Troubleshooting

Applies to Alation Cloud Service instances of Alation.

Metadata Extraction Failure After IP Whitelisting in AWS Policy

Problem

In the SAP ECC OCF connector, when you use Amazon S3 as the storage system for metadata extraction (MDE), extraction fails with the following error after you enforce IP whitelisting in the S3 bucket policy:

Unexpected error occurred while performing this operation.
Error: User: arn:aws:iam::<AccountId>:user/<userID> is not authorized to perform: s3:GetObject
on resource: "arn:aws:s3:::sec-sv-ap-southeast-2-alation/sap_test/T20250818-230807-Asset00001.json"
because no identity-based policy allows the s3:GetObject action
(Service: Amazon S3; Status Code: 403; Error Code: AccessDenied;
Request ID: <RequestId>;
S3 Extended Request ID: xxx=;
Proxy: null)

Cause

IP-based restrictions in the S3 bucket policy prevent Alation from accessing S3. Alation's cloud-native architecture reaches S3 through an Amazon S3 VPC Gateway Endpoint rather than through public NAT IP addresses. Requests that enter S3 through a gateway endpoint do not carry a public source address, so an aws:SourceIp condition that whitelists NAT IPs never matches them, and the bucket policy rejects the request unless the VPC endpoint is specifically allowed.

Solution

Do not restrict access to the Amazon S3 bucket to NAT IP addresses for Alation. Instead, allow access to the bucket from the VPC endpoint that Alation uses, identified by its VPC endpoint ID (the aws:SourceVpce condition key).

Use the following condition to apply the bucket policy for access using the VPC endpoint:

"Condition": {
  "StringEquals": {
    "aws:SourceVpce": "vpce-<vpcId>"
  }
}

Replace vpce-<vpcId> with the ID of the VPC endpoint that Alation uses to reach S3 in your environment. This is the endpoint ID (it begins with vpce-), not the ID of the VPC itself (which begins with vpc-).
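The following complete bucket policy is an added example that illustrates the condition above; it is not taken from the original page or from Alation's own documentation. The bucket name, prefix, account IDs, administrative role, and the list of S3 actions are placeholders and assumptions: the first statement grants the principal from the error message read access only when the request arrives through the VPC endpoint, and the optional second statement denies every other access path to the bucket except for an administrative role you name, so that you are not locked out of your own bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAlationThroughVpcEndpoint",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AccountId>:user/<userID>"
      },
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<BucketName>",
        "arn:aws:s3:::<BucketName>/<Prefix>/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:SourceVpce": "vpce-<vpcId>"
        }
      }
    },
    {
      "Sid": "DenyAccessOutsideVpcEndpointExceptAdmin",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::<BucketName>",
        "arn:aws:s3:::<BucketName>/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-<vpcId>"
        },
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::<YourAccountId>:role/<AdminRole>"
        }
      }
    }
  ]
}
```

Two points to check before applying it. First, the conditions inside the Deny statement are ANDed, so the deny only applies to requests that come from outside the endpoint and are not made by the administrative role; verify that the role ARN is the one you actually use, because a typo there locks every non-endpoint principal out (the bucket owner's root user can still remove the policy). Second, do not add an aws:SourceIp condition to the Allow statement alongside aws:SourceVpce: all conditions in a statement must match, and endpoint traffic has no public source address, so the original failure would return. Apply the policy with `aws s3api put-bucket-policy --bucket <BucketName> --policy file://policy.json`, confirm it with `aws s3api get-bucket-policy --bucket <BucketName>`, and then rerun metadata extraction.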

Note: If you remove the IP-based restriction from the policy, metadata extraction completes successfully. However, restricting access through the VPC endpoint is the recommended practice for environments that require controlled access.

For more information, see Controlling access from VPC endpoints with bucket policies in the AWS documentation.