S3 set up instructions

But I set up the CORS the same as in the tutorial?
What other settings or permissions do I need?

@Kabirdas - any news?

Hi @ScottR, does your IAM user have sts:AssumeRole permissions?

@Kabirdas where do I add that? In the Group permissions policy? Again, the documentation for this seems lacking so please, I ask for you to be more detailed. Thank you.

You might want to follow this stackoverflow post for debugging that error generally. There's an additional doc from AWS on troubleshooting IAM issues (also linked in the post) and there's another AWS doc on changing permissions. This isn't something that I've gone through personally but it looks like there are a number of different avenues to address it. Let me know if those docs don't end up being helpful and I'll check back in with my team to see if I can get you a more specific answer.

1 Like

OK I did get this working by doing three things:

  1. Adding the following to the policy (the asterisks were swallowed by the forum's formatting):
    "Action": "sts:*",
    "Resource": [
        "arn:aws:iam::accountnumber:user/*",
        "arn:aws:iam::accountnumber:role/*"
    ]

  2. Attach the policy to the user.

  3. Removed the information I had in the field Role to assume (ARN) in the Retool resource, as it was never made clear whether that needs to be populated or not.

The documentation here does seem seriously lacking. I followed the steps in the guide three separate times, and it still will not work. Eventually that led me to this post.

I get the following error

Error: User: arn:aws:iam::MYUSERNUMBER:user/retool-s3-uploader is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::MYUSERNUMBER:user/retool-s3-uploader

Trying to figure this out from developer documentation is like being given some wood and nails and told to build a house without a blueprint. So frustrating.

Hi @benbarry! Would you mind sharing a screenshot of the trust policy for the IAM user that's associated with your S3 resource? If you don't want to share it here you can also write directly to us. Getting IAM roles working is definitely one of the trickier aspects of setting up Retool and we'll do our best to figure it out with you.

@Kabirdas I got it working. The documentation just doesn't mention anything about setting up a Role.

This is the policy I used (of course with my account details where the placeholders are indicated):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketWebsite",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*",
                "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
            ]
        }
    ]
}

That policy is attached to the IAM user I created with programmatic access.

Then, this is the "Trust Relationship" for the Role I created:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT_ID:user/IAM_USER_NAME",
                "Service": "s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
1 Like

The documentation is seriously lacking. Here's how I was able to finally set up S3 with retool:

  1. Create a new user in the IAM section, let's assume retool-s3-user, without assigning any permissions/roles.

  2. Create your S3 bucket and attach the required CORS permissions:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "POST",
            "DELETE"
        ],
        "AllowedOrigins": [
            "https://*.retool.com"
        ],
        "ExposeHeaders": []
    },
    {
        "AllowedHeaders": [],
        "AllowedMethods": [
            "GET"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": []
    }
]

  3. Create a new role from IAM, let's say retool-s3-assume-role, with the following JSON for Trust Relationship/Trust Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com",
                "AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:user/retool-s3-uploader"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

  4. Create a new policy, let's say retool-s3-policy, and add the following JSON to create the policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketWebsite",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>",
                "arn:aws:s3:::<BUCKET_NAME>/*",
                "arn:aws:iam::<AWS_ACCOUNT_ID>:role/retool-s3-assume-role"
            ]
        }
    ]
}

  5. Finally, attach the created policy retool-s3-policy under the role retool-s3-assume-role.
1 Like
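As an added example (not code from this thread, from Retool or from AWS), a small offline Python checker that lines up the three pieces both walkthroughs above touch: the IAM user's identity policy, the role's trust policy, and the ARN typed into the resource's "Role to assume (ARN)" field. It reproduces the situation behind the error quoted earlier (the user's own ARN in the role field) and reports trust-policy or identity-policy mismatches; the account id, names and policies are constructed placeholders, and only Allow statements are evaluated.

```python
import fnmatch

# Constructed sample inputs modelled on the policies posted in this thread.
# ACCOUNT_ID is a placeholder, not a real account.
ACCOUNT_ID = "123456789012"
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/retool-s3-user"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/retool-s3-assume-role"

USER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "sts:AssumeRole"],
    "Resource": ["arn:aws:s3:::BUCKET_NAME", "arn:aws:s3:::BUCKET_NAME/*", ROLE_ARN]}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # IAM-style wildcard match ("*" / "?"), compared case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _aws_principals(stmt):
    p = stmt.get("Principal", {})
    return _as_list(p if isinstance(p, str) else p.get("AWS", []))

def assume_role_findings(user_arn, user_policy, target_arn, trust_policy):
    """Explain why user_arn could not assume target_arn; [] means the policies
    line up. Only Allow statements are checked (no Deny, SCP or permission
    boundary logic), so an empty result is necessary, not sufficient."""
    if ":role/" not in target_arn:
        return ["target is not a role ARN: the 'Role to assume (ARN)' field must "
                "hold a role, not the user itself (leave it empty if no role is used)"]
    root_arn = f"arn:aws:iam::{user_arn.split(':')[4]}:root"
    allow_trust = [s for s in trust_policy["Statement"] if s.get("Effect") == "Allow"
                   and _matches(s.get("Action", []), "sts:AssumeRole")]
    named = any(_matches(_aws_principals(s), user_arn) for s in allow_trust)
    via_root = any(_matches(_aws_principals(s), root_arn) for s in allow_trust)
    identity_ok = any(s.get("Effect") == "Allow"
                      and _matches(s.get("Action", []), "sts:AssumeRole")
                      and _matches(s.get("Resource", []), target_arn)
                      for s in user_policy["Statement"])
    findings = []
    if not (named or via_root):
        findings.append("role trust policy does not trust the user (neither by ARN nor via the account root)")
    if via_root and not named and not identity_ok:
        findings.append("role trusts only the account root, so the user's identity policy must also allow sts:AssumeRole on the role, and it does not")
    return findings
```

Running it with the posted trust policy but the user's own ARN as the target reproduces the "not authorized to perform: sts:AssumeRole on resource: ...:user/..." situation from earlier in the thread.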

Hey all!

We've added some updates to our S3 documentation. Thank you for pressing the issue and let me know if you have any further questions or feel something is still missing!

1 Like

I followed those instructions; it uploads files correctly, but when I try to show the image from the URL it doesn't work :confused:

Hey @agaitan026!

There's a good post here that walks through a couple of different methods for displaying S3 images.

How are you trying to display the image? And what happens when you try to display the image? Are there any errors in your browser console?

1 Like

Getting this:

I'm using the S3 component in my form.

When I put private in ACL it doesn't work, but if I put public it works. But my idea is not to have those images public, to save bandwidth.

I see, I would recommend trying option 3) Generating a signed URL from the linked post. The signed URL should work even if the image is private and you can generate one from Retool's S3 integration. Can you let me know if that works? Otherwise it might be worth trying option 1) as well.

1 Like

In the end, by using public-read it works well, but I'm just asking if there's any way to avoid that, as the images will not be public, just for my Retool app. My app flow is like this:

  1. create a product
  2. upload image in that form
  3. have a modal to view the image uploaded
  4. a modal to edit the product (still looking at how to create something to replace the image too)

Yes, but:

  1. I have a button like this

When I upload an image that works well, but when I view the image, how can I integrate option #3?

This is my view modal. As the image is not public, I can't see it. I like that flow because I can auto-generate filenames for images; not sure if with option #3 I can do that.

I used option 3, with two columns: signed URL and name of image (to generate the signed URL). Works very well.

Thank you

Awesome! Glad that works :slightly_smiling_face:

1 Like