S3 permission issues with LookerBot

I’ve set up an IAM user in AWS that has all the requisite permissions and a bucket w/ the specific policy on the LookerBot documentation page (https://github.com/looker/lookerbot) – in fact, I’ve gone a bit overboard for testing purposes and given the IAM user full S3 access as well as both “s3:PutObject”, “s3:PutObjectAcl”.

However, using a custom command with LookerBot returns the vague error, “S3 Error: Access Denied.” This is strange because I’ve verified that the IAM user I created has access to the specific S3 bucket I created to upload files via the AWS CLI, and that the keys used by the AWS CLI are the same that I’ve configured in the .env file of my lookerbot deployment, and that there are no other conflicting environment variables floating around. (And the AWS region is correct, and on and on.)

Has anyone else encountered a similar issue? Any luck either overcoming the issue or at least wringing a more specific error message out of LookerBot?

I’ve managed to get around this for now by using a company account with pre-built permissions, although I’m still curious about the above since I don’t quite understand what the barrier is there.

Now I’ve got an issue where the Look images for custom commands. They are actually being uploaded to S3, are correct as per the command, and are publicly viewable from S3.

But when responding in Slack, the Looker app merely gives a Looker link without inserting the image into its response (example attached).

Example

Both of the above issues appear to be related to the bucket’s permission settings around access control lists. In addition to the s3 bucket permissions listed in the readme, I had to toggle off (set to “false”) the following settings for the s3 bucket that hosts the images:

Block new public ACLs and uploading public objects
Remove public access granted through public ACLs

After doing this, the Looker slack bot shows visualization images as expected.

2 Likes

Thanks for posting your solution for everyone! Good to know.