S3 endpoint doesn't work

0

I have logged into my private EC2 from the public EC2 in my custom VPC.

I am not using a NAT Gateway, but an endpoint, to create and access the S3 bucket.

I am able to use "aws configure" on my private EC2, but when I try to create a bucket after a successful login it doesn't work:

aws s3 ls

aws s3 mb s3://helllloooohh

The above commands don't work.

I have configured the S3 endpoint in a proper way and assigned the private route table, but no luck creating or looking up buckets.

[screenshots attached]

Rish
asked 11 days ago, 113 views
23 Answers
1

Hello.

Have you reviewed the considerations listed in the documentation below?
https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#gateway-endpoint-considerations-s3

For example, are DNS resolution and DNS hostname enabled in the VPC?
If you do not enable this, name resolution will not be possible and you will not be able to access S3.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html#vpc-dns-updating

EXPERT
answered 11 days ago
EXPERT
reviewed 10 days ago
  • Enabling DNS didn't work; I am attaching screenshots

0
Accepted Answer

Hi, I gave this a bit more thought and I believe I know what's going on. You're not specifying a region to your AWS CLI commands, which means that any S3 command will first be directed to us-east-1 in order to find out what region the bucket is in. However, as you're in a private subnet with only access to the eu-west-1 S3 service via the VPC endpoint, this won't work.

Best practice when using S3 is to always specify the region to remove that dependency on us-east-1. So I believe if you set the region in "aws configure", or ran "aws s3 ls --region eu-west-1", it should work.

Steve

EXPERT
answered 7 days ago
AWS
EXPERT
reviewed 7 days ago
  • You are a genius
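A way to confirm the accepted answer's diagnosis before touching any network settings, as an added example that is not part of the thread: the script below works out which region the AWS CLI would use for an S3 call and tells you whether the request would go to the global endpoint in us-east-1 (unreachable through a gateway endpoint in another region) or to the regional endpoint. The `effective_region`, `s3_endpoint_host` and `check_s3_region` helpers, the sample config file and the profile name `s3-private` are all constructed for this example; the precedence it applies (`--region`, then `AWS_REGION`, then `AWS_DEFAULT_REGION`, then the profile's `region` key) is the CLI's documented order, and the global hostname for the no-region case assumes default CLI settings.

```shell
#!/bin/sh
# Added example, not from the thread: work out which region the AWS CLI will use for an
# S3 call, so you can tell whether "aws s3 ls" is about to be sent to the global endpoint
# (us-east-1) rather than the regional endpoint your gateway endpoint actually reaches.
# Precedence assumed here mirrors the CLI: --region, then AWS_REGION, then
# AWS_DEFAULT_REGION, then the profile's "region" key in the config file.

effective_region() {
    # $1: value of --region (may be empty)  $2: config file  $3: profile (default "default")
    cli_region=$1
    cfg=$2
    profile=${3:-default}
    if [ -n "$cli_region" ]; then echo "$cli_region"; return 0; fi
    if [ -n "${AWS_REGION:-}" ]; then echo "$AWS_REGION"; return 0; fi
    if [ -n "${AWS_DEFAULT_REGION:-}" ]; then echo "$AWS_DEFAULT_REGION"; return 0; fi
    # In ~/.aws/config the default profile's section is [default]; others are [profile NAME].
    if [ "$profile" = default ]; then hdr="[default]"; else hdr="[profile $profile]"; fi
    if [ -r "$cfg" ]; then
        awk -v hdr="$hdr" '
            /^[ \t]*\[/ { insec = ($0 == hdr); next }
            insec && /^[ \t]*region[ \t]*=/ {
                sub(/^[ \t]*region[ \t]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
            }' "$cfg"
    fi
    return 0
}

s3_endpoint_host() {
    # Hostname the CLI contacts for a bucket operation. With no region (or us-east-1) the
    # legacy global hostname is used (assumption: default CLI settings, i.e. no
    # us_east_1_regional_endpoint override); otherwise the regional hostname.
    if [ -z "$1" ] || [ "$1" = us-east-1 ]; then
        echo "s3.amazonaws.com"
    else
        echo "s3.$1.amazonaws.com"
    fi
}

check_s3_region() {
    # Returns 0 when a region is set (regional endpoint will be used), 1 otherwise.
    # $1: --region value  $2: config file  $3: profile
    region=$(effective_region "$1" "$2" "$3")
    host=$(s3_endpoint_host "$region")
    if [ -z "$region" ]; then
        echo "NO REGION: S3 calls go to $host in us-east-1; a gateway endpoint in another" \
             "region cannot serve them. Set the region in 'aws configure' or pass --region."
        return 1
    fi
    echo "OK: region=$region, S3 calls go to $host"
    return 0
}

# Constructed sample config standing in for ~/.aws/config on the private instance:
# the default profile has no region, a second profile does.
SAMPLE_CFG=$(mktemp)
printf '[default]\noutput = json\n\n[profile s3-private]\nregion = eu-west-1\n' > "$SAMPLE_CFG"
check_s3_region ""        "$SAMPLE_CFG" default    || true   # reproduces the thread's failure
check_s3_region ""        "$SAMPLE_CFG" s3-private || true   # region set in the profile
check_s3_region eu-west-1 "$SAMPLE_CFG" default    || true   # --region on the command line
rm -f "$SAMPLE_CFG"
```

On a real instance, point `check_s3_region` at `~/.aws/config` and the profile you use; a "NO REGION" result explains the symptom in the question without any packet ever leaving the subnet. Once a region is set, the regional S3 hostname resolves to addresses covered by the gateway endpoint's prefix list in the private route table, which is what keeps the traffic inside the VPC.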

0

Hello,

The security group associated with the private EC2 instance should allow outbound HTTPS (port 443) traffic, and make sure the route table has an associated route to a Gateway endpoint for S3.

Ensure that the IAM role attached to your private EC2 instance has the necessary permissions for S3 actions (s3:CreateBucket, etc.) and if you have set a policy on the VPC endpoint, ensure that it allows the necessary S3 actions.

For more information: https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html#create-gateway-endpoint-s3

EXPERT
answered 11 days ago
AWS
EXPERT
reviewed 11 days ago
  • Thanks Sivaraman,

    I tried but nothing worked

    My new answer has all photos

0

How are your network ACLs set for that subnet? Allowing all traffic or at least HTTPS outbound and ephemeral ports inbound?

EXPERT
answered 11 days ago
  • ACLs are default for both public and private instances; SGs have all traffic allowed for inbound and outbound

0

I tried everything but no luck:

  1. All traffic allowed from private instance
  2. Created IAM role and attached photo
  3. Route table for endpoint

Attached are the photos.

[screenshots attached]

Rish
answered 11 days ago
0

[screenshot]

Rish
answered 11 days ago
0

[screenshot]

Rish
answered 11 days ago
0

[screenshot]

Rish
answered 11 days ago
0

[screenshot]

Rish
answered 11 days ago
0

[screenshot]

Rish
answered 11 days ago
0

[screenshot]

Rish
answered 11 days ago
0

[screenshot]

Rish
answered 11 days ago
0

[screenshot]

Rish
answered 11 days ago
0

[screenshot]

Rish
answered 11 days ago
0

[screenshot]

Rish
answered 11 days ago
0

ACLs are default for both public and private instances; SGs have all traffic allowed for inbound and outbound

Rish
answered 10 days ago
0

[screenshot]

Rish
answered 10 days ago
0

[screenshot]

Rish
answered 10 days ago
0

[screenshot]

Rish
answered 10 days ago
0

As per the screenshots, ACLs don't have issues.

Security groups have all traffic allowed.

The endpoint has the correct route table and the private EC2 has a role for full S3 access.

Routing is fine too, but I cannot create and access S3.

Any help will be appreciated

Rish
answered 10 days ago
0

[screenshot]

Rish
answered 10 days ago
0

[screenshot]

Rish
answered 10 days ago
0

Thanks everyone for assisting me with this

Rish
answered 7 days ago