Error fetching objects stored in private S3 bucket

kirkhansen · October 18, 2018, 2:40pm

I’m using the latest dremio/dremio-oss docker image, and I’m trying to pull in data from a private S3 bucket. I’m able to list the buckets in the account, and I’m able to list the objects in those buckets. When I go to “Add Format”, I receive a generic error in the front end (Failure while attempting to retrieve metadata information for table…). The logs show that I’m getting permission denied due to differing request signatures.

dremio_1  | Caused by: com.amazonaws.services.s3.model.AmazonS3Exception: The request signature we calculated does not match the signature you provided. Check your key and signing method. (Service: Amazon S3; Status Code: 403; Error Code: SignatureDoesNotMatch; Request ID: 340C80ACA10A7643)

Thoughts on how to move forward?

balaji.ramaswamy · October 18, 2018, 4:33pm

Hi @kirkhansen

Are you using EC2 roles or actually entering an access key/secret key on the S3 source?

Thanks
@balaji.ramaswamy

kirkhansen · October 18, 2018, 4:47pm

Sorry, should have included that. I am entering the access key/secret key pair on the S3 source. The keys are able to download the file using the aws cli.

anthony · October 19, 2018, 1:15am

Can you verify proper policy permissions? https://docs.dremio.com/data-sources/s3.html

kirkhansen · October 19, 2018, 8:23pm

This particular user has Administrator Access policy attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

anthony · October 22, 2018, 1:15pm

Is that IAM policy or individual bucket policy? Want to make sure both are set.

kirkhansen · October 22, 2018, 1:35pm

That is the IAM policy for this user. The bucket policy is empty.

anthony · October 22, 2018, 1:54pm

For testing purposes can you try to add a simliar bucket policy as below

{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Principal”: “",
“Action”: [
“s3:ListBucket”,
“s3:GetBucketLocation”
],
“Resource”: “arn:aws:s3:::bucket_name”
},
{
“Sid”: “MakeItPublic”,
“Effect”: “Allow”,
“Principal”: "”,
“Action”: “s3:GetObject”,
“Resource”: “arn:aws:s3:::bucket_name/*”
}
]
}

kirkhansen · October 22, 2018, 1:58pm

Tried it with

{
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::<my-user>"
            ]
        },
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/*"
        ]
    }

Same error.

For what it’s worth, this key pair works with boto3, and aws cli just fine.

kirkhansen · November 9, 2018, 3:58pm

I just tried this again this morning while working off of the company network, and it appears to work. I’ll confirm that it was the company network’s fault (or if something was fixed since I’ve last touched this) next week.

kirkhansen · November 15, 2018, 7:35pm

The problem was with our company network. Feel free to close this, or otherwise mark as a non-issue. Thanks!