Error fetching objects stored in private S3 bucket

I’m using the latest dremio/dremio-oss docker image, and I’m trying to pull in data from a private S3 bucket. I’m able to list the buckets in the account, and I’m able to list the objects in those buckets. When I go to “Add Format”, I receive a generic error in the front end (Failure while attempting to retrieve metadata information for table…). The logs show that I’m getting permission denied due to differing request signatures.

dremio_1  | Caused by: com.amazonaws.services.s3.model.AmazonS3Exception: The request signature we calculated does not match the signature you provided. Check your key and signing method. (Service: Amazon S3; Status Code: 403; Error Code: SignatureDoesNotMatch; Request ID: 340C80ACA10A7643)

Thoughts on how to move forward?

Hi @kirkhansen

Are you using EC2 roles or actually entering an access key/secret key on the S3 source?

Thanks
@balaji.ramaswamy

Sorry, should have included that. I am entering the access key/secret key pair on the S3 source. The keys are able to download the file using the aws cli.

Can you verify proper policy permissions? https://docs.dremio.com/data-sources/s3.html

This particular user has Administrator Access policy attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Is that IAM policy or individual bucket policy? Want to make sure both are set.

That is the IAM policy for this user. The bucket policy is empty.

For testing purposes can you try to add a similar bucket policy as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::bucket_name"
        },
        {
            "Sid": "MakeItPublic",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket_name/*"
        }
    ]
}

Tried it with

{
        "Effect": "Allow",
        "Principal": {
            "AWS": [
                "arn:aws:iam::<my-user>"
            ]
        },
        "Action": [
            "s3:*"
        ],
        "Resource": [
            "arn:aws:s3:::bucket",
            "arn:aws:s3:::bucket/*"
        ]
    }

Same error.

For what it’s worth, this key pair works with boto3, and aws cli just fine.

I just tried this again this morning while working off of the company network, and it appears to work. I’ll confirm that it was the company network’s fault (or if something was fixed since I’ve last touched this) next week.

The problem was with our company network. Feel free to close this, or otherwise mark as a non-issue. Thanks!

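Added example, not part of the thread and not Dremio or AWS code: a simplified Signature Version 4 calculation showing that S3 returns SignatureDoesNotMatch when the signature it recomputes from the request as received differs from the one the client sent, a check that happens before any IAM or bucket policy is evaluated. The secret, bucket host, object path and the in-path header rewrite are constructed assumptions; the thread does not say what the company network actually did.

```python
import hashlib
import hmac

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_signature(secret, method, path, headers, payload_hash, amz_date, region, service="s3"):
    """Simplified SigV4: signs every header passed in, with an empty query string."""
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(lowered)
    canonical_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    canonical_request = "\n".join(
        [method, path, "", canonical_headers, ";".join(names), payload_hash])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)  # derive the per-day, per-region signing key
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def s3_would_accept(secret, received_request, client_signature):
    """Server side: recompute from the request as received, then compare."""
    expected = sigv4_signature(secret, **received_request)
    return hmac.compare_digest(expected, client_signature)

# Constructed sample values (not from the thread, not real credentials).
SECRET = "constructed-secret-not-a-real-key"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()
SENT = dict(
    method="GET", path="/data/file.parquet",
    headers={"Host": "example-bucket.s3.amazonaws.com",
             "x-amz-content-sha256": EMPTY_SHA256,
             "x-amz-date": "20190101T000000Z"},
    payload_hash=EMPTY_SHA256, amz_date="20190101T000000Z", region="us-east-1")
SIGNATURE = sigv4_signature(SECRET, **SENT)

def demo():
    untouched = s3_would_accept(SECRET, SENT, SIGNATURE)
    # Hypothetical: something between client and S3 rewrites a signed header.
    rewritten = dict(SENT, headers=dict(SENT["headers"], Host="s3.amazonaws.com"))
    altered = s3_would_accept(SECRET, rewritten, SIGNATURE)
    return untouched, altered

if __name__ == "__main__":
    print(demo())
```

Because the key pair and policy are identical in both cases, granting more permissions cannot change the second result; comparing the request as sent with the request as it leaves the network is the useful check.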