Hello.
Are any error messages displayed?
If so, could you please share the error message?
Judging from the document below, I think you can connect without setting the bucket policy.
https://help.tableau.com/current/pro/desktop/en-us/examples_amazons3.htm
Also, if you enable CloudTrail trails, retrieve S3 data events, and check the access history from Tableau to S3, you may be able to find some information that will help you troubleshoot.
https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html
Based on the information provided, there are several potential reasons why you might be experiencing issues connecting Tableau to AWS S3 using the Tableau S3 connector, even with admin-level permissions. Here are some areas to investigate:
- Bucket Policy: Even if you have admin-level IAM permissions, the S3 bucket might have a specific bucket policy that restricts access. Check the bucket policy to ensure it doesn't have any explicit deny statements that could override your IAM permissions.
- S3 Block Public Access settings: While you mentioned that public access is blocked, it's worth double-checking the specific Block Public Access settings at the bucket, access point, and account levels. The "RestrictPublicBuckets" setting, in particular, can affect access even for authenticated users if not configured correctly.
- VPC Endpoint Policies: If you're using VPC endpoints to access S3, ensure that the endpoint policies are not restricting access to your specific bucket or user.
- Encryption Settings: If the S3 bucket is using server-side encryption (SSE) with AWS KMS keys (SSE-KMS), make sure your IAM user has the necessary permissions to use the KMS key associated with the bucket.
- Object Ownership: Check the object ownership settings for the bucket. If set to "object owner enforced," ensure your IAM user has the necessary permissions like s3:GetBucketLocation, s3:ListBucket, and s3:GetObject.
- Cross-Account Access: If the S3 bucket is in a different AWS account than your IAM user, make sure cross-account access is properly configured.
- Specific Tableau S3 Connector Requirements: The Tableau S3 connector might require specific permissions or access patterns. Review Tableau's documentation for any S3-specific requirements that might not be covered by general admin access.
To troubleshoot:
- Review the bucket policy and ensure it allows your IAM user or role.
- Check S3 Block Public Access settings at all levels (bucket, access point, account).
- Verify VPC endpoint policies if applicable.
- Confirm encryption settings and KMS key permissions if using SSE-KMS.
- Review object ownership settings and ensure appropriate permissions.
- If cross-account access is involved, verify the correct setup.
- Consult Tableau documentation for any specific S3 connector requirements.
If after checking these areas you're still encountering issues, it would be advisable to engage AWS support for a more in-depth analysis of your specific configuration and permissions.
Sources
Troubleshoot access denied (403 Forbidden) errors in Amazon S3 - Amazon Simple Storage Service
Unable to access the S3 bucket after the IAM user was recreated | AWS re:Post
Permission issues to access s3 bucket shared by another account | AWS re:Post
Understanding Access Control in AWS S3 | AWS re:Post
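Added example, not part of either answer above and not AWS or Tableau code: one way to do the bucket-policy check from the first list item offline, by scanning a saved policy document for explicit Deny statements that can reach a given IAM principal for the three permissions the answer names. The policy, ARNs and endpoint ID are constructed placeholders, and the function deliberately does not evaluate `Resource` or `Condition`; it only reports whether a matching Deny carries a condition.

```python
import fnmatch
import json

# Constructed sample policy; account ID, user name, bucket and endpoint ID are placeholders.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowReader", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/tableau-reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Sid": "DenyOutsideVpce", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}
  ]}""")

# Permissions named in the answer above.
CONNECTOR_ACTIONS = ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _aws_principals(element):
    # "*" or {"AWS": ...}; other principal types (Service, Federated) are ignored here.
    return _as_list(element.get("AWS", [])) if isinstance(element, dict) else _as_list(element)

def _principal_applies(stmt, arn):
    if "NotPrincipal" in stmt:  # Deny + NotPrincipal hits everyone not listed
        return arn not in _aws_principals(stmt["NotPrincipal"])
    listed = _aws_principals(stmt.get("Principal", []))
    return "*" in listed or arn in listed

def _action_applies(stmt, action):
    def match(patterns):  # action names are case-insensitive; * and ? are wildcards
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))
    return not match(stmt["NotAction"]) if "NotAction" in stmt else match(stmt.get("Action", []))

def explicit_denies(policy, principal_arn, actions=CONNECTOR_ACTIONS):
    """Return (Sid, action, has_condition) for each Deny that can apply to the principal."""
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Deny" and _principal_applies(stmt, principal_arn):
            hits += [(stmt.get("Sid", "<no Sid>"), a, "Condition" in stmt)
                     for a in actions if _action_applies(stmt, a)]
    return hits

if __name__ == "__main__":
    for sid, action, conditional in explicit_denies(
            SAMPLE_POLICY, "arn:aws:iam::111122223333:user/tableau-reader"):
        print(f"{sid}: denies {action}" + (" (only when its Condition matches)" if conditional else ""))
```

A hit flagged as conditional still needs its `Condition` read by hand against how the client actually reaches S3.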
Yes, the error states "Error occurred while fetching the bucket contents. Error: Forbidden"