brskq opened a new issue #10516:
URL: https://github.com/apache/druid/issues/10516


   Druid ingestion tasks fail when applying the [required S3 permissions stated in the documentation](https://druid.apache.org/docs/latest/development/extensions-core/s3.html#s3-permissions-settings) which says:
   
   > ### S3 permissions settings
   > 
   > s3:GetObject and s3:PutObject are basically required for pushing/loading segments to/from S3. If druid.storage.disableAcl is set to false, then s3:GetBucketAcl and s3:PutObjectAcl are additionally required to set ACL for objects.
   
   I had also set the AWS region in the jvm.config files. I had to get in touch with the AWS support in order to figure out what was wrong and they came back to me with the following info:
   
   > It looks like the Druid is indeed making requests for checking ACL as well even if it is not mentioned in the Druid documentation doc since the request failed at operation "REST.GET.ACL".
   > 
   > So the user arn:aws:iam::123456789101:user/my-bucket-user will have to have the below policy added to it as minimum permissions required.
   > ```json
   > 
   > {
   >     "Version": "2012-10-17",
   >     "Statement": [
   >         {
   >             "Sid": "VisualEditor0",
   >             "Effect": "Allow",
   >             "Action": [
   >                 "s3:PutObject",
   >                 "s3:GetObjectAcl",
   >                 "s3:GetObject",
   >                 "s3:GetObjectVersionAcl",
   >                 "s3:ListBucket",
   >                 "s3:DeleteObject",
   >                 "s3:GetBucketAcl",
   >                 "s3:GetBucketLocation",
   >                 "s3:PutObjectAcl"
   >             ],
   >             "Resource": [
   >                 "arn:aws:s3:::my-s3-bucket",
   >                 "arn:aws:s3:::my-s3-bucket/*"
   >             ]
   >         },
   >         {
   >             "Sid": "VisualEditor1",
   >             "Effect": "Allow",
   >             "Action": "s3:ListAllMyBuckets",
   >             "Resource": "*"
   >         }
   >     ]
   > }
   > ```
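
To see the gap between the documented permissions and the policy AWS support supplied, the following added example (not part of the original issue and not Druid or AWS code) checks an identity policy against a list of required actions, pairing each action with the bucket ARN or an object ARN as appropriate. It is a simplified evaluator that assumes Allow statements only and ignores Deny, NotAction, NotResource and Condition; the helper names and the `probe-key` object name are hypothetical.

```python
import re

# Action list copied from the policy AWS support supplied in the issue above.
SUPPORT_ACTIONS = [
    "s3:PutObject", "s3:GetObjectAcl", "s3:GetObject", "s3:GetObjectVersionAcl",
    "s3:ListBucket", "s3:DeleteObject", "s3:GetBucketAcl", "s3:GetBucketLocation",
    "s3:PutObjectAcl", "s3:ListAllMyBuckets",
]
# These apply to the bucket ARN itself; the other s3 actions above apply to objects.
BUCKET_LEVEL = {"s3:listbucket", "s3:getbucketacl", "s3:getbucketlocation"}

def _as_list(value):
    # Statement, Action and Resource may each be a single item or a list.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _match(pattern, value):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def resource_for(action, bucket):
    """Resource an action is evaluated against (probe-key is a hypothetical object)."""
    name = action.lower()
    if name == "s3:listallmybuckets":
        return "*"
    arn = "arn:aws:s3:::" + bucket
    return arn if name in BUCKET_LEVEL else arn + "/probe-key"

def allows(policy, action, resource):
    """True if some Allow statement matches both the action and the resource."""
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # simplification: Deny and NotAction are not evaluated
        actions = _as_list(stmt["Action"])  # action names are case-insensitive
        resources = _as_list(stmt.get("Resource", []))
        if (any(_match(p.lower(), action.lower()) for p in actions)
                and any(_match(p, resource) for p in resources)):
            return True
    return False

def missing(policy, actions, bucket):
    return sorted(a for a in actions if not allows(policy, a, resource_for(a, bucket)))

# Constructed sample: grants only the four actions the quoted documentation names.
DOCS_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:GetBucketAcl", "s3:PutObjectAcl"],
    "Resource": ["arn:aws:s3:::my-s3-bucket", "arn:aws:s3:::my-s3-bucket/*"]}]}

if __name__ == "__main__":
    for action in missing(DOCS_ONLY_POLICY, SUPPORT_ACTIONS, "my-s3-bucket"):
        print("not granted:", action)
```

The same check also catches an object-level action granted only on the bucket ARN without the `/*` suffix.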

