AWS Rekognition gives an InvalidS3Exception error

Asked 13/6, 2017 at 22:32 Answered 22/9, 2022 at 11:17

amazon-web-services amazon-s3 amazon-rekognition

Every time I run the command

aws rekognition detect-labels --image "S3Object={Bucket=BucketName,Name=picture.jpg}" --region us-east-1

I get this error.

InvalidS3ObjectException: An error occurred (InvalidS3ObjectException) when calling the DetectLabels operation: Unable to get image metadata from S3. Check object key, region and/or access permissions.

I am trying to retrieve labels for a project I am working on but I can't seem to get past this step. I configured aws with my access key, secret key, us-east-1 region, and json as my output format.

I have also tried the code below and I receive the exact same error (I correctly Replaced BucketName with the name of my bucket.)

import boto3

BUCKET = "BucketName"
KEY = "picture.jpg"

def detect_labels(bucket, key, max_labels=10, min_confidence=90, region="eu-west-1"):
    rekognition = boto3.client("rekognition", region)
    response = rekognition.detect_labels(
        Image={
            "S3Object": {
                "Bucket": bucket,
                "Name": key,
            }
        },
        MaxLabels=max_labels,
        MinConfidence=min_confidence,
    )
    return response['Labels']


for label in detect_labels(BUCKET, KEY):
    print "{Name} - {Confidence}%".format(**label)

I am able to see on my user account that it is calling Rekognition. Image showing it being called from IAM.

It seems like the issue is somewhere with my S3 bucket but I haven't found out what.

Wainscot answered 13/6, 2017 at 22:32 Comment(3)

It is apparent from the error that your request is reaching Rekognition, which can't access the object in the bucket. Rekognition will not make a cross-region request to S3 -- the bucket must be in the same region where you're invoking Rekognition. docs.aws.amazon.com/rekognition/latest/dg/API_S3Object.html – Sennight 14/6, 2017 at 13:10

@michael-sqlbot My bucket was in US east Ohio but the URL was saying us-east-1 so I thought it was in the Virginia one. I fixed it. I works now thank you very much. – Wainscot 14/6, 2017 at 19:47

I'm facing the same issue, but nowadays AWS doesn't specify bucket regions, as its beyond our control. What to do? – Erhard 3/1, 2020 at 11:40

Region of S3 and Rekognition should be the same for stability reasons.

More info: https://forums.aws.amazon.com/thread.jspa?threadID=243999

Athenian answered 4/6, 2018 at 9:50 Comment(2)

I'm facing the same issue, but nowadays AWS doesn't specify bucket regions, as its beyond our control. What to do? – Erhard 3/1, 2020 at 11:40

You need to specify the region while creating a bucket. There is an option to do that from both AWS console UI and CLI – Athenian 8/1, 2020 at 8:58

Kindly check your IAM Role Policies/Permissions, Also check the same for the role created for the lambda function. It's better to verify the policy using IAM Policy Checker.

I am facing a similar issue, This might due to the Permissions and Policy attached with the IAM Roles and with S3 Bucket. Need to check the metadata as well for the objects in S3 bucket.

My S3 bucket Policy:

{
"Version": "2012-10-17",
"Id": "Policy1547200240036",
"Statement": [
    {
        "Sid": "Stmt1547200205482",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::459983601504:user/veral"
        },
        "Action": [
            "s3:GetObject",
            "s3:PutObject"
        ],
        "Resource": "arn:aws:s3:::esp32-rekognition-459983601504/*"
    }
]
}

Cross-origin resource sharing (CORS):

[
{
    "AllowedHeaders": [
        "*"
    ],
    "AllowedMethods": [
        "PUT",
        "POST",
        "GET",
        "DELETE"
    ],
    "AllowedOrigins": [
        "*"
    ],
    "ExposeHeaders": []
}
]

Oculomotor answered 18/6, 2021 at 5:56 Comment(2)

Thats a part, there is not much information about how (CORS) should be check, where to be check and how to add those. – Kizzie 28/3, 2023 at 2:13

Found it, it is under, s3 bucket permissions, at the bottom – Kizzie 28/3, 2023 at 2:25

If you use Server Side encryption for the bucket via KMS, remember to also have/give access to IAM role to decrypt using the KMS

Supplication answered 22/9, 2022 at 11:17 Comment(0)

Recommended topics

Hot tags