Hi All,
I am trying to establish a connection from Appian to an AWS S3 bucket. I have created a connected system with and without a DNS endpoint; please refer to the attached screenshots. It throws an error with the endpoint URL.
With the endpoint URL error is: "Failed to parse XML document with handler class com.amazonaws.services.s3.model.transform.XmlResponsesSaxParser$ListAllMyBucketsHandler".
When I am using these connected systems in an integration object, it behaves as follows:
The AWS user used for the connected system has the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucketARN",
        "arn:aws:s3:::bucketARN/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:sourceVpce": "vpce-01cxxxxxxx"
        }
      }
    }
  ]
}
Bucket permissions are as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxxxxx:user/arn"
      },
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::bucketARN",
        "arn:aws:s3:::bucketARN/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-01cxxxxxxx"
        }
      }
    }
  ]
}
Can anyone help me with the points I am missing here, or has anyone ever faced a similar kind of issue?
Hi Harsh Kumar Agarwal, I am also connecting to S3 via PrivateLink to upload and download files. Can you share which Connected System Object you are using and the connection process? I can't find the same Connected System Object in the Designer tab. Thanks
Hi Meme02, I am using the 'AWS S3 Bucket Management' plugin.
Hi Harsh Kumar Agarwal
I tried to connect and got the problem shown in the image below. Please check for me what problem I am having. (Integration object outcome without Endpoint URL in the connected system: SUCCESS)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "My IAMuser arn "
      },
      "Action": [
        "s3:ListBucket",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "S3 arn",
        "s3 arn/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce ID"
        }
      }
    }
  ]
}
This is a timeout error, which can occur mainly due to permission or connectivity issues. A few things you can try:
Check the bucket policy and the lambda role to make sure you have the correct access configuration.
If the application has a configurable timeout for S3 operations, consider increasing it to allow for potential network latency.
Review the S3 bucket policy to ensure it doesn't implicitly or explicitly deny access from your VPC endpoint attempting the connection.
Analyze VPC Flow Logs to monitor traffic to the S3 endpoint IPs and identify any blocked or dropped connections.
Harsha Sharma, thanks. Let me check again. However, I have a question (sorry, I am inexperienced). To be able to connect successfully, is it necessary to contact Appian Support to install anything on their AWS environment side, or just to create an endpoint on my own AWS environment side?
As per the documentation, it is mentioned to contact Appian Support for setup. But that doesn't involve the plugin mentioned earlier. So if you are using the plugin and issues come up, it is better to check the plugin's App Market page or the community; otherwise, connect with Appian Support to discuss and enable the setup from the server end. Hope this clarifies.
Hi Meme02 ,
I would suggest creating a bucket policy with a wildcard (*), granting all actions and resource permissions. Also, I can see the user ARN is missing in your bucket policy. Try with the wildcard first to set up connectivity, and then work in reverse order to limit the permissions step by step.
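Before widening a bucket policy to "*" and tightening it back, it is worth checking offline which requests the posted policy shape actually admits. The script below is an added example (not from any poster in this thread) that evaluates a VPC-endpoint-restricted bucket policy the way IAM does for the parts that matter here: principal, action and resource matching, and a StringEquals condition on aws:SourceVpce (condition key names are case-insensitive, so the aws:sourceVpce / aws:SourceVpce spelling difference in the posted policies is not the problem). It also flags one defect visible in the posted user policy: s3:ListAllMyBuckets is not a bucket-scoped action and is only granted when Resource is "*", which is the call the ListAllMyBucketsHandler error message refers to. The account ID, bucket name, user name and VPCE ID are placeholder assumptions, and only the StringEquals operator is modelled.

```python
"""Offline evaluation of an S3 bucket policy restricted by aws:SourceVpce.

Added example, not from the thread. Policies below are constructed copies of the
shape posted in the thread; every identifier in them is a placeholder.
"""
import fnmatch
import json

# Constructed bucket policy (same shape as the one posted; IDs are assumptions).
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Statement1",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/appian-s3"},
    "Action": ["s3:ListBucket", "s3:PutObject", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}
  }]
}
""")

# Constructed identity policy in the shape posted for the IAM user. Note that
# s3:ListAllMyBuckets is granted only on bucket ARNs, which never matches.
USER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "UserS3",
    "Effect": "Allow",
    "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-0123456789abcdef0"}}
  }]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style matching: '*' and '?' wildcards; ARNs are case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _action_matches(patterns, action):
    """Action names are case-insensitive in IAM."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """Only StringEquals is modelled; a missing context key fails the condition."""
    if not condition:
        return True
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            actual = ctx.get(key.lower())
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def evaluate(policy, principal_arn, action, resource, context):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        principal = st.get("Principal", "*")
        if principal != "*" and not _matches(principal.get("AWS", []), principal_arn):
            continue
        if not _action_matches(st.get("Action", []), action):
            continue
        if not _matches(st.get("Resource", []), resource):
            continue
        if not _condition_ok(st.get("Condition"), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def lint_list_all_my_buckets(policy):
    """Return Sids of Allow statements granting s3:ListAllMyBuckets without Resource '*'.

    That action is not resource-scoped, so such a grant never takes effect.
    """
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not _action_matches(st.get("Action", []), "s3:ListAllMyBuckets"):
            continue
        if "*" not in _as_list(st.get("Resource", [])):
            findings.append(st.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    user = "arn:aws:iam::123456789012:user/appian-s3"
    obj = "arn:aws:s3:::example-bucket/report.pdf"
    print(evaluate(BUCKET_POLICY, user, "s3:GetObject", obj, {"aws:sourceVpce": "vpce-0123456789abcdef0"}))
    print(evaluate(BUCKET_POLICY, user, "s3:GetObject", obj, {}))  # not via the endpoint
    print(lint_list_all_my_buckets(USER_POLICY))
```

Running it shows the same object fetch allowed through the expected endpoint and implicitly denied from any other path (a different VPCE or no VPCE at all, which is what a public S3 hostname gives you), and reports the ListAllMyBuckets statement that needs Resource "*". When tightening the wildcard policy back down, keep this kind of check in a pipeline so each step is verified against the exact principal, endpoint and actions the plugin uses rather than by trial and error in the Designer.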