Hi,
I would suggest that you analyze the CloudTrail activity logs in the outcast regions to see the exact requests sent to S3 in those regions. When you compare them with the same logs in working regions, you may find the root cause of your problem.
Such CloudTrail analysis has helped me in similar situations where my code was behaving differently in different regions.
Didier
Thank you Didier. I'll check CloudTrail to see if I can find anything there.
UPDATE - I was able to pinpoint an error message in CloudTrail for one of the buckets that my script just kind of passed over, but I wasn't able to find the exact error in CloudTrail for other buckets in the "outcast" regions. I was however able to coax an error message on those buckets using the AWS cli. When performing a simple "get-bucket-policy" request on a bucket in me-south-1, the AWS cli returned the following error: "An error occurred (IllegalLocationConstraintException) when calling the GetBucketPolicy operation: The me-south-1 location constraint is incompatible for the region specific endpoint this request was sent to." I do use the shell environment variable "AWS_DEFAULT_REGION" which I change depending on which AWS region I am running the script in, but because S3 buckets are considered a "Global" resource, a default region "shouldn't" really matter. But apparently it does in some regions. When re-running the AWS cli "get-bucket-policy" with the --region option set to me-south-1, the command returned the data with no problems. So, lesson learned... some of the AWS regions do indeed require API calls to have the region specified in the call.
Reference on types of endpoints: https://docs.aws.amazon.com/general/latest/gr/rande.html
Hi Jeff.
Can you confirm the bucket policies for buckets in those regions allow access/tagging to your credentials?
Thanks for the suggestion, Jose. I'll check the policies.
I found one of the buckets was created by one of our teams as a "test" bucket and had a very restrictive policy applied to it. I'll take a look at my boto3 S3 error handling to see why it didn't surface the "access denied" error. Thanks again!
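
The two findings in this thread (the region-specific endpoint requirement and the "access denied" error that was never surfaced) can be covered by one audit loop. The sketch below is an added example, not the poster's script: it resolves each bucket's home region, calls GetBucketPolicy through a client pinned to that region, and records the S3 error code per bucket instead of skipping it. `client_factory`, `audit_policies` and the other function names are hypothetical, and it assumes GetBucketLocation succeeds through the `lookup_region` endpoint.

```python
# Added example. client_factory is a hypothetical hook; with boto3 installed, pass
#   lambda region: boto3.client("s3", region_name=region)


def bucket_region(client, bucket):
    """Resolve a bucket's home region via GetBucketLocation.

    S3 reports None for us-east-1 and "EU" for legacy eu-west-1 buckets.
    """
    loc = client.get_bucket_location(Bucket=bucket).get("LocationConstraint")
    return {None: "us-east-1", "EU": "eu-west-1"}.get(loc, loc)


def service_error_code(exc):
    """Return the S3 error code carried by a botocore ClientError, else None."""
    return getattr(exc, "response", {}).get("Error", {}).get("Code")


def audit_policies(buckets, client_factory, lookup_region="us-east-1"):
    """Map bucket -> (region, status, policy) without hiding per-bucket errors."""
    clients = {lookup_region: client_factory(lookup_region)}
    results = {}
    for bucket in buckets:
        region = None
        try:
            region = bucket_region(clients[lookup_region], bucket)
            if region not in clients:
                # One client per region, so every call uses the matching endpoint.
                clients[region] = client_factory(region)
            policy = clients[region].get_bucket_policy(Bucket=bucket)["Policy"]
            results[bucket] = (region, "OK", policy)
        except Exception as exc:
            code = service_error_code(exc)
            if code is None:
                raise  # not a service error (network, bug): do not swallow it
            # AccessDenied, NoSuchBucketPolicy, IllegalLocationConstraintException, ...
            results[bucket] = (region, code, None)
    return results
```

A `NoSuchBucketPolicy` status means the bucket simply has no policy, while `AccessDenied` points at a restrictive bucket policy or missing IAM permission and should be reported rather than passed over.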