https://community.cloudera.com/t5/Support-Questions/Access-S3-Bucket-from-Spark/m-p/230235#M192085 <P> S3A actually has an extra option to let you set per-bucket jceks files, fs.s3a.security.credential.provider.path This takes the same values as the normal one, but lets you take advantage of the per-bucket config feature of s3a, where every bucket-specific option of fs.s3a.bucket.* is remapped to fs.s3a.* before the bucket is set up.</P><P> you should be able to add a reference to it likes so</P><P> spark.hadoop.fs.s3a.bucket.b.security.credential.provider.path hdfs:///something.jceks</P><P> Hopefully this helps. One challenge we always have with the authentication work is that we can't log it at the detail we'd like, because that would leak secrets too easily...so even when logging at debug, not enough information gets printed. Sorry</P><P> see also: <A href="https://hortonworks.github.io/hdp-aws/s3-security/index.html">https://hortonworks.github.io/hdp-aws/s3-security/index.html</A></P><P> Oh, one more thing. spark-submit copies your local AWS_ environment variables over to the fs.s3a.secret,key and fs.s3a.access.key values. Try unsetting them before you submit work and see if that makes a difference</P> Mon, 11 Sep 2017 17:32:28 GMT stevel 2017-09-11T17:32:28Z