AccessDeniedException when calling AWS Textract

Support
1

Any idea why I get this error when my code is hosted on Netlify?

User: arn:aws:sts::514272109237:assumed-role/aws-lambda-execute/fb6531b17247d0cf2fea8feab20b3b6381b0ba859c752fd545d288cf082ee84a is not authorized to perform: textract:AnalyzeID because no identity-based policy allows the textract:AnalyzeID action"

I am using the folder structure “pages/api/etl”. When I run the code on my local machine, I do not experience the error because the code is not loaded into a serverless function.

In my AWS account, I have set up an AssumeRole policy on the user associated with the keys set in my environment variables. However, it didn’t fix the problem, and I’m wondering if this is a Netlify user permission problem.

Has anyone encountered this error or something similar? What are the steps to resolve?

const textract = new aws.Textract({ 
    apiVersion: '2018-06-27',
    region: process.env.AWS_TEXTRACT_REGION,
    aws_access_key_id: process.env.AWS_TEXTRACT_ACCESS_KEY_ID,
    aws_secret_access_key: process.env.AWS_TEXTRACT_SECRET_ACCESS_KEY        
});

const analyzeIdentity = await textract.analyzeID(textractParams).promise()
    .catch((error) => {
        console.error('AnalyzeID Error: ', error);
        throw error;
    }
);
2

Not too familiar with Textract, but these kinds of errors usually happen when the AWS location of your Lambda and the other service doesn’t match (Netlify uses AWS Lambda for Netlify Functions. Next.js API runs on Netlify Functions).

By default, the location of Lambda is in us-east-1. Are you using the same location for the other service?

3

Yes…
const textract = new aws.Textract({
apiVersion: ‘2018-06-27’,
region: process.env.AWS_TEXTRACT_REGION, // us-east-1
aws_access_key_id: process.env.AWS_TEXTRACT_ACCESS_KEY_ID,
aws_secret_access_key: process.env.AWS_TEXTRACT_SECRET_ACCESS_KEY
});

4

I’m curious did you say this worked locally before? Did you confirm the IAM user associated with the AWS credentials being used in your code has the required permissions to call the textract:AnalyzeID action?