Cloudfront S3 MRAP

0

Hello All, I've been trying to set up a Multi-Region Access Point for S3.

The basic problem is that I have users in Asia that I'm trying to get better performance for. The simple part: I've created two buckets and put an HTML file in each of them, with a simple name of us-east-1 and ap-south-1.

Initially those were private access only, but for the purpose of getting anything working they are now public. They are set up in an MRAP which for now is not replicating.

I set up a CloudFront distribution and pointed it at the MRAP but only ever get errors.

https://corridor-ap-south-1.s3.ap-south-1.amazonaws.com/test/region-test/region.html - ap-south-1 html

https://corridor-cdn.s3.amazonaws.com/test/region-test/region.html - us-east-1 html

mrap alias: mbzcc59bo9dy4.mrap

mrap access point? https://mbzcc59bo9dy4.mrap.accesspoint.s3-global.amazonaws.com/test/region-test/region.html

The errors are: The authorization mechanism you have provided is not supported. Please use Signature Version 4.

I hope I'm wrong, but is there a ridiculously stupid world where I have to put a signature on my object request? This seems like it would be a complete waste of money to set up a Lambda to do this for all my object requests.

2 Answers
0

It sounds like you are encountering an authentication issue when accessing your multi-region access point. By default, Amazon S3 requires that requests are signed using Signature Version 4 (SigV4) to ensure that the request is authorized and secure.

When you access your S3 buckets through a multi-region access point, you need to include the region-specific endpoint in the request URL. The endpoint will be in the format https://<mrap-name>.s3-accesspoint.<region>.amazonaws.com. The <region> placeholder should be replaced with the region code where the access point is located (e.g., ap-south-1 or us-east-1 in your case).

To sign your requests with SigV4, you can use the AWS SDKs or the AWS CLI. The SDKs and CLI automatically sign the requests for you, so you don't need to write a separate Lambda function to do this.

To use the AWS CLI, you can configure your AWS credentials by running the aws configure command. Once your credentials are configured, you can use the aws s3 command to interact with your S3 buckets. For example, to list the contents of a bucket in a specific region through a multi-region access point, you can run the following command:

aws s3 ls s3://<mrap-name> --region <region> --endpoint-url https://<mrap-name>.s3-accesspoint.<region>.amazonaws.com

You can also use the SDKs to interact with S3 and sign your requests with SigV4. The specific steps for signing your requests will depend on the SDK you are using, but there are SDKs available for most programming languages.

By signing your requests with SigV4 and including the region-specific endpoint in the request URL, you should be able to access your multi-region access point without encountering the "authorization mechanism not supported" error.

Hope this helps.

AWS
answered a year ago
0

You cannot use a Multi-Region Access Point as the distribution origin for Amazon CloudFront. However, you can configure Multi-Region Access Points as a custom distribution origin with Amazon CloudFront. For more information, see Building an active-active, proximity-based application across multiple Regions on the AWS Storage Blog. https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.html

Multi-Region Access Points require SigV4A authentication and Amazon CloudFront does not support this currently when using the S3 Distribution Origin. Multi-Region Access Points also do not support unauthenticated (anonymous) access.

As a workaround, you can generate SigV4A authentication via a Lambda@Edge function.

You might also consider CloudFront Origin Failover, and this solution to perform Geo based routing.

AWS
answered a year ago
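
An added example, not code from this thread or from AWS, of the Lambda@Edge workaround mentioned in the answer above: an origin-request handler that signs GET/HEAD requests with botocore's SigV4A signer. It assumes the distribution's custom origin is already the MRAP hostname, that the awscrt package is bundled with the function, and that `MRAP_HOST` is a placeholder alias.

```python
"""Lambda@Edge origin-request handler: SigV4A-sign GET/HEAD requests to an S3 MRAP."""

# Assumption: placeholder alias; substitute your own Multi-Region Access Point alias.
MRAP_HOST = "EXAMPLE-ALIAS.mrap.accesspoint.s3-global.amazonaws.com"


def sign_sigv4a(method, url, headers):
    """Return the given headers plus SigV4A auth headers, valid in any Region ("*")."""
    # Lazy imports: botocore's SigV4A signer depends on awscrt, which has to be
    # bundled into the deployment package.
    from botocore.awsrequest import AWSRequest
    from botocore.crt.auth import CrtS3SigV4AsymAuth
    from botocore.session import Session

    credentials = Session().get_credentials()  # the function's execution role
    request = AWSRequest(method=method, url=url, headers=headers)
    CrtS3SigV4AsymAuth(credentials, "s3", "*").add_auth(request)
    return dict(request.headers.items())


def to_cloudfront_headers(headers):
    """Convert {"Name": "value"} into CloudFront's event header structure."""
    return {k.lower(): [{"key": k, "value": v}] for k, v in headers.items()}


def handler(event, context, signer=sign_sigv4a):
    request = event["Records"][0]["cf"]["request"]
    # Sign read requests only, so the edge role needs nothing beyond s3:GetObject.
    if request["method"] not in ("GET", "HEAD"):
        return {"status": "405", "statusDescription": "Method Not Allowed"}
    # Drop the query string: a plain object fetch needs none, and it keeps
    # viewer-supplied parameters out of the signed request.
    request["querystring"] = ""
    url = f"https://{MRAP_HOST}{request['uri']}"
    signed = signer(request["method"], url, {"Host": MRAP_HOST})
    # Overwrite Host and any viewer Authorization header with the signed values;
    # headers CloudFront itself added are left in place.
    request["headers"].update(to_cloudfront_headers(signed))
    return request
```

With requests signed at the edge, the buckets behind the access point no longer need to be public.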
