1 Answer
- Newest
- Most votes
- Most comments
1
You are loading data from another region, so the VPC gateway endpoint will not be used, the route table has a prefix list of IPs for S3 in Oregon. Your VPC needs to have an Internet Gateway and the route table associated with the Aurora subnets needs a '0.0.0.0/0' route to the IGW. See: Gateway endpoints .
Traffic that's destined for the service (Amazon S3 or DynamoDB) in a different Region goes to the internet gateway because prefix lists are specific to a Region.
Relevant content
- asked 2 years ago
- asked 2 years ago
asked 2 years ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
Hi,
Can you confirm what your IAM policy allows for this access? I would check both the S3 bucket policy and the role associated with your Aurora setup.
Thanks for your comment. The role associated with Aurora seems to have the right access. What would be the right S3 bucket policy?
{ "Version": "2012-10-17", "Id": "s3accesspolicy", "Statement": [ { "Sid": "VPC endpoint access to S3", "Principal": "", "Action": "s3:GetObject", "Effect": "Allow", "Resource": ["arn:aws:s3:::bucket","arn:aws:s3:::bucket/"], "Condition": { "StringEquals": { "aws:sourceVpce": "vpce-ID" } } } ] }
I am using a policy similar to this for the buckets, but still get the S3Stream error for buckets both within and outside the DB's region