Error adding a China s3 source

1

When I added a s3 source in dremio 4.0, I got the error info:
Caused by: java.lang.RuntimeException: Credential Verification failed. Exception: The security token included in the request is invalid. (Service: Sts, Status Code: 403, Request ID: ddb86b20-e05a-11e9-9f64-d129e79d5ea4)
at com.dremio.plugins.s3.store.S3FileSystem.verifyCredentials(S3FileSystem.java:201) ~[dremio-s3-plugin-4.0.0-201909121834570395-c7a5071.jar:4.0.0-201909121834570395-c7a5071]
at com.dremio.plugins.s3.store.S3FileSystem.setup(S3FileSystem.java:174) ~[dremio-s3-plugin-4.0.0-201909121834570395-c7a5071.jar:4.0.0-201909121834570395-c7a5071]
at com.dremio.plugins.util.ContainerFileSystem.initialize(ContainerFileSystem.java:156) ~[dremio-s3-plugin-4.0.0-201909121834570395-c7a5071.jar:4.0.0-201909121834570395-c7a5071]
at com.dremio.exec.store.dfs.FileSystemPlugin$1.lambda$load$0(FileSystemPlugin.java:195) ~[dremio-sabot-kernel-4.0.0-201909121834570395-c7a5071.jar:4.0.0-201909121834570395-c7a5071]
at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_60]
at javax.security.auth.Subject.doAs(Subject.java:422) ~[na:1.8.0_60]
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1730) ~[hadoop-common-3.2.0-dremio-201909041046110436-7295d98.jar:na]
at com.dremio.exec.store.dfs.FileSystemPlugin$1.load(FileSystemPlugin.java:200) ~[dremio-sabot-kernel-4.0.0-201909121834570395-c7a5071.jar:4.0.0-201909121834570395-c7a5071]
at com.dremio.exec.store.dfs.FileSystemPlugin$1.load(FileSystemPlugin.java:177) ~[dremio-sabot-kernel-4.0.0-201909121834570395-c7a5071.jar:4.0.0-201909121834570395-c7a5071]
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3628) ~[guava-20.0.jar:na]
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2336) ~[guava-20.0.jar:na]
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2295) ~[guava-20.0.jar:na]
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2208) ~[guava-20.0.jar:na]
… 13 common frames omitted
Caused by: software.amazon.awssdk.services.sts.model.StsException: The security token included in the request is invalid. (Service: Sts, Status Code: 403, Request ID: ddb86b20-e05a-11e9-9f64-d129e79d5ea4)
at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.handleErrorResponse(HandleResponseStage.java:115) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.handleResponse(HandleResponseStage.java:73) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.execute(HandleResponseStage.java:58) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.HandleResponseStage.execute(HandleResponseStage.java:41) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptTimeoutTrackingStage.execute(ApiCallAttemptTimeoutTrackingStage.java:64) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallAttemptTimeoutTrackingStage.execute(ApiCallAttemptTimeoutTrackingStage.java:36) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.TimeoutExceptionHandlingStage.execute(TimeoutExceptionHandlingStage.java:77) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.TimeoutExceptionHandlingStage.execute(TimeoutExceptionHandlingStage.java:39) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage$RetryExecutor.doExecute(RetryableStage.java:113) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage$RetryExecutor.execute(RetryableStage.java:86) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage.execute(RetryableStage.java:62) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.RetryableStage.execute(RetryableStage.java:42) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.StreamManagingStage.execute(StreamManagingStage.java:57) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.StreamManagingStage.execute(StreamManagingStage.java:37) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.executeWithTimer(ApiCallTimeoutTrackingStage.java:80) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.execute(ApiCallTimeoutTrackingStage.java:60) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.ApiCallTimeoutTrackingStage.execute(ApiCallTimeoutTrackingStage.java:42) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:37) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:26) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.internal.http.AmazonSyncHttpClient$RequestExecutionBuilderImpl.execute(AmazonSyncHttpClient.java:240) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.client.handler.BaseSyncClientHandler.invoke(BaseSyncClientHandler.java:96) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.client.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:120) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.client.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:73) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:44) ~[sdk-core-2.5.37.jar:na]
at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:55) ~[aws-core-2.5.37.jar:na]
at software.amazon.awssdk.services.sts.DefaultStsClient.getCallerIdentity(DefaultStsClient.java:673) ~[sts-2.5.37.jar:na]
at com.dremio.plugins.s3.store.S3FileSystem.verifyCredentials(S3FileSystem.java:199) ~[dremio-s3-plugin-4.0.0-201909121834570395-c7a5071.jar:4.0.0-201909121834570395-c7a5071]
… 25 common frames omitted

I used s3 client to test connection. When I set default region name to “us-west-1”,it failed. When I set default region name to “cn-north-1”,it succeed.
Therefore, I suspect this may be due to s3 region problems.

I set the endpoint setting for the S3 source, property name is “fs.s3a.endpoint”, value is “https://s3.cn-north-1.amazonaws.com.cn”, but it didn’t help.

Can I config s3 region property in dremio, or what can I do to solve this problem?

Thanks.

2

@Wayaye, are you using AWS GovCloud?
Can you try again with fs.s3a.endpoint = s3-cn-north-1.amazonaws.com.cn?

3

@Ye_Li
Hello, the S3 is not AWS GovCloud.
I added property fs.s3a.endpoint = s3.cn-north-1.amazonaws.com.cn, but sorry it did not work.
Fortunately, when I enabled compatibility mode (experimental) in the Advanced Options, it worked! I’m able to run queries now.
Thanks.

4

I referred to this post: