Second Brain: Crafted, Curated, Connected, Compounded on October 2, 21:00
ClickHouse Error When Accessing Public S3 Buckets, and the Fix

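This article analyzes the InvalidClientTokenId error that occurs when ClickHouse accesses a public S3 bucket, and provides a fix: adding the NOSIGN parameter to force anonymous access.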

# Problem

ClickHouse fails to read from public S3 buckets with the error:

```
InvalidClientTokenId: The security token included in the request is invalid
```

# Root Cause

ClickHouse automatically tries to use AWS credentials (from environment variables, IAM roles, etc.) even for public buckets. When these credentials are invalid or expired, the AWS SDK calls `sts:GetCallerIdentity` and fails.

# Solution

Force anonymous access by adding the `NOSIGN` parameter:

```sql
FROM s3(
    's3://bucket/path/file.csv.gz',
    NOSIGN,  -- Forces anonymous access
    'CSV'
)
```

# Rill Example

In your Rill model YAML, update the s3() function call:

```sql
# Before (fails with credential errors)
FROM s3(
    's3://noaa-ghcn-pds/csv.gz/by_year/2025.csv.gz',
    'CSV'
)

# After (works with public buckets)
FROM s3(
    's3://noaa-ghcn-pds/csv.gz/by_year/2025.csv.gz',
    NOSIGN,  -- Add this parameter
    'CSV'
)
```

Complete working example: GitHub - ClickHouse Rill Example

# When This Happens

- You have `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` set in the environment
  - having these set locally means it also works without `NOSIGN`
- Credentials are expired/invalid
- Accessing public S3 buckets that don't require authentication
- Working across different machines/environments with different AWS setups

# Quick Test

```bash
# Verify bucket is public
aws s3 ls s3://bucket-name/ --no-sign-request
```

Remember: Always use NOSIGN when accessing public S3 buckets in ClickHouse to avoid credential validation issues.
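One way to enforce this rule across model files, as an added example that is not part of the original note or of ClickHouse or Rill: a small Python check that finds `s3()` calls reading from buckets you have listed as public and reports those that lack `NOSIGN`. The names `PUBLIC_BUCKETS`, `split_args`, `find_missing_nosign` and the sample SQL are assumptions made for illustration.

```python
import re

# Assumption: buckets you have confirmed are public, e.g. with the
# --no-sign-request listing test. noaa-ghcn-pds is the page's example bucket.
PUBLIC_BUCKETS = {"noaa-ghcn-pds"}
S3_CALL = re.compile(r"\bs3\s*\(", re.IGNORECASE)
# Tokens: quoted string | -- line comment | paren or comma | other text | lone '-'
TOKEN = re.compile(r"'(?:\\.|''|[^'\\])*'|--[^\n]*|[(),]|[^'(),-]+|-")

def split_args(sql, pos):
    """Top-level arguments of a call whose opening '(' sits just before pos."""
    args, cur, depth = [], "", 1
    for tok in TOKEN.finditer(sql, pos):
        t = tok.group()
        if t.startswith("--"):               # SQL line comment: ignore
            continue
        depth += (t == "(") - (t == ")")
        if depth == 0:                       # closing paren of the s3() call
            break
        if t == "," and depth == 1:
            args.append(cur.strip())
            cur = ""
        else:
            cur += t
    return args + [cur.strip()]

def find_missing_nosign(sql):
    """(line, bucket) for each s3() read of a known-public bucket without NOSIGN."""
    findings = []
    for m in S3_CALL.finditer(sql):
        args = split_args(sql, m.end())
        url = re.match(r"'s3://([^/']+)", args[0])   # URL form used on the page
        anonymous = any(a.upper() == "NOSIGN" for a in args[1:])
        if url and url.group(1) in PUBLIC_BUCKETS and not anonymous:
            findings.append((sql.count("\n", 0, m.start()) + 1, url.group(1)))
    return findings

# Constructed sample: the page's before/after calls wrapped in SELECT statements.
SAMPLE = """SELECT * FROM s3('s3://noaa-ghcn-pds/csv.gz/by_year/2025.csv.gz', 'CSV');
SELECT * FROM s3(
    's3://noaa-ghcn-pds/csv.gz/by_year/2025.csv.gz',
    NOSIGN,  -- Add this parameter
    'CSV'
);
"""

if __name__ == "__main__":
    print(find_missing_nosign(SAMPLE))
```

The check matches only the `s3://bucket/...` URL form shown on this page and does not look inside comments or string literals for context, so treat a finding as a prompt to review the call.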


Origin: AWS S3
References:
Created 2025-09-05
