Cannot access public S3 bucket

George_Zoto · April 30, 2018, 6:28pm

Hello Dremio team,

I am a big fan of your work and product! I am having issues using Dremio though with a public S3 bucket of mine. I created this bucket with public access and has an Access Control List for Everyone to “List Objects” and “Read Bucket Permissions”. This account has other bucket that are private as well.

I get the following error:
java.lang.RuntimeException: java.io.IOException: Unable to retrieve bucket named “xyz”

My configuration has a name and “https://s3.amazonaws.com/xyz” listed under External Buckets and nothing else.

The documentation has only one slide on S3 that is very cryptic in terms of configuration on the Dremio side:
https://docs.dremio.com/data-sources/s3.html

Thank you in advance for your guidance,
George Zoto

can · April 30, 2018, 7:11pm

@George_Zoto thank you fr the kind words. It might be that you are putting the full bucket URL – have you tried just with the bucket name?

Here is a sample S3 source where we connect to our own sample public bucket:

Also, are there any other details in server.log?

George_Zoto · April 30, 2018, 7:39pm

Hello @can,

Thank your for your insight, I was using the full https url. By updating the external bucket name with just the s3 bucket name I now get:

com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 86426831BBB1DAFB), S3 Extended Request ID:

And here are my permission settings for this bucket:

Am I missing something here?

Thank you,
George

George_Zoto · May 1, 2018, 7:00pm

Am I missing something simple here @can?

Thank you again,
George

anthony · May 1, 2018, 7:16pm

What do you have under the “Bucket Policy” tab under “Permissions” ?
Maybe try setting it similar to below

{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Principal”: “",
“Action”: [
“s3:ListBucket”,
“s3:GetBucketLocation”
],
“Resource”: “arn:aws:s3:::samples.bucket”
},
{
“Sid”: “MakeItPublic”,
“Effect”: “Allow”,
“Principal”: "”,
“Action”: “s3:GetObject”,
“Resource”: “arn:aws:s3:::samples.bucket/*”
}
]
}

George_Zoto · May 1, 2018, 7:35pm

Thank you @Anthony, it worked

Just to understand though, ACLs are not enough to allow Dremio access to a public S3 bucket?
Do you need a bucket policy no matter what?

Also, in my case Principal field was not allowed to be empty so here is the revised policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::mybucket"
},
{
"Sid": "MakeItPublic",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3::: mybucket/*"
}
]
}

Topic		Replies	Views
Error accessing S3 (can see bucket list but not objects)	4	4609	June 11, 2018
Error fetching objects stored in private S3 bucket	10	2687	November 15, 2018
Access was denied by S3 when using public buckets	0	992	September 6, 2021
AWS Bucket Access	7	3053	July 21, 2017
Dremio with Hive and S3 Dremio University	4	782	December 7, 2023

Cannot access public S3 bucket

Related topics