Missing reason for 403 (connecting to s3tables) #95

@tfglasswing

Description

INSTALL aws;
INSTALL httpfs;
INSTALL iceberg;

LOAD aws;
LOAD httpfs;
LOAD iceberg;

CREATE SECRET (
    TYPE s3,
    PROVIDER credential_chain
);

ATTACH 'arn:aws:s3tables:us-east-1:111111111111:bucket/<bucket name>/table/<table name>'
      AS s3_tables_db (
          TYPE iceberg,
          ENDPOINT_TYPE s3_tables
      );

results in:

Request to 's3tables.us-east-1.amazonaws.com/iceberg/v1/config?warehouse=<arn>' returned a non-200 status code (Forbidden_403), with reason:

.. no reason given.

call load_aws_credentials(redact_secret=False); shows my credentials correctly.

Also I am able to query a regular s3 bucket like so:

SELECT count(*) FROM read_parquet('s3://<s3 bucket>/some.parquet');

I also have access to my s3 table (using the aws cli). All these work:

aws s3tables list-table-buckets | jq
aws s3tables list-namespaces --table-bucket-arn "${S3_TABLE_ARN}"  | jq
aws s3tables list-tables --table-bucket-arn "${S3_TABLE_ARN}" | jq
aws s3tables get-table-bucket --table-bucket-arn "${S3_TABLE_ARN}" | jq
aws s3tables get-table --table-bucket-arn "${S3_TABLE_ARN}" --namespace "<namespace>"  --name <table name> | jq

In the end, I have no idea if this is really a permission issue or a configuration issue or some other issue elsewhere.

v.1.3.2 (in docker)
docker run --env AWS_ACCESS_KEY_ID --env AWS_SECRET_ACCESS_KEY --env AWS_SESSION_TOKEN --env AWS_DEFAULT_REGION --env AWS_REGION --rm --net host -it datacatering/duckdb:v1.3.2 -ui
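
A preflight for the ATTACH above, as an added example that is not part of the original issue and not DuckDB's own code. It assumes the S3 Tables Iceberg REST endpoint takes a table bucket ARN (`...:bucket/<name>`) as `warehouse`, as in the AWS documentation for that endpoint; the function names are hypothetical and the sample ARN is constructed.

```shell
# Added example, not from the issue. Function names are hypothetical and the
# ARN used in the demo call is a constructed sample value.

# Print "table-bucket", "table" or "invalid" for an S3 Tables ARN.
arn_kind() {
  case $1 in arn:aws*:s3tables:*:*:bucket/?*) ;; *) echo invalid; return ;; esac
  rest=${1#*:bucket/}                 # "<name>" or "<name>/table/<id>"
  case $rest in
    */table/*/*|*/*/table/*) echo invalid ;;
    ?*/table/?*) echo table ;;
    */*) echo invalid ;;
    *) echo table-bucket ;;
  esac
}

# Region field of the ARN (4th colon-separated field).
arn_region() { r=${1#arn:*:s3tables:}; echo "${r%%:*}"; }

# Table bucket ARN obtained by dropping a trailing "/table/<id>".
bucket_arn() { echo "${1%/table/*}"; }

# Return 0 when the warehouse ARN is a table bucket ARN whose region agrees
# with AWS_REGION (if set); otherwise print each finding and return 1.
preflight() {
  status=0
  case $(arn_kind "$1") in
    table-bucket) ;;
    table) echo "table ARN given; table bucket ARN is $(bucket_arn "$1")"; status=1 ;;
    *) echo "not an S3 Tables ARN: $1"; return 1 ;;
  esac
  region=$(arn_region "$1")
  if [ -n "${AWS_REGION:-}" ] && [ "$AWS_REGION" != "$region" ]; then
    echo "AWS_REGION=$AWS_REGION but the ARN is in $region"; status=1
  fi
  return "$status"
}

# Demo on a constructed ARN with the same shape as the one in the ATTACH above.
preflight 'arn:aws:s3tables:us-east-1:111111111111:bucket/example-bucket/table/example-table' || true
```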
