S3 authentication by AIM role

Hi,
From my AWS EC2 i have an AIM role which provides s3 access on machine level.
This works great from local AWS CLI.

The source gets added, but when trying to access i get:
[qtp1274672203-137] ERROR c.d.d.server.GenericExceptionMapper - Unexpected exception when processing GET http://localhost:9047/apiv2/source//folder/?nocache=1570177566465 : com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID:; S3 Extended Request ID: )

Config: No Auth, Public bucket added:

Adding keys is not an option.

I had tried adding the IAM Role to “IAM Role to Assume” - alas as the machine itself has access so i’m not sure why we’d need it
(Btw, you need to put the ARN here, but this is only from the logs, gj on the documentation and the help text :scream: )

This generates is not authorised to perform: sts:AssumeRole - Again, why not use the the default mechanism?

How to solve this?
Thanks
Dani

@DaniOT

This is an exception coming from the S3 and below are possible reasons. Any chance you can go through them and see if something was missed?

https://aws.amazon.com/premiumsupport/knowledge-center/s3-troubleshoot-403/

@balaji.ramaswamy
Thanks!

The issue is Dremio specific, the host has full access to s3, aws cli works perfectly using the IAM role.

I had double checked with the document you suggested.

Could you please tag a dremio developer on this to shed some details how this is implemented?

@DaniOT

Want to check the full stack and where it is failing. Can you please try it again and send server.log?

Thanks
@balaji.ramaswamy

here are some IAM policies i’ve tried for Dremio to read to one of our bucket via EC2 Metadata. They may overcompensated, but works.

“s3:GetBucketPublicAccessBlock”,
“s3:GetObjectAcl”,
“s3:GetObject”,
“s3:GetObjectTorrent”,
“s3:GetObjectTagging”,
“s3:ListBucket”,
“s3:GetBucketAcl”,
“s3:GetBucketLocation”,
“s3:GetBucketPolicy”