AWS Simple Storage Service (S3)

This document explains how to set up your system for authenticating to S3 using the credential helper.

IAM Setup

To access data from a bucket, you need an AWS user or service account with read access (s3:GetObject) to the objects you want to access. Refer to the AWS documentation for more information.

Authentication Methods

Option 1: Using the AWS CLI and Single Sign On (SSO) as a regular user (Recommended)

  • Install the AWS CLI
  • Follow the documentation for using aws configure sso and aws sso login to sign in
  • Follow the browser prompts to authenticate

Option 2: Authenticate with other methods

AWS has a lot of ways to authenticate, and the credential helper uses the official SDK. If you have more complex requirements, follow the AWS documentation to set up your method of choice. This may require you to set environment variables when using Bazel (or other tools).

Configuration

Add to your .bazelrc:

common --credential_helper=s3.amazonaws.com=%workspace%/tools/credential-helper
common --credential_helper=*.s3.amazonaws.com=%workspace%/tools/credential-helper

Troubleshooting

HTTP 401 or 403 error codes

When using the AWS CLI with SSO, check if you are still authenticated using aws sts get-caller-identity. Then ensure your user has access to the object you are trying to access using aws s3 cp s3://<BUCKET_NAME>/<OBJECT> ./<OUTPUT_FILENAME>, and check if the credential helper is configured in .bazelrc.
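
The three checks above as one script, an added example that is not part of the credential helper project. The function names (helper_patterns, host_covered, diagnose) are hypothetical, and the host matching (exact name, or a leading "*." covering subdomains) is a simplified assumption about how Bazel applies the patterns; a --credential_helper entry without a host scope is not considered.

```shell
#!/bin/sh
# Added triage example for HTTP 401/403; not the project's own code.

# Print the host scopes configured via --credential_helper in a .bazelrc.
helper_patterns() {
  sed -n 's/^[[:space:]]*[a-z:_-]*[[:space:]]\{1,\}--credential_helper=\([^=]*\)=.*/\1/p' "$1"
}

# Return 0 if host $1 is matched by a scope in .bazelrc $2.
# Assumed rule: exact name, or "*.domain" matching subdomains of domain.
host_covered() {
  helper_patterns "$2" | (
    while IFS= read -r pat; do
      case $pat in
        '*.'*) case $1 in *".${pat#\*.}") exit 0 ;; esac ;;
        *) [ "$1" = "$pat" ] && exit 0 ;;
      esac
    done
    exit 1
  )
}

# Usage: diagnose <bucket> <object> <host-in-the-failing-url> [bazelrc]
# Stops at the first failing check so the message names the actual cause.
diagnose() {
  rc=${4:-.bazelrc}
  # 1. Is the session still valid? SSO tokens expire.
  aws sts get-caller-identity >/dev/null 2>&1 ||
    { echo "not authenticated: run 'aws sso login'"; return 1; }
  # 2. Can this identity read the object (s3:GetObject)? Stream to stdout.
  aws s3 cp "s3://$1/$2" - >/dev/null 2>&1 ||
    { echo "identity cannot read s3://$1/$2"; return 1; }
  # 3. Does Bazel invoke the helper for this host at all?
  host_covered "$3" "$rc" ||
    { echo "no --credential_helper scope in $rc matches $3"; return 1; }
  echo "all checks passed"
}

# Run only when called with arguments, e.g.:
#   sh triage.sh <BUCKET_NAME> <OBJECT> <BUCKET_NAME>.s3.amazonaws.com
if [ "$#" -ge 3 ]; then diagnose "$@"; fi
```

Under the assumed matching rule, a region-specific host such as <BUCKET_NAME>.s3.eu-west-1.amazonaws.com is not covered by either configured scope, so check 3 reports it.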