WeblateOrg / weblate

Web based localization tool with tight version control integration.
https://weblate.org/
GNU General Public License v3.0

Amazon Translate no longer works #12597

Closed nijel closed 1 month ago

nijel commented 1 month ago

Describe the issue

Since https://github.com/WeblateOrg/weblate/pull/12520 Amazon Translate no longer works for some credentials.

I already tried

Steps to reproduce the behavior

  1. Create AWS credential with access to translate only.
  2. Try to configure it in Weblate.

Expected behavior

No response

Screenshots

No response

Exception traceback

ClientError: An error occurred (AccessDeniedException) when calling the ListLanguages operation: User: arn:aws:iam::00000000000:user/weblate is not authorized to perform: translate:ListLanguages because no identity-based policy allows the translate:ListLanguages action
  File "weblate/machinery/base.py", line 256, in supported_languages
    languages = set(self.download_languages())
  File "weblate/machinery/aws.py", line 53, in download_languages
    result = self.client.list_languages()
  File "botocore/client.py", line 569, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "botocore/client.py", line 1023, in _make_api_call
    raise error_class(parsed_response, operation_name)

How do you run Weblate?

weblate.org service

Weblate versions

No response

Weblate deploy checks

No response

Additional context

@gersona This is a regression introduced by https://github.com/WeblateOrg/weblate/pull/12520. I'm not sure if we should work around this by falling back to a previously hard-coded list of languages, or tell users to adjust permissions. A similar issue might exist for glossary manipulation.

@Changaco This is why Amazon Translate is not working on the LibreTranslate project in Weblate. Can you please check permissions for the token? It appears to be able to translate, but not list supported languages.

sentry-io[bot] commented 1 month ago

Sentry Issue: WEBLATE-SRS

Changaco commented 1 month ago

Liberapay's AWS token for Weblate had the AWS-managed TranslateReadOnly permission, defined as:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "translate:TranslateText",
                "translate:TranslateDocument",
                "translate:GetTerminology",
                "translate:ListTerminologies",
                "translate:ListTextTranslationJobs",
                "translate:DescribeTextTranslationJob",
                "translate:GetParallelData",
                "translate:ListParallelData",
                "comprehend:DetectDominantLanguage",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics"
            ],
            "Resource": "*"
        }
    ]
}

I have now replaced it with the following custom policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "translate:ListTextTranslationJobs",
                "translate:GetTerminology",
                "translate:ListTagsForResource",
                "translate:ListTerminologies",
                "translate:ListLanguages",
                "translate:GetParallelData",
                "comprehend:DetectDominantLanguage",
                "translate:TranslateText",
                "translate:DescribeTextTranslationJob",
                "translate:ListParallelData",
                "translate:TranslateDocument"
            ],
            "Resource": "*"
        }
    ]
}

Let me know if that works.

nijel commented 1 month ago

Yes, it works for translating (you can verify it yourself that saving https://hosted.weblate.org/machinery/liberapay/aws/ does not yield an error), but will probably fail for glossary sync. And thanks for providing the policy name, I was able to find the docs on that now: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/TranslateFullAccess.html

Anyway, for glossary sync, Weblate will need TranslateFullAccess (or custom permission including at least translate:ListTerminologies, translate:ImportTerminology and translate:DeleteTerminology).

Now I can see two approaches to address this:

I think requiring full access is a better approach as users will know that something is misconfigured; the silently ignored errors in the second approach will make the change invisible.
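
Added example, not part of the thread and not Weblate's code: an offline check of an IAM policy document against the actions named in this issue, run on the translate actions of the two policies quoted above. `REQUIRED`, `policy`, `allows` and `missing_actions` are hypothetical names, `translate:TranslateText` as the translation call is an assumption, and the evaluation is simplified (Resource, Condition and NotAction are ignored).

```python
import fnmatch

# Actions named in this thread; TranslateText as the translation call is an assumption.
REQUIRED = {
    "translate": ["translate:TranslateText", "translate:ListLanguages"],
    "glossary sync": ["translate:ListTerminologies", "translate:ImportTerminology",
                      "translate:DeleteTerminology"],
}

def policy(*statements):
    """Build a policy document from (effect, actions) pairs."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": e, "Action": a, "Resource": "*"} for e, a in statements]}

def _translate(names):
    return ["translate:" + n for n in names.split()]

# Translate actions of the two policies quoted above (other services omitted).
READ_ONLY = policy(("Allow", _translate(
    "TranslateText TranslateDocument GetTerminology ListTerminologies "
    "ListTextTranslationJobs DescribeTextTranslationJob GetParallelData ListParallelData")))
CUSTOM = policy(("Allow", _translate(
    "ListTextTranslationJobs GetTerminology ListTagsForResource ListTerminologies "
    "ListLanguages GetParallelData TranslateText DescribeTextTranslationJob "
    "ListParallelData TranslateDocument")))
# Constructed policy, not from the thread: wildcard Allow plus an explicit Deny.
WILDCARD_WITH_DENY = policy(("Allow", "translate:*"), ("Deny", ["translate:Delete*"]))

def _matches(patterns, action):
    # Action may be a string or a list; names are case-insensitive, * and ? are wildcards.
    patterns = [patterns] if isinstance(patterns, str) else patterns or []
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def allows(doc, action):
    """An Allow statement must match and no Deny statement may match."""
    stmts = doc["Statement"] if isinstance(doc["Statement"], list) else [doc["Statement"]]
    allowed = False
    for stmt in stmts:
        if _matches(stmt.get("Action"), action):
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed

def missing_actions(doc):
    """Map each feature to the required actions the policy does not grant."""
    return {feature: [a for a in actions if not allows(doc, a)]
            for feature, actions in REQUIRED.items()}

if __name__ == "__main__":
    for name, doc in [("TranslateReadOnly", READ_ONLY), ("custom", CUSTOM),
                      ("wildcard+deny", WILDCARD_WITH_DENY)]:
        print(name, missing_actions(doc))
```

A custom policy that lists only the actions in `REQUIRED` passes this check without granting the rest of the Translate API.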

gersona commented 1 month ago

@nijel What is the best way to inform users of the additional permission requirement beyond updating the documentation?

nijel commented 1 month ago

Mention this in the compatibility section in the changes.

github-actions[bot] commented 1 month ago

Thank you for your report; the issue you have reported has just been fixed.