Fetching Open workflow intermediate build assets over S3 gives a 403 error in a really simple setup #909
Comments
…stead of over HTTPS." This reverts commit 8e101b8. I filed an issue upstream over this: * nextstrain/ncov#909
Ok, I figured out the problem. I misunderstood this documentation to mean that authenticating to AWS was sufficient to be able to read from those buckets:
But that really means (and does technically say) that such authentication is necessary (not sufficient!) for the execution environment to be able to access the Since this is a money savings for your project, I think that you might likely want to document this a bit more explicitly so that people don't have to be AWS gurus.
@sacundim Thanks for digging into this and relaying your findings here! I agree the documentation here could be clarified. What you ran into was a nuance of cross-account access in AWS. As briefly described in AWS docs about "public" access (emphasis mine):
The link describes in more detail why you needed to grant access to Something like the above should be mentioned in our docs.
Relatedly, I wish it was easier in Snakemake's S3 remote support to disable request signing for these specific S3 requests, since anonymous access works fine and avoids the issue of setting up IAM for cross-account access.
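The cross-account behaviour discussed in the comments above, as an added example that is not part of the original thread or of the project's code: a simplified model of how a signed request to another account's public bucket needs an Allow on both sides, while an unsigned request is judged by the bucket policy alone. The bucket names and policies are constructed placeholders, and the model assumes every bucket-policy statement applies to all principals; it ignores conditions, ACLs and Block Public Access.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # IAM action names are case-insensitive; resource ARNs are not.
    return (any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def _effect(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, resource)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None

def cross_account_status(identity_policy, bucket_policy, action, resource):
    """HTTP status for a request to a bucket owned by a different account.
    identity_policy=None models an anonymous (unsigned) request."""
    bucket = _effect(bucket_policy, action, resource)
    if identity_policy is None:
        return 200 if bucket == "Allow" else 403
    ident = _effect(identity_policy, action, resource)
    # Signed cross-account request: both policies must allow, neither may deny.
    return 200 if (bucket, ident) == ("Allow", "Allow") else 403

# Constructed placeholders, not the real bucket names from the thread.
PUBLIC_OBJECT = "arn:aws:s3:::example-public-bucket/files/data.tsv.gz"
PUBLIC_BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-public-bucket/*"}]}
# Job role that only knows about the job owner's private bucket.
JOB_ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-private-bucket",
                  "arn:aws:s3:::example-private-bucket/*"]}]}
# Same role with read access to the public bucket granted explicitly.
FIXED_ROLE_POLICY = {"Statement": JOB_ROLE_POLICY["Statement"] + [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-public-bucket/*"}]}

if __name__ == "__main__":
    for label, policy in [("signed, role as-is", JOB_ROLE_POLICY),
                          ("anonymous", None),
                          ("signed, role fixed", FIXED_ROLE_POLICY)]:
        print(label, cross_account_status(policy, PUBLIC_BUCKET_POLICY,
                                          "s3:GetObject", PUBLIC_OBJECT))
```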
As @tsibley mentions in Pull Request #903, the Open workflow documentation recommends that users preferentially access the intermediate build assets over S3 instead of HTTPS. The documentation notes that this requires the S3 client to be authenticated with AWS:
What I observe with my own Open-based build in AWS Batch, however, is that my job is authenticated and is able to access my own private S3 buckets:
...but nevertheless gets an HTTP 403 error when the build tries to get the assets from S3:
Environment info:
Dockerfile for my AWS Batch job, it just adds my files on top of the `nextstrain/base:latest` image

The documentation states that:
...and I don't see what I could have possibly done that breaks the Docker execution environment, so at the very least I think this would merit a documentation fix.