Hi All,
I am trying to establish a connection from Appian to AWS S3 bucket. I have created a connected system with and without DNS endpoint, please refer to the attached screenshots. It throws an error with endpoint URL.
With the endpoint URL error is: "Failed to parse XML document with handler class com.amazonaws.services.s3.model.transform.XmlResponsesSaxParser$ListAllMyBucketsHandler".
When I am using these connected systems in an integration object then it behaves as following:
The AWS user used for connected system has the following policies:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:ListAllMyBuckets", "s3:ListBucket", "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::bucketARN", "arn:aws:s3:::bucketARN/*" ], "Condition": { "StringEquals": { "aws:sourceVpce": "vpce-01cxxxxxxx" } } } ] }
Bucket permissions are as follows:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::xxxxxx:user/arn" }, "Action": [ "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": [ "arn:aws:s3:::bucketARN", "arn:aws:s3:::bucketARN/*" ], "Condition": { "StringEquals": { "aws:SourceVpce": "vpce-01cxxxxxxx" } } } ] }
Can anyone help me with the points I am missing here or if anyone has ever faced similar kind of issues?
Discussion posts and replies are publicly visible
Hi Harsh Kumar Agarwal I am also connecting to S3 via Privatelink to upload and download files.Can you share which Connected System Object you are using and the connection process?I can't find the same Connected System Object in the Designer tab.Thanks
Hi Meme02 ,I am using 'AWS S3 Bucket Management' plugin.
Hi Harsh Kumar Agarwal
I tried to connect and got the problem as shown in the image below. Please check for me what problem i am having.(Integration object outcome without Endpoint URL in connected system: SUCCESS)
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Principal": { "AWS": "My IAMuser arn " }, "Action": [ "s3:ListBucket", "s3:PutObject", "s3:GetObject" ], "Resource": [ "S3 arn", "s3 arn/*" ], "Condition": { "StringEquals": { "aws:SourceVpce": "vpce ID" } } } ] }
This is a timeout error which can occur majorly due to permission or connectivity issues. Few things you can try-
Check the bucket policy and the lambda role that you have the correct access configuration
If the application has a configurable timeout for S3 operations, consider increasing it to allow for potential network latency.
Review the S3 bucket policy to ensure it doesn't implicitly or explicitly deny access from your VPC endpoint attempting the connection.
Analyze VPC Flow Logs to monitor traffic to the S3 endpoint IPs and identify any blocked or dropped connections.
Harsha Sharma thanks. Let me check again. However I have a question (sorry I am inexperienced). To be able to connect successfully, is it necessary to contact Appian Support to install anything on their aws environment side or just create endpoint on my own aws environment side.
As per documentation it is mentioned to connect to Appian Support for setup. But that doesn't involve the plugin mentioned earlier. So if you are using plugin and issues comes then better to check in plugin's App Market page or community else connect with Appian Support to discuss and enable the setup from server end. Hope it clarifies
Hi Meme02 ,
I will suggest to create bucket policy with wildcard (*), given all actions and resource permission. Also, I can see userARN is missing in your bucket policy.Try with wildcard first to setup connectivity and then work in reverse order to limit the permissions step by step.
Harsh Kumar Agarwal Thanks. Do you mean my bucket Policy should be like below?
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:user/myIAMUser" }, "Action": "s3:*", "Resource": [ "arn:aws:s3:::my-s3-bucket-name", "arn:aws:s3:::my-s3-bucket-name/*" ], "Condition": { "StringEquals": { "aws:SourceVpce": "vpce-xxxxxxxx" } } } ] }
The error in this case is Http Connect Time Out. Is it possible that I have set the endpoint information wrong?
Hi Meme02 ,You can try with following and make sure the user has permission to listAllBuckets
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Statement1", "Effect": "Deny", "Principal": { "AWS": "userARN" }, "Action": [ "s3:*" ], "Resource": [ "bucketARN", "bucketARN/*" ], "Condition": { "StringNotEquals": { "aws:SourceVpce": "vpceId" } } } ] }
Thanks.
I will try to follow your instructions.
However, may I ask, what connections have you made to Appian before using this plugin?They require Endpoint Service information to connect but this time we connect directly to S3 Endpoint so I thought it was not necessary to set up Endpoint Service. In preparation before creating Support Case, can you tell me what information will need to be provided to Appian?
Harsh Kumar Agarwal said:You can try with following and make sure the user has permission to listAllBucketsFullscreen
You can try with following and make sure the user has permission to listAllBuckets
Harsh Kumar Agarwal it doesn't work. The error still says Connect time out.
Can you give me more information about your appian and AWS settings. The appian support said they need vpc endpoint service information to set up privatelink, then just enter the private DNS information of s3 vpc endpoint into connected system and it will work. However I get this error.
vpce endpoint should be provided by Appian support to you, as this is Appian AWS vpce, not the target AWS S3 environment vpce. I have used shared the bucket policy already which I have used for basic private connection.
Harsh Kumar Agarwal oops! They said I have to create vpc endpoint service and I am confused why it is necessary. Maybe they are confused here. Can I confirm again like this? That means I will just need to create a support case, and Appian Support will create vpce to connect to S3 in their environment. And what I need to do is get vpce dns information from them along with my Access Key Id and Secret Access Key information and then set up connection to S3 right.