internal error accessing MRAP from assumed role


I am setting up an S3 multi-region access point following the tutorial (https://aws.amazon.com/getting-started/hands-on/getting-started-with-amazon-s3-multi-region-access-points/?ref=docs_gateway/amazons3/MultiRegionAccessPoints.html). I have the access point created with two buckets, and no policies on anything.

Using aws s3api list-objects-v2 --bucket arn:aws:s3::<account_id>:accesspoint/<mrap_id>.mrap I can list the bucket contents when I am using my AWS credentials with full AWS administrator access.

However, when I use other credentials where I have assumed a role with full administrator access, that same command fails with an internal error from the remote server. All other AWS APIs are working, so I believe the credentials and the role setup are all working. aws sts get-caller-identity completes as expected.

$ aws s3api list-objects-v2 --bucket arn:aws:s3::<account_id>:accesspoint/<mrap_id>.mrap

An error occurred (InternalError) when calling the ListObjectsV2 operation (reached max retries: 2): We encountered an internal error. Please try again.

With --debug it shows

2023-08-17 15:42:35,441 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): <mrap_id>.mrap.accesspoint.s3-global.amazonaws.com:443
2023-08-17 15:42:35,581 - MainThread - urllib3.connectionpool - DEBUG - https://<mrap_id>.mrap.accesspoint.s3-global.amazonaws.com:443 "GET /?list-type=2&encoding-type=url HTTP/1.1" 500 None
2023-08-17 15:42:35,582 - MainThread - botocore.parsers - DEBUG - Response headers: {'x-amz-request-id': 'EQCR0HKFWSEZHZSA', 'x-amz-id-2': 'laOL3jvJ01lzN7PeFMZ59KL7u8k/7DrVzP91tq+aRQAomhu5EfTTsW2Iq8KQv10FH12KWBzWpn4=', 'Content-Type': 'application/xml', 'Transfer-Encoding': 'chunked', 'Date': 'Thu, 17 Aug 2023 05:42:34 GMT', 'Server': 'AmazonS3', 'Connection': 'close'}
2023-08-17 15:42:35,582 - MainThread - botocore.parsers - DEBUG - Response body:
b'<?xml version="1.0" encoding="UTF-8"?>\n<Error><Code>InternalError</Code><Message>We encountered an internal error. Please try again.</Message><RequestId>EQCR0HKFWSEZHZSA</RequestId><HostId>laOL3jvJ01lzN7PeFMZ59KL7u8k/7DrVzP91tq+aRQAomhu5EfTTsW2Iq8KQv10FH12KWBzWpn4=</HostId></Error>'

I have the latest CLI version: aws-cli/2.13.10 Python/3.11.4 Linux/6.1.0-10-amd64 exe/x86_64.debian.12 prompt/off

Am I doing something wrong or is this a bug?

1 Answer
Accepted Answer

Hi,

Your issue seems related to some restrictions with MRAP described in https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.html

To use SigV4A with temporary security credentials, for example when using AWS Identity and Access Management (IAM) roles, make sure that you request the temporary credentials from a Regional endpoint in AWS Security Token Service (AWS STS), instead of a global endpoint. If you use the global endpoint for AWS STS (sts.amazonaws.com), AWS STS will generate temporary credentials from a global endpoint, which isn't supported by SigV4A. As a result, you'll get an error.
To resolve this issue, use any of the listed Regional endpoints for AWS STS.

Best,

Didier

AWS EXPERT
answered 9 months ago
  • Thanks, it works when I use a regional STS endpoint.
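The fix described in the answer, worked through in boto3 as an added example (not code from the question, the answer, or AWS): the role is assumed against an explicit Regional STS endpoint, and the resulting temporary credentials are then used for the same ListObjectsV2 call against the MRAP ARN. It assumes boto3 with the CRT extra installed (botocore[crt], which SigV4A signing for MRAP requires), and the role and MRAP identifiers are placeholders.

```python
"""Assume a role via a Regional STS endpoint, then list an S3 Multi-Region Access Point."""
from urllib.parse import urlparse

# Credentials issued by the global STS endpoint are not usable with SigV4A (MRAP requests).
GLOBAL_STS_HOST = "sts.amazonaws.com"


def regional_sts_endpoint(region: str) -> str:
    """Return the Regional STS endpoint URL for a Region, e.g. https://sts.us-east-1.amazonaws.com."""
    if not region or region == "aws-global":
        raise ValueError("a concrete Region is required; 'aws-global' maps to the global endpoint")
    return f"https://sts.{region}.amazonaws.com"


def is_global_sts_endpoint(endpoint_url: str) -> bool:
    """True when the URL points at the global STS endpoint, the case that produced the InternalError."""
    return urlparse(endpoint_url).hostname == GLOBAL_STS_HOST


def assume_role_regional(role_arn: str, session_name: str, region: str):
    """Assume role_arn against a Regional STS endpoint; return a boto3 Session holding the
    temporary credentials, which are valid for SigV4A-signed (MRAP) requests."""
    import boto3  # imported here so the pure helpers above run without boto3 installed

    endpoint = regional_sts_endpoint(region)
    assert not is_global_sts_endpoint(endpoint)  # guard against the failure mode from the question
    sts = boto3.client("sts", region_name=region, endpoint_url=endpoint)
    creds = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
        region_name=region,
    )


def list_mrap_objects(session, mrap_arn: str) -> list:
    """ListObjectsV2 against the MRAP ARN (the CLI call from the question); returns object keys."""
    s3 = session.client("s3")
    resp = s3.list_objects_v2(Bucket=mrap_arn)
    return [obj["Key"] for obj in resp.get("Contents", [])]


if __name__ == "__main__":
    # Placeholder identifiers (hypothetical); substitute your own account, role and MRAP alias.
    ROLE_ARN = "arn:aws:iam::<account_id>:role/<role_name>"
    MRAP_ARN = "arn:aws:s3::<account_id>:accesspoint/<mrap_id>.mrap"
    session = assume_role_regional(ROLE_ARN, "mrap-test", "us-east-1")
    print(list_mrap_objects(session, MRAP_ARN))
```

The equivalent for the CLI is to pass --endpoint-url with a Regional STS URL to aws sts assume-role (or set sts_regional_endpoints = regional in ~/.aws/config) before exporting the returned credentials.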
