Anyone knows how to set config.yaml for aws dynamo...
# help
u
Does anyone know how to set config.yaml for AWS DynamoDB? I used the example on lakeFS for deploying on AWS, and I got
ValidationException: The provided key element does not match the schema
u
Hey Ronnie, I'll try to help with this. Are you getting this error from lakeFS? Can you share the logs (without truncation)?
u
Sorry, I just solved this issue. The solution is that we don't need to create a DynamoDB table before we start lakeFS. lakeFS will automatically create one for you as long as it has the right role. Thanks, Itai
u
🙏 Let me know if you need anything else
u
BTW, the folder in S3 bucket generated by LakeFS is dummy by default. Is there a way to customize it?
u
What do you mean by “dummy by default”?
u
The folder name in the bucket is called "dummy"
u
"dummy" is an object lakeFS creates inside the storage namespace to validate it has access.
u
Do you know what kind of permissions I have to have in order to make lakeFS work? I set S3 full access, KMS, and DynamoDB full access, but I still fail to upload files in lakeFS.
u
What is the error you're getting? Did you successfully create a repo? I find this doc very useful for storage permissions
u
I can create repo, branch, but fail to upload files
u
That's weird, can you share the logs?
u
How do we use KMS when uploading a file?
u
In the GUI, there is no way to use KMS, right? We can only use code, for example the lakefs-python package, to upload files after KMS, right?
u
What's kms? 😅
u
To encrypt or decrypt data
u
In s3 you can configure bucket level encryption, every object stored in the bucket will seamlessly be stored encrypted. You don't need to do it yourself before storing the data in lakeFS.
u
Yeah, I already enabled default encryption
u
In our S3 bucket policy, there is one mandatory rule: data has to be encrypted using KMS before uploading. Maybe that's why my upload failed. So I cannot use the GUI to upload data, but have to do it in code.
u
The UI enables you to upload data from your local storage, so unless you have the encrypted files stored locally, I guess you're right.
u
Thanks
u
🙏
u
There is no way to have some kind of KMS setup in lakeFS, right?
u
Hey @Ronnie Ning, I'm not sure what you're asking. If you're asking whether lakeFS can encrypt your objects on S3 using KMS with server-side encryption, then it's currently not supported.
u
I tried several ways to encrypt a file, then uploaded it to S3 with SSE enabled; all of them failed. But if I put KMS as an extra config, it was successful. So I wonder if lakeFS can also set KMS as a config when loading files to S3.
u
Unfortunately, this is not supported at the moment. You're welcome to open an issue describing the use case.
u
Iddo Avneri 10/26/2022, 12:18 PM You are welcome to run lakeFS on top of a bucket with default SSE - it will work and all the data will be encrypted.
u
I wasn't aware of the option to turn on SSE by default. Let me check.
u
I wonder how, since I followed the instructions: 1. Prepare your encrypted storage. 2. Run lakeFS locally against your storage. But no luck.
u
Following these instructions will cause all new objects on your bucket to be encrypted by default. I hope this helps.
u
Yeah, I did enable the default SSE on S3, but lakeFS file loading failed with access denied.
u
Please provide the complete error that you are seeing
u
HTTP response headers: HTTPHeaderDict({'Date': 'Mon, 21 Nov 2022 22:24:05 GMT', 'Content-Type': 'application/json', 'Content-Length': '383', 'Connection': 'keep-alive', 'X-Content-Type-Options': 'nosniff', 'X-Request-Id': 'aa3c2df7-e081-49fd-9c34-115cf8658ddf'})
HTTP response body: {"message":"s3 error: \u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cError\u003e\u003cCode\u003eAccessDenied\u003c/Code\u003e\u003cMessage\u003eAccess Denied\u003c/Message\u003e\u003cRequestId\u003eAE8C2RC4F6A8A6HV\u003c/RequestId\u003e\u003cHostId\u003eZ1CXhP9KOwEUgaijq3Y2TFZDXihy2G9jQDcDeIMZXAm45WrSc859m7jAyZYV8gI6GSohdv8zl8U=\u003c/HostId\u003e\u003c/Error\u003e"}
u
Are you seeing this error in the lakeFS logs?
u
Or is this the response you are getting locally from lakeFS?
u
I am using the lakefs-client package in Python. That was the returned error message.
u
Basically, S3 denied lakeFS file loading.
u
I see. It means lakeFS doesn't have permissions to write the file. The lakeFS logs can provide more information
u
But basically you need to take a look at the policy of the IAM user/role that lakeFS operates on behalf of.
u
{
    "Sid": "LakeFSS3",
    "Effect": "Allow",
    "Principal": "*",
    "Action": [
        "s3:Get*",
        "s3:List*",
        "s3:Put*",
        "s3:Delete*",
        "s3:Abort*"
    ],
    "Resource": [
        "arn:aws:s3:::uniq-lakefs-dev/*",
        "arn:aws:s3:::uniq-lakefs-dev"
    ]
},
u
The policy should be good enough.
u
Is this the bucket policy or the policy of the user/role?
u
Bucket policy
u
Role policy: full access
u
Please take a look at the logs from the lakeFS server.
u
Where is that log in /lakefs?
u
By default it goes to the standard output.
u
Of the server process
u
ERROR [2022-11-21T22:24:05Z] lakeFS/pkg/block/s3/adapter.go:239 pkg/block/s3.(*Adapter).streamToS3 bad S3 PutObject response error="s3 error: <?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>AE8C2RC4F6A8A6HV</RequestId><HostId>Z1CXhP9KOwEUgaijq3Y2TFZDXihy2G9jQDcDeIMZXAm45WrSc859m7jAyZYV8gI6GSohdv8zl8U=</HostId></Error>" host=dvc.rwe.aws.novartis.net method=POST operation=PutObject operation_id=UploadObject path="/api/v1/repositories/data42/branches/test-branch/objects?path=.%2F" request_id=aa3c2df7-e081-49fd-9c34-115cf8658ddf service_name=rest_api status_code=403 url="https://uniq-lakefs-dev.s3.amazonaws.com/data/gr9ggut0vq9r6bq9np20/cdtvl1d0vq9r6bq9np2g"
u
That is the only log.
u
Pretty much the same as the error the Python lakefs-client returned.
u
Right. First thing to verify is that lakeFS is indeed authenticated with the correct role. Can you try to create a new repository, on top of a bucket that doesn't have SSE enabled by default (and does not require it)?
u
I want to make sure that the problem is indeed related to encryption.
u
The S3 bucket policy also has the following:
u
{
    "Sid": "CCDenyUnEncryptedObjectUploads",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::uniq-lakefs-qa/*",
    "Condition": {
        "StringNotEquals": {
            "s3:x-amz-server-side-encryption": "aws:kms"
        }
    }
},
{
    "Sid": "CCDenyHttp",
    "Effect": "Deny",
    "Principal": "*",
    "Action": [
        "s3:GetObject",
        "s3:PutObject"
    ],
    "Resource": "arn:aws:s3:::uniq-lakefs-qa/*",
    "Condition": {
        "Bool": {
            "aws:SecureTransport": "false"
        }
    }
}
u
Just to make sure the file is encrypted and using HTTPS.
u
lakeFS uses HTTPS to load files to S3, right?
u
Yes
u
Let's first make sure it works on a bucket without any policy.
u
No, I cannot change the policy.
u
I mean, create a new bucket just for the experiment.
u
The bucket policy is automatically generated when creating an S3 bucket and I cannot change it.
u
I see. In that case please open an issue and I will try to reproduce the scenario tomorrow.
u
Great, I will do it tomorrow.
u