Closed: johnsmclay closed this issue 1 month ago
Just double checking: this is affecting the S3 source connector?
S3 destination and Databricks destination. Maybe the S3 source. My guess is it's some sort of permission issue, because I set it up on a new AWS account last night, gave it the master creds, and it worked. So maybe we just need to add clear guidance on what permissions are needed? I mean, anyone who has enough data that they'd want to use this tool should be smart enough to know not to just give it free rein on their AWS account 😅
I'm seeing the same issue on Airbyte v0.40.10 on Kubernetes. I can see that the checker pod does not have my service account, nor do I see it passing the AWS credentials (or a reference to the secret holding them) in its env vars.
Also, if I leave the key ID and access key empty, it throws an error as if they were mandatory, even though they are marked Optional (The authorization header is malformed; a non-empty Access Key (AKID) must be provided in the credential.).
I would expect it not to send an AKID when the field is empty, so that it just attempts to log in through the credentials configured in the env or the attached role.
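The fallback I'd expect looks roughly like this (a hypothetical sketch, not Airbyte's actual code; the function name is made up): only pass explicit static keys when both fields are non-empty, and otherwise hand the SDK nothing so its default chain (env vars, shared config, attached IAM role) takes over.

```python
def explicit_credentials(access_key_id, secret_access_key):
    """Hypothetical sketch: return static credentials only when both fields
    are filled in; returning None would let the AWS SDK fall back to its
    default chain (env vars, shared config, attached IAM role)."""
    if access_key_id and secret_access_key:
        return {
            "aws_access_key_id": access_key_id,
            "aws_secret_access_key": secret_access_key,
        }
    # Empty or missing fields: don't send an empty AKID, defer to the chain.
    return None
```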
@johnsmclay @ext-gvillafane this has been brought to the attention of the engineering team!
Hello @natalyjazzviolin! Any news from the engineering team about this?
@luancaarvalho Not yet! The on-call engineer is aware of the issue, though!
Thank you
@ext-gvillafane Airbyte connectors currently do not support reading IAM credentials from the environment.
Any update on this issue?
Closing - this destination has been updated significantly since this issue was posted. We rely on Unity Catalog now
Environment
Current Behavior
When creating a new destination on Databricks, it requires S3 as a staging area. I created a bucket, an account, IAM policies for that user, and API creds. When I try to save the destination, it runs its checks and says:
So, S3 access denied. Not sure what it's trying to do, so I checked where it's happening:
io.airbyte.integrations.destination.s3.S3StorageOperations.createBucketObjectIfNotExists(S3StorageOperations.java:103) ~[io.airbyte.airbyte-integrations.connectors-destination-s3-0.39.41-alpha.jar:?]
That line is where it tries to use the AWS S3 Java library to put the file in question (I guess a test file?) into the location. Using those credentials, on the AWS CLI I can push a file to that location successfully:
aws s3 cp ~/Downloads/Result_20.csv s3://my-cool-bucket-name/non-managed-tables/airbyte/ --profile test
I also successfully set up plain S3 sources and destinations with those same credentials and the same location. The S3 source finds no files to import, and the S3 destination gives the exact same 403 AccessDenied error from S3.
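One thing worth noting: `aws s3 cp` only exercises `s3:PutObject`, while the check (judging by the `createBucketObjectIfNotExists` frame in the stack trace) presumably lists the prefix before writing a placeholder object. Here's a rough sketch of that kind of flow (names and behavior are my assumptions, not Airbyte's actual code; the client is an in-memory stand-in, not the real SDK), which would explain a 403 here even though `cp` succeeds when the policy lacks bucket-level `s3:ListBucket`:

```python
def create_bucket_object_if_not_exists(client, bucket, path):
    """Hypothetical sketch of the connector's check flow."""
    key = path if path.endswith("/") else path + "/"
    # Listing the prefix needs s3:ListBucket on the bucket itself,
    # a permission `aws s3 cp` never touches.
    if key not in client.list_keys(bucket, prefix=key):
        # Writing the zero-byte "folder" object needs s3:PutObject.
        client.put_object(bucket, key, b"")
    return key

class FakeS3Client:
    """Minimal in-memory stand-in so the flow above can be exercised."""
    def __init__(self):
        self.store = {}
    def list_keys(self, bucket, prefix):
        return [k for k in self.store if k.startswith(prefix)]
    def put_object(self, bucket, key, body):
        self.store[key] = body
```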
So I know:
My best guess is that Airbyte is either:
The IAM policy:
Info about the bucket: versioning is off; SSE is enabled by default but isn't required, so you won't get rejected if you aren't doing SSE; public access is blocked; the object owner is the writer; and the bucket policy is the automatic one where root can do things and anyone else needs IAM authorization. No lifecycle, replication, or access points.
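For comparison, a policy of roughly this shape is what I'd guess is sufficient (this is an illustrative example, not the policy I'm actually using; the bucket name is a placeholder): it grants the object-level actions plus the bucket-level listing permissions that the check seems to need.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::my-cool-bucket-name/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::my-cool-bucket-name"
    }
  ]
}
```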
Expected Behavior
It should complete the check and continue on. Or at least tell me what permissions it needs that it doesn't have. Even the documentation on the right in the Databricks connector just talks about generic IAM stuff and says you should be using roles, NOT an access key and ID (lol). The S3 one points to this doc, which is where I got the idea to add "s3:*Object", but that didn't help.
Logs
Docker Logs:
Results from "Download server Logs" (doesn't seem too useful, but who knows):
printenv on the server:
Steps to Reproduce
Are you willing to submit a PR?
Yeah, if someone can point me to what is going wrong, I can give it a go.