fluent / fluent-plugin-s3

Amazon S3 input and output plugin for Fluentd
https://docs.fluentd.org/output/s3

Undocumented IAM permission: ListObjects #438

Closed ps-e closed 3 months ago

ps-e commented 3 months ago

Describe the bug

I'm getting the following error:

2024-08-05 08:10:25 +0000 [error]: #0 unexpected error error_class=RuntimeError error="can't call S3 API. Please check your credentials or s3_region configuration. error = #<Aws::S3::Errors::AccessDenied: Access Denied>"

My IAM permissions are configured as per the docs. But after checking the S3 access logs I can see a lot of failures for ListObjects.

To Reproduce

Configure IAM permission with recommended permissions.

ClusterOutput config:

apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterOutput
metadata:
  name: s3-output
spec:
  s3:
    buffer:
      timekey: 10m
      timekey_use_utc: true
      timekey_wait: 30s
    check_bucket: "false"
    check_object: "false"
    path: IngressLogs/${tag}/%Y/%m/%d/
    s3_bucket: YOUR_BUCKET
    s3_region: us-east-2

Expected behavior

IAM permissions are documented properly.

Your Environment

- Fluentd version: v1.14.6-alpine-5
- TD Agent version:
- fluent-plugin-s3 version:
- aws-sdk-s3 version:
- aws-sdk-sqs version:
- Operating system:
- Kernel version:

Your Configuration

apiVersion: logging.banzaicloud.io/v1beta1
kind: ClusterOutput
metadata:
  name: s3-output
spec:
  s3:
    buffer:
      timekey: 10m
      timekey_use_utc: true
      timekey_wait: 30s
    check_bucket: "false"
    check_object: "false"
    path: IngressLogs/${tag}/%Y/%m/%d/
    s3_bucket: YOUR_BUCKET
    s3_region: us-east-2

Your Error Log

2024-08-05 08:10:25 +0000 [error]: #0 unexpected error error_class=RuntimeError error="can't call S3 API. Please check your credentials or s3_region configuration. error = #<Aws::S3::Errors::AccessDenied: Access Denied>"

Additional context

No response

ps-e commented 3 months ago

Nvm, ListBucket was missing.
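
The triage described in this thread, as an added example that is not part of the original issue or the plugin's code: it reads S3 server access log lines, keeps the 403 AccessDenied entries, and maps the logged operation to the IAM action and resource ARN a policy statement must grant. The ListObjects API call is logged as REST.GET.BUCKET and is authorized by s3:ListBucket on the bucket ARN (there is no s3:ListObjects action). The log lines, owner ID, role name and request IDs are constructed sample values.

```python
import re
from collections import Counter

# S3 server access log operation -> (IAM action, ARN the statement must name).
# ListObjects is logged as REST.GET.BUCKET and is authorized by s3:ListBucket
# on the bucket ARN itself, not on the object ARN (bucket/*).
OP_TO_IAM = {
    "REST.GET.BUCKET": ("s3:ListBucket", "arn:aws:s3:::{bucket}"),
    "REST.HEAD.BUCKET": ("s3:ListBucket", "arn:aws:s3:::{bucket}"),
    "REST.GET.OBJECT": ("s3:GetObject", "arn:aws:s3:::{bucket}/*"),
    "REST.HEAD.OBJECT": ("s3:GetObject", "arn:aws:s3:::{bucket}/*"),
    "REST.PUT.OBJECT": ("s3:PutObject", "arn:aws:s3:::{bucket}/*"),
}

# Fields are space separated; the timestamp is bracketed and some are quoted.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def denied_actions(lines):
    """Count (requester, IAM action, resource ARN) over 403 AccessDenied entries."""
    hits = Counter()
    for line in lines:
        f = TOKEN.findall(line)
        # Field 9 is the HTTP status, field 10 the S3 error code.
        if len(f) < 11 or f[9] != "403" or f[10] != "AccessDenied":
            continue
        bucket, requester, op = f[1], f[4], f[6]
        action, arn = OP_TO_IAM.get(op, ("unmapped:" + op, "arn:aws:s3:::{bucket}"))
        hits[(requester, action, arn.format(bucket=bucket))] += 1
    return hits


# Constructed sample: two denied list calls and one successful upload,
# all from a hypothetical role used by the Fluentd pods.
_PFX = ('79a5exampleowner YOUR_BUCKET [05/Aug/2024:08:10:25 +0000] 10.0.0.5 '
        'arn:aws:sts::111122223333:assumed-role/fluentd-role/session ')
SAMPLE = [
    _PFX + 'REQ1 REST.GET.BUCKET - "GET /?prefix=IngressLogs%2F HTTP/1.1" 403 AccessDenied 243 - 12 - "-" "-" -',
    _PFX + 'REQ2 REST.GET.BUCKET - "GET /?prefix=IngressLogs%2F HTTP/1.1" 403 AccessDenied 243 - 9 - "-" "-" -',
    _PFX + 'REQ3 REST.PUT.OBJECT IngressLogs/a.gz "PUT /IngressLogs/a.gz HTTP/1.1" 200 - - 512 40 35 "-" "-" -',
]

if __name__ == "__main__":
    for (who, action, arn), n in denied_actions(SAMPLE).most_common():
        print(f"{n:3d}x  {who}  needs {action} on {arn}")
```

The ARN column matters as much as the action: a statement that grants s3:ListBucket only on arn:aws:s3:::YOUR_BUCKET/* does not cover the list call.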