Loading

AccessDenied Error When Using S3 Bucket Policies with Tableau Cloud IP Ranges

Date de publication: Mar 19, 2025
Description

When managing access to Amazon S3 buckets through bucket policies, the following error may still occur when attempting to access the bucket, even after allowing the necessary actions and the current IP address ranges of Tableau Cloud.

 

AccessDenied
User: {user} is not authorized to perform: s3:ListBucket on resource: {resource} because no identity-based policy allows the s3:ListBucket action

 

Résolution

If the region of external services accessed via the S3 Connector is the same as the Tableau Cloud Pod region, Tableau Cloud uses Amazon Virtual Private Cloud (Amazon VPC) endpoints to establish a private connection to these external services. In this scenario, customers should use a VPC endpoint instead of relying on IP source addresses to secure the external services shared with Tableau Cloud.

 

Tableau Cloud Hyperforce Region Name | Pod | VPC Endpoint ID

    • us-east-1 | us-east-1 | vpce-0ea40e596e16259d1
    • us-east-1 | prod-useast-a | vpce-0ea40e596e16259d1
    • us-east-1 | prod-useast-b | vpce-0ea40e596e16259d1
    • eu-central-1 | dub01 | vpce-091ff41bc3686e6e8
    • eu-central-1 | ew1a | vpce-091ff41bc3686e6e8
    • ap-southeast-2 | prod-apsoutheast-a | vpce-071ca855ea8cc1154
    • us-west-2 | 10ay | vpce-090a7c76e361d5013
    • us-west-2 | us-west-2 | vpce-090a7c76e361d5013
    • us-west-2 | uw2b | vpce-090a7c76e361d5013
    • ca-central-1 | prod-ca-a | vpce-0fd4bd6f2f928fcf7
    • ap-northeast-1 | prod-northeast-a | vpce-045516807606e4738
    • eu-west-2 | prod-uk-a | vpce-0101caa470966f49d
Ressources supplémentaires

For Amazon S3 buckets, customers can enable CloudTrail event logging, identify the above Amazon VPC endpoints (vpcEndpointId), and then update the bucket policy to grant the necessary permissions for those VPC endpoints to access the S3 buckets. For more information, please refer to the third-party links below*:

 

Note: Tableau Cloud also uses VPC endpoint via the Snowflake Connector when the "Protecting internal stages on AWS" setting is enabled in the Snowflake instance. For more details, refer to Snowflake's Protecting internal stages on AWS*.

 

*Although we make every effort to ensure links to external websites are accurate, up to date, and relevant, Tableau cannot take responsibility for the accuracy or freshness of pages maintained by external providers. Contact the external site for answers to questions regarding its content.

Numéro d’article de la base de connaissances

004461877

 
Chargement
Salesforce Help | Article