S3 set up instructions

Support,

I tried following everything in the doc noted below, but it's still not working... I'm just doing this to learn more about S3 and how to get the basics down.

I can test the resource connection and that works, but the actual upload button does not.
https://docs.retool.com/docs/upload-photos-to-s3

Is the doc up to date?

Thanks,
Scott

Hi @ScottR! Any particular errors in Retool or in your browser console?

Nope. Just internal server error. I am on a free plan but I don’t see how that would be an impact

Note that my bucket on s3 is not public - not sure if that makes a difference...

Here is what I am seeing:



@Kabirdas - any idea on what's happening? I really need to know how to get this done....

Hey @ScottR, sorry for the late reply here. There's an issue we're currently looking into where backend errors with S3 aren't being surfaced for users. I'll let you know here when there's an update on that. In the meantime we were able to find this error for your account:

SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

Can you double-check the Access key ID and Secret access key ID in your resource setup?

I did and I even regenerated one for the IAM user and made the old one inactive, but to no avail...

Looks like you're getting a different error now :sweat_smile:

AccessDenied: User: arn:aws:iam::318...135:user/retool-s3-uploader is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::318...135:user/retool-s3-uploader

Can you double-check the permissions on your IAM user?

But I set up the CORS the same as in the tutorial?
What other settings or permissions do I need?

@Kabirdas - any news?

Hi @ScottR, does your IAM user have sts:AssumeRole permissions?

@Kabirdas where do I add that? In the Group permissions policy? Again, the documentation for this seems lacking so please, I ask for you to be more detailed. Thank you.

You might want to follow this Stack Overflow post for debugging that error generally. There's an additional doc from AWS on troubleshooting IAM issues (also linked in the post) and there's another AWS doc on changing permissions. This isn't something that I've gone through personally but it looks like there are a number of different avenues to address it. Let me know if those docs don't end up being helpful and I'll check back in with my team to see if I can get you a more specific answer.

1 Like

OK I did get this working by doing three things:

  1. Adding the following to the policy
    "Action": "sts:*",
    "Resource": [
    "arn:aws:iam::accountnumber:user/*",
    "arn:aws:iam::accountnumber:role/*"
    ]

  2. attach the policy to the user

  3. Removed the information I had in the field Role to assume(ARN) in the retool resource as it was never made clear why that needs to be populated or not.
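
Added example (not part of the original thread, and not Retool's or AWS's code): a small triage helper for the two backend errors quoted above. It shows why the second error points at the "Role to assume (ARN)" field: the resource of `sts:AssumeRole` is a user ARN, and only roles can be assumed. The account ID and the sample messages are constructed placeholders.

```python
import re

# Shape of the AccessDenied text quoted in this thread.
DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>\S+) on resource: (?P<resource>\S+)")

def arn_resource_type(arn):
    """Return 'user', 'role', ... from arn:partition:service:region:account:type/name."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        return None
    return parts[5].split("/", 1)[0]

def diagnose(message):
    """Map an S3 resource error to the setting worth checking first."""
    if message.startswith("SignatureDoesNotMatch"):
        return "credentials: re-enter the access key ID and secret access key"
    m = DENIED.search(message)
    if m is None:
        return "unrecognized"
    if m["action"] != "sts:AssumeRole":
        return "identity policy: %s is missing for %s" % (m["action"], m["resource"])
    kind = arn_resource_type(m["resource"])
    if kind != "role":
        # sts:AssumeRole only targets roles; a user ARN here means the
        # "Role to assume (ARN)" field holds a user ARN (often the caller's own).
        return "role field: holds a %s ARN, not a role ARN" % kind
    return "role policies: check the role's trust policy and the caller's sts:AssumeRole grant"

# Constructed samples modeled on the errors in the thread (placeholder account ID).
USER = "arn:aws:iam::111122223333:user/retool-s3-uploader"
SAMPLES = [
    "SignatureDoesNotMatch: The request signature we calculated does not match ...",
    "AccessDenied: User: %s is not authorized to perform: sts:AssumeRole "
    "on resource: %s" % (USER, USER),
    "AccessDenied: User: %s is not authorized to perform: sts:AssumeRole "
    "on resource: arn:aws:iam::111122223333:role/retool-s3-assume-role" % USER,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(diagnose(sample))
```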

The documentation here does seem seriously lacking. I followed the steps in the guide three separate times, and it still will not work. Eventually that led me to this post.

I get the following error

Error: User: arn:aws:iam::MYUSERNUMBER:user/retool-s3-uploader is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::MYUSERNUMBER:user/retool-s3-uploader

Trying to figure this out from developer documentation is like being given some wood and nails and told to build a house without a blueprint. So frustrating.

Hi @benbarry! Would you mind sharing a screenshot of the trust policy for the IAM user that's associated with your S3 resource? If you don't want to share it here you can also write directly to us. Getting IAM roles working is definitely one of the trickier aspects of setting up Retool and we'll do our best to figure it out with you.

@Kabirdas I got it working. The documentation just doesn't mention anything about setting up a Role.

This is the policy I used (of course with my account details where the placeholders are indicated):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketWebsite",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::BUCKET_NAME",
                "arn:aws:s3:::BUCKET_NAME/*",
                "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
            ]
        }
    ]
}

That policy is attached to the IAM user I created with programmatic access.

Then, this is the "Trust Relationship" for the Role I created:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT_ID:user/IAM_USER_NAME",
                "Service": "s3.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
1 Like

The documentation is seriously lacking. Here's how I was able to finally set up S3 with retool:

  1. Create a new user in the IAM section, let's assume retool-s3-user, without assigning any permissions/roles.

  2. Create your S3 bucket and attach the required CORS permissions:

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "PUT",
            "POST",
            "DELETE"
        ],
        "AllowedOrigins": [
            "https://*.retool.com"
        ],
        "ExposeHeaders": []
    },
    {
        "AllowedHeaders": [],
        "AllowedMethods": [
            "GET"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": []
    }
]
  3. Create a new role from IAM, let's say retool-s3-assume-role, and use the following JSON for Trust Relationship/Trust Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com",
                "AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:user/retool-s3-uploader"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
  4. Create a new policy, let's say retool-s3-policy, and add the following JSON to create the policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketNotification",
                "s3:GetBucketPolicy",
                "s3:GetBucketWebsite",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectVersion",
                "s3:GetObjectVersionAcl",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectVersionTagging"
            ],
            "Resource": [
                "arn:aws:s3:::<BUCKET_NAME>",
                "arn:aws:s3:::<BUCKET_NAME>/*",
                "arn:aws:iam::<AWS_ACCOUNT_ID>:role/retool-s3-assume-role"
            ]
        }
    ]
}
  5. Finally, attach the created policy retool-s3-policy under the role retool-s3-assume-role
1 Like
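
Added example (not part of the original thread, and not a full IAM evaluator): a simplified check of what the policy shapes posted above actually grant. It shows that a role ARN listed under S3-only actions grants nothing toward `sts:AssumeRole`, and compares a wildcard STS statement (`sts:*` on `user/*` and `role/*`) with one scoped to a single role. The policies, account ID and bucket name are constructed placeholders; Deny, NotAction/NotResource and Condition are ignored.

```python
import re

def glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def listify(v):
    return v if isinstance(v, list) else [v]

def allows(policy, action, resource):
    """True if an Allow statement matches both action and resource (simplified)."""
    for st in listify(policy["Statement"]):
        if st.get("Effect") == "Allow" \
                and any(glob(a, action, True) for a in listify(st["Action"])) \
                and any(glob(r, resource) for r in listify(st["Resource"])):
            return True
    return False

ARN_SERVICE = {"sts": "iam"}  # sts:AssumeRole is granted on IAM role ARNs

def dead_resources(policy):
    """Resources that no action in the same statement can apply to."""
    dead = []
    for st in listify(policy["Statement"]):
        prefixes = {a.split(":", 1)[0].lower() for a in listify(st["Action"])}
        services = {ARN_SERVICE.get(p, p) for p in prefixes}
        for r in listify(st["Resource"]):
            svc = r.split(":")[2] if r.startswith("arn:") else "*"
            if svc != "*" and "*" not in services and svc not in services:
                dead.append(r)
    return dead

# Constructed policies modeled on the thread; account ID and bucket are placeholders.
ROLE = "arn:aws:iam::111122223333:role/retool-s3-assume-role"
S3_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],  # subset of the posted list
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*", ROLE]}]}
STS_WILDCARD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:*",
    "Resource": ["arn:aws:iam::111122223333:user/*", "arn:aws:iam::111122223333:role/*"]}]}
STS_SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE}]}
```

`dead_resources(S3_POLICY)` returns the role ARN, and `allows(STS_WILDCARD, "sts:AssumeRole", ...)` is true for every role in the account, while `STS_SCOPED` allows only `ROLE`.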

Hey all!

We've added some updates to our S3 documentation. Thank you for pressing the issue and let me know if you have any further questions or feel something is still missing!

1 Like

I followed those instructions and it uploads files correctly, but when I try to show the image from the URL it doesn't work :confused: