AWS Glue Jupyter Notebook Failed to authenticate user

5


When I started a job with the IAM role AWSGlueServiceNotebookRoleDefault, I got this error:

Failed to authenticate user due to missing information in request.

There is no information in the docs about this error.

I did everything from this and this. I have two buckets: crawler-public-service & aws-glue-service.

GlueServiceNotebookPolicyDefault:

{  
    "Version":"2012-10-17",
    "Statement":[  
       {  
          "Effect":"Allow",
          "Action":[  
             "glue:CreateDatabase",
             "glue:CreatePartition",
             "glue:CreateTable",
             "glue:DeleteDatabase",
             "glue:DeletePartition",
             "glue:DeleteTable",
             "glue:GetDatabase",
             "glue:GetDatabases",
             "glue:GetPartition",
             "glue:GetPartitions",
             "glue:GetTable",
             "glue:GetTableVersions",
             "glue:GetTables",
             "glue:UpdateDatabase",
             "glue:UpdatePartition",
             "glue:UpdateTable",
             "glue:GetJobBookmark",
             "glue:ResetJobBookmark",
             "glue:CreateConnection",
             "glue:CreateJob",
             "glue:DeleteConnection",
             "glue:DeleteJob",
             "glue:GetConnection",
             "glue:GetConnections",
             "glue:GetDevEndpoint",
             "glue:GetDevEndpoints",
             "glue:GetJob",
             "glue:GetJobs",
             "glue:UpdateJob",
             "glue:BatchDeleteConnection",
             "glue:UpdateConnection",
             "glue:GetUserDefinedFunction",
             "glue:UpdateUserDefinedFunction",
             "glue:GetUserDefinedFunctions",
             "glue:DeleteUserDefinedFunction",
             "glue:CreateUserDefinedFunction",
             "glue:BatchGetPartition",
             "glue:BatchDeletePartition",
             "glue:BatchCreatePartition",
             "glue:BatchDeleteTable",
             "glue:UpdateDevEndpoint",
             "s3:GetBucketLocation",
             "s3:ListBucket",
             "s3:ListAllMyBuckets",
             "s3:GetBucketAcl"
          ],
          "Resource":[  
             "*"
          ]
       },
       {  
          "Effect":"Allow",
          "Action":[  
             "s3:GetObject"
          ],
          "Resource":[  
             "arn:aws:s3:::crawler-public*",
             "arn:aws:s3:::aws-glue*"
          ]
       },
       {  
          "Effect":"Allow",
          "Action":[  
             "s3:PutObject",
             "s3:DeleteObject"          
          ],
          "Resource":[  
             "arn:aws:s3:::aws-glue*"
          ]
       },
       {  
          "Effect":"Allow",
          "Action":[  
             "ec2:CreateTags",
             "ec2:DeleteTags"
          ],
          "Condition":{  
             "ForAllValues:StringEquals":{  
                "aws:TagKeys":[  
                   "aws-glue-service-resource"
                ]
             }
          },
          "Resource":[  
             "arn:aws:ec2:*:*:network-interface/*",
             "arn:aws:ec2:*:*:security-group/*",
             "arn:aws:ec2:*:*:instance/*"
          ]
       },
       {  
         "Effect":"Allow",
         "Action":[  
            "kms:Decrypt"
         ],
         "Resource":[  
            "arn:aws:kms:*:id:key/key-id"
         ]
      }
    ]
 }

AWSGlueServiceNotebookRoleDefault:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "glue.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

How to fix this? Thanks!

Sollars answered 31/3, 2022 at 10:2 Comment(1)
I tried to create a new role with AWSGlueServiceRole + AmazonS3FullAccess, but I still have the same error. – Sollars
9

I was experiencing the same problem using Chrome. I solved it by going to Chrome -> Settings -> Safety -> Cookies and, under user-defined settings, adding a website that is always allowed cookies named "[*.]aws.amazon.com".

I believe your roles are fine.

Ide answered 16/5, 2022 at 11:5 Comment(3)
In Safari 15, there is no option to allow third party cookies for individual websites, so you are stuck with disabling "Prevent cross-site tracking" across the board from Preferences -> Privacy. – Hock
In Firefox 103, once you try to open the notebook and see the error, click on the shield icon on the left of the address bar, and disable "Enhanced Tracking Protection". – Hock
FYI you also need to whitelist amazonaws.com as well. AWS are in a right mess with their domains. – Hypnogenesis
3

This strange behavior reproduces in Safari. In Chrome everything works perfectly.

Sollars answered 31/3, 2022 at 13:16 Comment(1)
For me Firefox worked (v 101.0), but not Edge (v 102.0). – Lennox
3

This is Safari blocking third party cookies by default. The notebook domain and the AWS console domain are different and Safari will block cross-site cookies due to privacy (tracking) concerns.

You can allowlist the notebook domain or disable third party cookie blocking in Safari.

Enchondroma answered 8/4, 2022 at 17:51 Comment(0)
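The cross-site cookie blocking described in the answers above, and why a Chrome exception for "[*.]aws.amazon.com" alone may not cover a notebook served from amazonaws.com, as an added example that is not part of the original posts. The hostnames are constructed placeholders, and the last-two-labels site rule is a simplification of the Public Suffix List that browsers actually use.

```javascript
// Added example. Hostnames are constructed placeholders, not taken from the page.
const CONSOLE_HOST = "eu-west-1.console.aws.amazon.com";
const NOTEBOOK_HOST = "glue-notebook.placeholder.amazonaws.com";

// Chrome cookie-exception pattern: "[*.]example.com" covers example.com and
// every subdomain; a pattern without the prefix covers only that exact host.
function matchesPattern(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (!p.startsWith("[*.]")) return h === p;
  const base = p.slice(4);
  // Require a label boundary so "notaws.amazon.com" is not matched.
  return h === base || h.endsWith("." + base);
}

// Naive "site" (registrable domain): the last two labels. Browsers use the
// Public Suffix List here; this shortcut is an assumption for the example.
function naiveSite(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Simplified model: a cookie is third-party when its host is on a different
// site than the top-level page, and is blocked unless an exception covers it.
function blockedHosts(topLevelHost, cookieHosts, allowPatterns) {
  const topSite = naiveSite(topLevelHost);
  return cookieHosts.filter((host) => {
    const thirdParty = naiveSite(host) !== topSite;
    const allowed = allowPatterns.some((p) => matchesPattern(p, host));
    return thirdParty && !allowed;
  });
}

const hosts = ["signin.aws.amazon.com", NOTEBOOK_HOST];
console.log(blockedHosts(CONSOLE_HOST, hosts, []));
console.log(blockedHosts(CONSOLE_HOST, hosts, ["[*.]aws.amazon.com"]));
console.log(blockedHosts(CONSOLE_HOST, hosts, ["[*.]aws.amazon.com", "[*.]amazonaws.com"]));
```

Scoped exceptions like these leave third-party cookie blocking in force for every other site, unlike switching the protection off globally.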
1

On Safari, you can go to Preferences > Privacy > Prevent Cross Site Tracking (uncheck this box). Then you should be able to use it as expected. This unblocked me from using the Glue notebook.

Alvin answered 23/6, 2023 at 7:47 Comment(0)
0

I had this same issue on 15.11.2022. I tried all the above and tried on several browsers/OS. We were able to repeat the issue on all of them, so we sent a support ticket to AWS and they replied that it was a data centre wide issue that was being resolved. As of this morning it is resolved.

Goeger answered 16/11, 2022 at 9:6 Comment(0)
