Hello all,
Our team is looking to evaluate Dremio and is currently in the process of deploying it within our Kubernetes cluster (through EKS). We have successfully set up the cluster using the following helm chart:
However, when attempting to connect to an S3 data source, we are struggling to have the Dremio cluster authenticate successfully to S3. We have set up a new IAM role with the following policy attached:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject",
            "s3:PutBucketTagging",
            "s3:ListBucket",
            "s3:GetObject",
            "s3:GetBucketLocation",
            "s3:DeleteObject",
            "s3:DeleteBucket",
            "s3:CreateBucket"
          ],
          "Resource": [
            "<s3 bucket names>"
          ]
        }
      ]
    }
Within the S3 setup in the Dremio GUI, we have selected “EC2 Metadata” and entered the following for the IAM role (using the fully qualified ARN): arn:aws:iam::xxxxxxxxxxx:role/<role_name>
However, when we try this, we get the following error in the console:
Caused by: java.util.concurrent.ExecutionException: com.google.common.util.concurrent.UncheckedExecutionException: java.lang.RuntimeException: Credential Verification failed.
We suspect the issue is simply that the Dremio cluster isn’t authorized to assume the IAM role that we have created. However, we are struggling to identify the “right” way to do this. Ideally, this would be something we can modify within the helm values.yaml (i.e. include the IAM role to impersonate similar to how EC2 deployments work), but we aren’t sure if this is supported in the Kubernetes deployment or if there is another recommended way.
Any guidance would be greatly appreciated.
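
Added example, not part of the original post and not Dremio's or the helm chart's code: the suspicion above (the cluster is not authorized to assume the role) can be checked offline by reading two policy documents, the target role's trust policy and the policy of whatever role the pods' metadata credentials resolve to. The sketch assumes that is the EKS node's instance role; all ARNs and policies are constructed, and only Allow statements are evaluated (Deny and Condition are ignored).

```python
import fnmatch

# Constructed sample values: account id, role names and policies are hypothetical.
NODE_ROLE = "arn:aws:iam::111122223333:role/eks-node-role"     # assumed source of pod credentials
TARGET_ROLE = "arn:aws:iam::111122223333:role/dremio-s3-role"  # role entered in the Dremio source
TRUST_SERVICE_ONLY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                     "Principal": {"Service": "ec2.amazonaws.com"}}]}
TRUST_WITH_NODE = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                  "Principal": {"AWS": NODE_ROLE}}]}
NODE_POLICY_S3_ONLY = {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                                      "Resource": "*"}]}
NODE_POLICY_STS = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                  "Resource": "arn:aws:iam::111122223333:role/dremio-*"}]}

def _as_list(value):
    """IAM accepts a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def _allows_action(stmt, action):
    """Allow statement whose Action (case-insensitive, with wildcards) covers `action`."""
    return stmt.get("Effect") == "Allow" and any(
        fnmatch.fnmatchcase(action.lower(), pat.lower())
        for pat in _as_list(stmt.get("Action", [])))

def trust_allows(trust_policy, caller_role_arn):
    """True if the trust policy names the caller role, its account root, or '*'."""
    account_root = ":".join(caller_role_arn.split(":")[:5]) + ":root"
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if _allows_action(stmt, "sts:AssumeRole") and (
                {caller_role_arn, account_root, "*"} & set(aws)):
            return True
    return False

def identity_allows(identity_policy, target_role_arn):
    """True if the caller's own policy allows sts:AssumeRole on the target role."""
    return any(
        _allows_action(stmt, "sts:AssumeRole") and any(
            fnmatch.fnmatchcase(target_role_arn, res)
            for res in _as_list(stmt.get("Resource", [])))
        for stmt in _as_list(identity_policy.get("Statement", [])))

def diagnose(trust_policy, identity_policy, caller=NODE_ROLE, target=TARGET_ROLE):
    """Report each side separately so the missing grant is visible."""
    return {"trust_policy_names_caller": trust_allows(trust_policy, caller),
            "caller_policy_allows_assume": identity_allows(identity_policy, target)}

if __name__ == "__main__":
    print(diagnose(TRUST_SERVICE_ONLY, NODE_POLICY_S3_ONLY))
    print(diagnose(TRUST_WITH_NODE, NODE_POLICY_STS))
```

A trust policy that lists only a service principal, as in `TRUST_SERVICE_ONLY`, reports `False` on the trust side even when the S3 permissions policy attached to the role is correct.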