Configuring S3 resource fails with 403 error

Hey team! I'm trying to configure a new S3 resource by following all of the steps outlined here.

However, when testing the connection in Retool, I receive a 403 error. It seems like AWS has changed their IAM interface, so I wonder if there are new security settings that are preventing S3 access given the steps listed in the docs?

Hi @yin thanks for reaching out!

Can you share what you have for the IAM permissions? Are you using Retool on cloud or on prem?

Also, as a heads up for you or anyone seeing this thread, I checked internally and we are investigating reports of Retool's S3 integration not connecting to buckets in GovCloud specifically.

Hi @Tess. I've created a new user with the following IAM permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketWebsite",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::talar-retool-files",
                "arn:aws:s3:::talar-retool-files/*"
            ]
        }
    ]
}

I'm using Retool on cloud. The bucket in question (talar-retool-files) has no bucket policy, and "block public access" is off. The CORS policy is as follows:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "POST",
            "DELETE"
        ],
        "AllowedOrigins": [
            "https://*.retool.com"
        ],
        "ExposeHeaders": []
    },
    {
        "AllowedHeaders": [],
        "AllowedMethods": [
            "GET"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": []
    }
]

I created an Access Key for the user mentioned above and copied/pasted the Access Key and Secret Access Key into my Retool Resource setup (for the S3 resource). However, when clicking "test connection", I received the following error:


Test connection failed (0.36s):Error: S3 bucket test connection failed (Error code: 403 Forbidden)
f {statusCode: 422, payload: Object}
statusCode: 422
payload: Object
statusCode: 422
error: "Unprocessable Entity"
message: "S3 bucket test connection failed (Error code: 403 Forbidden)"
data: null

Hi @yin

It looks like the user doesn't have the ListBucket permission (s3:ListBucket). I get the same error that you're seeing on my own resource when I remove this permission. Could you try adding it? :crossed_fingers:
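Added example, not part of the thread's posts or of Retool's code: an offline check of the identity policy posted above, showing that `s3:ListBucket` is absent and that granting it only on the `/*` object ARN does not cover the bucket itself. The `REQUIRED` checklist and the object key are assumptions; the evaluator is simplified and ignores conditions, bucket policies and other policy types.

```python
import re

BUCKET = "arn:aws:s3:::talar-retool-files"
# Identity policy as posted in the thread, written compactly.
ACTIONS = ("GetBucketAcl GetBucketCORS GetBucketLocation GetBucketLogging "
           "GetBucketNotification GetBucketPolicy GetBucketWebsite GetObject "
           "GetObjectAcl GetObjectVersion GetObjectVersionAcl PutObject PutObjectAcl "
           "PutObjectTagging PutObjectVersionAcl PutObjectVersionTagging").split()
POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:" + a for a in ACTIONS],
    "Resource": [BUCKET, BUCKET + "/*"]}]}
# Assumed checklist: ListBucket comes from the reply above; the object key is constructed.
REQUIRED = [("s3:ListBucket", BUCKET), ("s3:GetObject", BUCKET + "/example.csv"),
            ("s3:PutObject", BUCKET + "/example.csv")]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, flags=0):
    # IAM wildcards: '*' is any run of characters, '?' is exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def is_allowed(policy, action, resource):
    """Explicit Deny wins, then any Allow, else implicit deny.
    Simplified: ignores Condition, NotAction/NotResource, bucket policies, SCPs."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        hit = (any(_match(a, action, re.I) for a in _as_list(st["Action"]))
               and any(_match(r, resource) for r in _as_list(st["Resource"])))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

def missing(policy, required=REQUIRED):
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]

def with_list_bucket(policy, resource):
    extra = {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": resource}
    return {**policy, "Statement": _as_list(policy["Statement"]) + [extra]}

if __name__ == "__main__":
    print("as posted:       ", missing(POLICY))
    print("bucket ARN fix:  ", missing(with_list_bucket(POLICY, BUCKET)))
    print("object ARN only: ", missing(with_list_bucket(POLICY, BUCKET + "/*")))
```

For an authoritative answer against the live account, the IAM policy simulator evaluates the same question with all policy types included.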