Stream: troubleshooting

Topic: βœ” 403 Forbiddens from Amazon S3

view this post on Zulip Don Sizemore (Jul 18 2024 at 20:07):

I have a test server running Dataverse 5.14, talking to Amazon S3. I can, using the credentials specified in jvm-options and in ~payara/.aws/credentials, upload and download test files using the AWS CLI. I have disabled upload-direct and download-direct in domain.xml. I have quadruple-checked my S3-related jvm-options. No matter what I do, Amazon complains, returning a 403 Forbidden when Dataverse attempts to retrieve the bucket ACL, then another 403 Forbidden when Dataverse attempts to upload a file. I am allowing GetBucketACL in the policy attached to the IAM role. Any ideas or suggestions would be most welcome. Thank you, Don

view this post on Zulip Oliver Bertuch (Jul 18 2024 at 23:29):

Which version? I remember Jim fixed some auth ordering in some release, that might cause trouble. Don't remember the deets though :melting_face:

view this post on Zulip Philip Durbin πŸš€ (Jul 18 2024 at 23:35):

Maybe we can do a quick screen share sometime to quadruple check the settings. :grinning:

view this post on Zulip Oliver Bertuch (Jul 18 2024 at 23:43):

Sry it's late here. 5.14... :sweat_smile:

view this post on Zulip Oliver Bertuch (Jul 18 2024 at 23:46):

Yeah the fix was done in 6.1, see #10003 / #10004

view this post on Zulip Don Sizemore (Jul 19 2024 at 00:40):

Oliver Bertuch said:

Yeah the fix was done in 6.1, see #10003 / #10004

I was looking at the issue/PR, but we aren’t using RBAC, just keys. The ordering issue was reported in 5.14 when RBAC support came back on the scene, and I have 5.12.1 and 5.13 servers which seem to behave just fine.

view this post on Zulip Don Sizemore (Jul 19 2024 at 11:52):

@Philip Durbin I would love a screen share, though at some point today I have a meeting with Jamie to talk about LetsEncrypt within Dataverse-Ansible, and also her 403 Forbiddens. Note that she was running 5.14 with no S3 woes, so I'm curious how her S3 creds are defined.

view this post on Zulip Philip Durbin πŸš€ (Jul 19 2024 at 13:15):

Well, she's on the west coast. If you're available now, I'm around. :grinning:

view this post on Zulip Don Sizemore (Jul 19 2024 at 13:38):

@Philip Durbin I have an 0945 with Sonia, then I may pester you?

view this post on Zulip Philip Durbin πŸš€ (Jul 19 2024 at 13:59):

sure!

view this post on Zulip Don Sizemore (Jul 19 2024 at 18:52):

Found it. A forgotten experiment from 3 years ago was lurking in our AWS configuration. Good to know about the RBAC preference bug between 5.14-6.1, though.

view this post on Zulip Notification Bot (Jul 19 2024 at 18:52):

Don Sizemore has marked this topic as resolved.

Last updated: Oct 30 2025 at 06:21 UTC