Hello.
Have you reviewed the considerations listed in the documentation below?
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#gateway-endpoint-considerations-s3
For example, are DNS resolution and DNS hostnames enabled in the VPC?
If these are not enabled, name resolution will not be possible and you will not be able to access S3.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-updating
Hi, I gave this a bit more thought and I believe I know what's going on. You're not specifying a region to your AWS CLI commands, which means that any S3 command will first be directed to us-east-1 in order to find out what region the bucket is in. However, as you're in a private subnet with only access to the eu-west-1 S3 service via the VPC endpoint, this won't work.
Best practice when using S3 is to always specify the region to remove that dependency on us-east-1. So I believe if you set the region in "aws configure", or ran "aws s3 ls --region eu-west-1", it should work.
Steve
You are a genius
Hello,
The security group associated with the private EC2 instance should allow outbound HTTPS (port 443) traffic, and make sure the route table has an associated route to a Gateway endpoint for S3.
Ensure that the IAM role attached to your private EC2 instance has the necessary permissions for S3 actions (s3:CreateBucket, etc.), and if you have set a policy on the VPC endpoint, ensure that it allows the necessary S3 actions.
For more information: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#create-gateway-endpoint-s3
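The prerequisites raised across the answers above (VPC DNS attributes, the endpoint route in the subnet's route table, security-group egress on 443, and an explicit region) gathered into one pre-flight check. This is an added example, not code from the thread; the IDs and JSON samples are constructed to mirror the shape of the AWS CLI's `describe-vpc-attribute`, `describe-route-tables` and `describe-security-groups` output rather than taken from a real account.

```python
# Added example (not from the thread): pre-flight check for the S3 gateway-endpoint
# prerequisites discussed above. Inputs are constructed to mirror the CLI's JSON shape.

def check_s3_gateway_access(vpc_attrs, route_table, sg_egress, region):
    """Return a list of findings; an empty list means every prerequisite looks satisfied."""
    findings = []
    # 1. Both VPC DNS attributes must be enabled or S3 hostnames will not resolve.
    for attr in ("EnableDnsSupport", "EnableDnsHostnames"):
        if not vpc_attrs.get(attr, {}).get("Value"):
            findings.append(f"VPC attribute {attr} is false")
    # 2. The private subnet's route table needs an active route to the S3 prefix list
    #    (pl-...) whose target is the gateway endpoint (vpce-...).
    if not any(r.get("DestinationPrefixListId", "").startswith("pl-")
               and r.get("GatewayId", "").startswith("vpce-")
               and r.get("State") == "active"
               for r in route_table.get("Routes", [])):
        findings.append("no active route to an S3 prefix list via a vpce-* gateway endpoint")
    # 3. The instance security group must allow outbound HTTPS (TCP 443).
    if not any(rule.get("IpProtocol") == "-1"
               or (rule.get("IpProtocol") == "tcp"
                   and rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 0))
               for rule in sg_egress):
        findings.append("security group egress does not allow TCP 443")
    # 4. Without a region the CLI first asks us-east-1 where the bucket lives, and that
    #    request cannot leave a private subnet whose only S3 path is the eu-west-1 endpoint.
    if not region:
        findings.append("no region configured; set it in 'aws configure' or pass --region")
    return findings

# Constructed sample data (hypothetical IDs) shaped like the CLI's JSON output.
VPC_ATTRS = {"EnableDnsSupport": {"Value": True}, "EnableDnsHostnames": {"Value": True}}
ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationPrefixListId": "pl-0123456789abcdef0",
     "GatewayId": "vpce-0123456789abcdef0", "State": "active"},
]}
SG_EGRESS = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

if __name__ == "__main__":
    for region in ("eu-west-1", None):  # second run reproduces the missing-region case
        print(region, check_s3_gateway_access(VPC_ATTRS, ROUTE_TABLE, SG_EGRESS, region) or "OK")
```

Feed it the real JSON from the three `aws ec2 describe-*` commands for the private subnet to see which of the four prerequisites is actually missing.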
Thanks Sivaraman,
I tried but nothing worked
My new answer has all photos
How are your network ACLs set for that subnet? Allowing all traffic or at least HTTPS outbound and ephemeral ports inbound?
ACLs are default for both public and private instances; SGs have all traffic allowed for inbound and outbound.
I tried everything but no luck
- All traffic allowed from private instance
- Created IAM role and attached photo
- Route table for endpoint
Attached are the photos
ACLs are default for both public and private instances; SGs have all traffic allowed for inbound and outbound.
As per the screenshots, ACLs don't have issues.
Security groups have all traffic allowed
Endpoint has correct route table and private EC2 has role for full s3 access
Routing is fine too, but I cannot create and access S3.
Any help will be appreciated
Enabling DNS didn't work; I am attaching screenshots