[s3_repository] path is not accessible on master node

My EC2 Elasticsearch 2.4.6 cluster (hosted in the Amazon East data center) is having issues with the aws-cloud 2.4.6 plugin. I have configured my elasticsearch.yml file as instructed by configuration.

cloud:
  aws:
    access_key: XXX
    secret_key: XXX

The S3 bucket is set up to have s3Full access.
I did some testing before my Elasticsearch cluster upgrade, on version 1.7.6, using the aws-cloud plugin from this documentation: https://github.com/elastic/elasticsearch-cloud-aws. The snapshot and restore process was working perfectly fine until I recently upgraded my ES version to 2.4.6.

Here's the curl script I usually use to create s3_repository. PS, I can manually upload files to the s3 bucket using aws cli.

curl -XPUT 'http://localhost:10557/_snapshot/s3_repository?pretty' -H 'Content-Type: application/json' -d'
{
  "type": "s3",
  "settings": {
    "bucket": "my-bucket",
    "region": "us-east",
    "access_key": "XXX",
    "secret_key": "XXX"
  }
}'

{
"error" : {
"root_cause" : [ {
"type" : "amazon_s3_exception",
"reason" : "amazon_s3_exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 3906E3E1E996060C)"
} ],
"type" : "repository_verification_exception",
"reason" : "[s3_repository] path is not accessible on master node",
"caused_by" : {
"type" : "i_o_exception",
"reason" : "i_o_exception: com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 3906E3E1E996060C), S3 Extended Request ID: Q/OWbf2aljoROoeLB48dfZ8YqBKzKw5JaQvpxrHwXXd4WT4qUp5nlHs8fCWKV19dIrCPXtW6Clo=",
"caused_by" : {
"type" : "amazon_s3_exception",
"reason" : "amazon_s3_exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 3906E3E1E996060C)"
}
}
},
"status" : 500
}

And in my s3 bucket, there is a test folder created but not the s3_repository.

Is anyone else having similar issues?

My S3 policy was configured by a guy from aws admin team.

{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME",
        "arn:aws:s3:::BUCKET-NAME/*"
      ]
    }
  ],
  "Version": "2012-10-17"
}

I have solved this issue myself; the issue is with the way the policy is set up.

{
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation",
        "s3:ListBucketMultipartUploads",
        "s3:ListBucketVersions"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME"
      ]
    },
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::BUCKET-NAME/*"
      ]
    }
  ],
  "Version": "2012-10-17"
}

Previously, our aws admin removed the "s3:DeleteObject" from the action list.

2 Likes
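
A check for the difference between the two policies in this thread, as an added example that is not part of the original posts: it reports which of the actions listed in the working policy a given policy document fails to allow, separately for the bucket ARN and for object keys. The function names, the probe key and the decision to ignore Deny statements, conditions and NotAction/NotResource are assumptions of this example.

```python
import fnmatch

# Action sets copied from the working policy in the thread.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation",
                  "s3:ListBucketMultipartUploads", "s3:ListBucketVersions"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                  "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"}

def _as_list(value):
    """IAM accepts either one string or a list for Action and Resource."""
    return [value] if isinstance(value, str) else list(value)

def _covered(required, stmts, arn):
    """Subset of `required` that some Allow statement grants on `arn`.
    Simplification: Deny, Condition, NotAction and NotResource are ignored."""
    granted = set()
    for stmt in stmts:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        for pattern in _as_list(stmt.get("Action", [])):  # action names are case-insensitive
            granted |= {a for a in required
                        if fnmatch.fnmatchcase(a.lower(), pattern.lower())}
    return granted

def missing_actions(policy, bucket):
    """Required actions the policy fails to allow, split by resource type."""
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = bucket_arn + "/probe-key"  # constructed sample object key
    return {"bucket": sorted(BUCKET_ACTIONS - _covered(BUCKET_ACTIONS, stmts, bucket_arn)),
            "object": sorted(OBJECT_ACTIONS - _covered(OBJECT_ACTIONS, stmts, object_arn))}

def _policy(object_actions, object_resources):
    """Rebuild the thread's two-statement policy (constructed test input)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(BUCKET_ACTIONS),
         "Resource": ["arn:aws:s3:::BUCKET-NAME"]},
        {"Effect": "Allow", "Action": object_actions, "Resource": object_resources}]}

BEFORE = _policy(["s3:GetObject", "s3:PutObject", "s3:AbortMultipartUpload",
                  "s3:ListMultipartUploadParts"],
                 ["arn:aws:s3:::BUCKET-NAME", "arn:aws:s3:::BUCKET-NAME/*"])
AFTER = _policy(sorted(OBJECT_ACTIONS), ["arn:aws:s3:::BUCKET-NAME/*"])
if __name__ == "__main__":
    print("before:", missing_actions(BEFORE, "BUCKET-NAME"))
    print("after: ", missing_actions(AFTER, "BUCKET-NAME"))
```

Running it against a policy exported from IAM before registering the repository shows a removed object action without waiting for the 403 from repository verification.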
