I’m using the latest dremio/dremio-oss docker image, and I’m trying to pull in data from a private S3 bucket. I’m able to list the buckets in the account, and I’m able to list the objects in those buckets. When I go to “Add Format”, I receive a generic error in the front end (Failure while attempting to retrieve metadata information for table…). The logs show that I’m getting permission denied due to differing request signatures.
dremio_1 | Caused by: com.amazonaws.services.s3.model.AmazonS3Exception: The request signature we calculated does not match the signature you provided. Check your key and signing method. (Service: Amazon S3; Status Code: 403; Error Code: SignatureDoesNotMatch; Request ID: 340C80ACA10A7643)
Thoughts on how to move forward?
Hi @kirkhansen
Are you using EC2 roles or actually entering an access key/secret key on the S3 source?
Thanks
@balaji.ramaswamy
Sorry, should have included that. I am entering the access key/secret key pair on the S3 source. The keys are able to download the file using the aws cli.
This particular user has Administrator Access policy attached:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Is that IAM policy or individual bucket policy? Want to make sure both are set.
That is the IAM policy for this user. The bucket policy is empty.
For testing purposes can you try to add a simliar bucket policy as below
{
“Version”: “2012-10-17”,
“Statement”: [
{
“Effect”: “Allow”,
“Principal”: “",
“Action”: [
“s3:ListBucket”,
“s3:GetBucketLocation”
],
“Resource”: “arn:aws:s3:::bucket_name”
},
{
“Sid”: “MakeItPublic”,
“Effect”: “Allow”,
“Principal”: "”,
“Action”: “s3:GetObject”,
“Resource”: “arn:aws:s3:::bucket_name/*”
}
]
}
Tried it with
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<my-user>"
]
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucket",
"arn:aws:s3:::bucket/*"
]
}
Same error.
For what it’s worth, this key pair works with boto3, and aws cli just fine.
I just tried this again this morning while working off of the company network, and it appears to work. I’ll confirm that it was the company network’s fault (or if something was fixed since I’ve last touched this) next week.
The problem was with our company network. Feel free to close this, or otherwise mark as a non-issue. Thanks!
1 Like