S3 authentication by IAM role

Hi,
From my AWS EC2 I have an IAM role which provides S3 access on machine level.
This works great from local AWS CLI.

The source gets added, but when trying to access it I get:
[qtp1274672203-137] ERROR c.d.d.server.GenericExceptionMapper - Unexpected exception when processing GET http://localhost:9047/apiv2/source//folder/?nocache=1570177566465 : com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID:; S3 Extended Request ID: )

Config: No Auth, Public bucket added:

Adding keys is not an option.

I had tried adding the IAM Role to “IAM Role to Assume” - alas, as the machine itself has access, I’m not sure why we’d need it
(Btw, you need to put the ARN here, but this is only from the logs, gj on the documentation and the help text :scream: )

This generates “is not authorised to perform: sts:AssumeRole” - Again, why not use the default mechanism?

How to solve this?
Thanks
Dani

@DaniOT

This is an exception coming from S3 and below are possible reasons. Any chance you can go through them and see if something was missed?

https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/

@balaji.ramaswamy
Thanks!

The issue is Dremio specific; the host has full access to S3, and the AWS CLI works perfectly using the IAM role.

I had double checked with the document you suggested.

Could you please tag a dremio developer on this to shed some details how this is implemented?

@DaniOT

Want to check the full stack and where it is failing. Can you please try it again and send server.log?

Thanks
@balaji.ramaswamy

Here are some IAM policies I’ve tried for Dremio to read one of our buckets via EC2 Metadata. They may be overcompensating, but it works.

"s3:GetBucketPublicAccessBlock",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:GetObjectTorrent",
"s3:GetObjectTagging",
"s3:ListBucket",
"s3:GetBucketAcl",
"s3:GetBucketLocation",
"s3:GetBucketPolicy"

I just got the same error today with the latest release 4.6.1:
User: arn:aws:sts::xxx:assumed-role/xxx/xxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxx:role/dse-edge-dev (Service: Sts, Status Code: 403, Request ID: xxxx)

This is the “AssumeRole” required. The documentation did not specify this role.

This is Dremio specific. This role has no problem accessing the S3 bucket, and we have been using it for several years from both the CLI and others.

The action “sts:AssumeRole” means that the service that is trying to use the role is not authorized to use it. It’s a configuration on IAM that you need to enable trusted services to use the role, probably enable EC2 to assume the role you created.
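To make the trust relationship described above concrete, here is an added example (not Dremio's or AWS's code) that assembles the S3 actions from the earlier post into an identity policy for the EC2 instance role and models, in simplified form, how the target role's trust policy decides whether `sts:AssumeRole` is allowed. The account id, bucket name and instance role name are placeholders; `dse-edge-dev` is the role from the error message.

```python
"""Simplified model of the sts:AssumeRole trust check discussed in this thread. Added example,
not Dremio or AWS code; account id, bucket and instance role name are placeholders."""
ACCOUNT = "111122223333"           # placeholder account id
INSTANCE_ROLE = "dremio-ec2-role"  # placeholder: role attached to the EC2 instance
TARGET_ROLE = "dse-edge-dev"       # target role named in the AssumeRole error above

# Instance role identity policy: the S3 actions listed above plus sts:AssumeRole on the target.
INSTANCE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetBucketPublicAccessBlock", "s3:GetObjectAcl", "s3:GetObject",
                    "s3:GetObjectTorrent", "s3:GetObjectTagging", "s3:ListBucket",
                    "s3:GetBucketAcl", "s3:GetBucketLocation", "s3:GetBucketPolicy"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/{TARGET_ROLE}"},
    ],
}

# Target-role trust policy trusting only the EC2 service: a session of another role is not trusted.
TRUST_EC2_SERVICE_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "ec2.amazonaws.com"}}],
}

# Trust policy that names the instance role itself as a trusted principal.
TRUST_INSTANCE_ROLE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/{INSTANCE_ROLE}"}}],
}

def caller_role_arn(caller_arn):
    """Map an STS session ARN (arn:aws:sts::acct:assumed-role/Role/session) to its role ARN."""
    parts = caller_arn.split(":", 5)
    if parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        return f"arn:aws:iam::{parts[4]}:role/{parts[5].split('/')[1]}"
    return caller_arn

def is_trusted(trust_policy, caller_arn):
    # True if an Allow sts:AssumeRole statement names the caller's role as an AWS principal.
    as_list = lambda v: [v] if isinstance(v, str) else v
    role_arn = caller_role_arn(caller_arn)
    for st in trust_policy["Statement"]:
        actions = as_list(st.get("Action", []))
        aws = as_list(st.get("Principal", {}).get("AWS", []))
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in actions and role_arn in aws:
            return True
    return False
```

The model ignores account-root principals and condition keys, so it only illustrates the two cases from this thread.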