IAM Permissions Errors When Using boto3 for AWS Comprehend


I'm playing around with the command line to run some sentiment analysis through AWS and am running into some IAM issues. When running the "detect_dominant_language" function, I'm hitting NotAuthorizedExceptions despite having the policy in place to allow for all Comprehend functions. The policy for the account is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "comprehend:*",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:GetBucketLocation",
                "iam:ListRoles",
                "iam:GetRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Any ideas of where I might be going wrong with this? I've triple-checked my access key to make sure that I'm referring to the correct account. When I check the policy, it's there so I'm a little bit at a loss as to the disconnect. S3 seems to be working fine as well.

Steps already taken:

  1. Resetting access key/secret access key.
  2. Creating an IAM policy which explicitly refers to the needed functionality and attaching it to the "Admin" user.
  3. Calling this method from the CLI (get the same error).

Below, I've included additional information that may be helpful...

Code to check iam policies:

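import boto3

# Credentials are masked; the same key pair is used for both clients in this post.
iam = boto3.client('iam',
                   aws_access_key_id='*********************',
                   aws_secret_access_key='*************************************')

# List the managed policies attached to the "Admin" user.
iam.list_attached_user_policies(UserName="Admin")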

Output:

{'AttachedPolicies': [{'PolicyName': 'ComprehendFullAccess',
   'PolicyArn': 'arn:aws:iam::aws:policy/ComprehendFullAccess'},
  {'PolicyName': 'AdministratorAccess',
   'PolicyArn': 'arn:aws:iam::aws:policy/AdministratorAccess'},
  {'PolicyName': 'Comprehend-Limitied',
   'PolicyArn': 'arn:aws:iam::401311205158:policy/Comprehend-Limitied'}],
 'IsTruncated': False,
 'ResponseMetadata': {'RequestId': '9094d8ff-1730-44b8-af0f-9222a63b32e9',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'x-amzn-requestid': '9094d8ff-1730-44b8-af0f-9222a63b32e9',
   'content-type': 'text/xml',
   'content-length': '871',
   'date': 'Thu, 20 Jan 2022 21:48:11 GMT'},
  'RetryAttempts': 0}}

Code to trigger error:

# No region_name is passed, so boto3 uses the default region from the environment or config.
comprehend = boto3.client('comprehend',
                          aws_access_key_id='*********************',
                          aws_secret_access_key='********************************')

test_language_string = "This is a test string. I'm hoping that AWS Comprehend can interprete this as english..."

comprehend.detect_dominant_language(Text=test_language_string)

Output:

ClientError: An error occurred (NotAuthorizedException) when calling the DetectDominantLanguage operation: Your account is not authorized to make this call.

Abu Shoeb On

I encountered the same error and I ended up creating a new user group and a user for that particular API access. Here are the steps in a nutshell:

  • Create a user group (e.g. Research)

  • Give access to ComprehendFullAccess

  • Create a user (e.g. ComprehendUser) under the newly created user group (i.e. Research)

  • Bingo! It should work now.

How to access Amazon AWS Comprehend from boto3

Here is my code snippet:

# import packages
import boto3

# aws access credentials
AWS_ACCESS_KEY_ID = 'your-access-key'
AWS_SECRET_ACCESS_KEY = 'your-secret-key'

comprehend = boto3.client('comprehend',
                          aws_access_key_id=AWS_ACCESS_KEY_ID,
                          aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
                          region_name='us-east-1')

test_language_string = "This is a test string. I'm hoping that AWS Comprehend can interprete this as english..."
comprehend.detect_dominant_language(Text=test_language_string)

Expected Output

{'Languages': [{'LanguageCode': 'en', 'Score': 0.9753355979919434}],
 'ResponseMetadata': {'RequestId': 'd2ab429f-6ff7-4f9b-9ec2-dbf494ebf20a',
  'HTTPStatusCode': 200,
  'HTTPHeaders': {'x-amzn-requestid': 'd2ab429f-6ff7-4f9b-9ec2-dbf494ebf20a',
   'content-type': 'application/x-amz-json-1.1',
   'content-length': '64',
   'date': 'Mon, 07 Feb 2022 16:31:36 GMT'},
  'RetryAttempts': 0}}
Okeefe Niemann On

UPDATE: Thanks for all the feedback y'all! It turns out us-west-1 doesn't support comprehend. Switching to a different availability zone did the trick, so I would recommend anyone with similar problems try different zones before digging too deep into permissions/access keys.
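
The triage order the update above recommends (rule out the region before digging into IAM), as an added example that is not code from any poster on this page. The function names and the constructed region set are assumptions; `comprehend_regions()` relies on boto3's `get_available_regions`, which reads the endpoint data bundled with the SDK and can lag behind actual availability.

```python
import fnmatch

# Policy from the question, as a Python dict.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Action": ["comprehend:*", "s3:ListAllMyBuckets", "s3:ListBucket",
                   "s3:GetBucketLocation", "iam:ListRoles", "iam:GetRole"],
        "Effect": "Allow",
        "Resource": "*",
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def policy_allows(policy, action):
    """Simplified check: Action patterns only; ignores Resource, Condition, NotAction."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        hit = any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
                  for pattern in _as_list(stmt.get("Action", [])))
        if hit and stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = allowed or (hit and stmt["Effect"] == "Allow")
    return allowed

def comprehend_regions():
    """Regions that boto3's bundled endpoint data lists for Comprehend (needs boto3)."""
    import boto3
    return boto3.session.Session().get_available_regions("comprehend")

def triage(policy, action, region, supported_regions):
    """Return what to check first when a call is refused."""
    if region is None:
        return "no-region"  # nothing resolved; pass region_name explicitly
    if region not in supported_regions:
        return "region"     # service not offered in this region; not an IAM problem
    if not policy_allows(policy, action):
        return "iam"        # region is fine, this policy does not grant the action
    return "other"          # region and this policy are fine; look elsewhere

if __name__ == "__main__":
    # Constructed region set holding only the working region shown on this page.
    print(triage(QUESTION_POLICY, "comprehend:DetectDominantLanguage",
                 "us-west-1", {"us-east-1"}))
```

With boto3 installed, pass `comprehend_regions()` as `supported_regions` and `boto3.session.Session().region_name` as `region` to check the region the client would actually use.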