Unable to Connect to S3 with Dremio 3.2

I’m getting an error while trying to open a folder on an S3 bucket. I am able to browse the xxx-yyyyyy-us-e1-nprod-project bucket but when I attempt to open the Dremio_POC folder I get the following error:

java.nio.file.AccessDeniedException: s3a://xxx-yyyyyy-us-e1-nprod-project/Dremio_poc: getFileStatus on s3a://xxx-yyyyyy-us-e1-nprod-project/Dremio_poc: com.amazonaws.services.s3.model.AmazonS3Exception: Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: B4F131866A825BA2), S3 Extended Request ID: 2pvLpdSOvj7cgt9Yk5lI2KsbBYcEf3yYSL2KYwL+fgR6HeONADbdBiez+/qQepDobzjWjlZTY+Y=

Other systems/applications with the same credentials are having no issues.

For Dremio we’re using the following AWS IAM policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
                "s3:GetBucketLocation"
            ],
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::xxx-yyyyyy-eu-w1-nprod-scratch",
                "arn:aws:s3:::xxx-yyyyyy-us-e1-nprod-project"
            ],
            "Condition": {
                "StringEquals": {
                    "s3:prefix": [
                        "",
                        "Dremio/",
                        "Dremio_poc/"
                    ],
                    "s3:delimiter": [
                        "/"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::xxx-yyyyyy-eu-w1-nprod-scratch",
                "arn:aws:s3:::xxx-yyyyyy-us-e1-nprod-project"
            ],
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "Dremio/*",
                        "Dremio_poc/*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:GetObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::xxx-yyyyyy-eu-w1-nprod-scratch/Dremio/*",
                "arn:aws:s3:::xxx-yyyyyy-us-e1-nprod-project/Dremio_poc/*"
            ]
        }
    ]
}

Any assistance you could provide would be most helpful.
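As an added check, not from the original thread: a minimal IAM-style evaluator in Python, run over the posted policy with the wildcards the forum rendering swallowed restored, shows which of the requests behind a folder open the policy grants. It assumes that the s3a getFileStatus call issues HEAD requests on the key with and without a trailing slash before listing the prefix; that assumption, plus BUCKET, POLICY and the helper names, are mine and not from the post.

```python
import re
# Constructed copy of the poster's policy, with the wildcards the forum rendering swallowed
# (arn:aws:s3:::*, Dremio/*, Dremio_poc/*) restored; the scratch bucket is omitted for brevity.
BUCKET = "arn:aws:s3:::xxx-yyyyyy-us-e1-nprod-project"
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"], "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET], "Condition": {"StringEquals": {
        "s3:prefix": ["", "Dremio/", "Dremio_poc/"], "s3:delimiter": ["/"]}}},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": [BUCKET], "Condition": {"StringLike": {
        "s3:prefix": ["Dremio/*", "Dremio_poc/*"]}}},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectAcl"],
     "Resource": [BUCKET + "/Dremio_poc/*"]}]}

def as_list(x):
    return x if isinstance(x, list) else [x]

def wildcard_match(pattern, value):
    """IAM-style matching: '*' spans any characters (including '/'), '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def condition_holds(condition, context):
    """StringEquals / StringLike only; a key absent from the request context fails the condition."""
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            value = context.get(key)
            if value is None:
                return False
            ok = (value in as_list(wanted) if operator == "StringEquals"
                  else any(wildcard_match(p, value) for p in as_list(wanted)))
            if not ok:
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Allow-only evaluation: does some statement grant action on resource under this context?"""
    context = context or {}
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Allow"
                and any(wildcard_match(a, action) for a in as_list(stmt["Action"]))
                and any(wildcard_match(r, resource) for r in as_list(stmt["Resource"]))
                and condition_holds(stmt.get("Condition", {}), context)):
            return True
    return False

def folder_probe(bucket_arn, folder):
    """Verdicts for the three requests of a HEAD-then-LIST folder probe (assumed s3a getFileStatus behaviour)."""
    return {
        "head " + folder: is_allowed(POLICY, "s3:GetObject", f"{bucket_arn}/{folder}"),
        "head " + folder + "/": is_allowed(POLICY, "s3:GetObject", f"{bucket_arn}/{folder}/"),
        "list " + folder + "/": is_allowed(POLICY, "s3:ListBucket", bucket_arn,
                                           {"s3:prefix": folder + "/", "s3:delimiter": "/"}),
    }
```

Running folder_probe(BUCKET, "Dremio_poc") shows that the key "Dremio_poc" without a trailing slash is outside every Resource pattern in the policy, while the slash-terminated key and the prefix listing are granted.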

This is because your policy is badly formatted and AWS probably didn’t warn you with any error message.

You can also see this is the old version of the JSON policy, because it lacks the "principal": variable on the statement.

I highly recommend using the AWS policy generator to format it, as it is up to date and not prone to errors.
https://docs.dremio.com/deployment/distributed-storage.html#amazon-s3

Friendly Advice: Don’t just copy and paste configuration files of any kind, especially IAM policies. Some critical thinking is always good to have in these moments. Try to really understand what you are doing.

In case you want to write your own policies for dremio, use these links as source:

To check if the problem is with Dremio or with the policy, give Dremio the IAM credentials of the bucket owner right after you add “Amazon S3” as a Data Source. Since he has almost complete control over the bucket, there shouldn’t be any permission error.

But this last one is not recommended in a production environment, for reasons of security, organization and control over your billing…
It is a great workaround though.

If what I said didn’t work, please reply and I will try to help you.