Why is my S3 File Gateway file share stuck in the CREATING, UPDATING, or DELETING state?
My AWS Storage Gateway Amazon S3 file share is stuck in the CREATING, UPDATING, or DELETING state.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
The file share status summarizes the health of the file share. There are several reasons why an AWS Storage Gateway file share might be stuck in the CREATING, UPDATING, or DELETING state.
Confirm that the AWS Storage Gateway service has permissions to assume the IAM role associated with the file share
One cause is that the AWS Identity and Access Management (IAM) role associated with the file share doesn't grant sufficient access. This IAM role must have permissions for the Amazon Simple Storage Service (Amazon S3) bucket. Also, the IAM role's trust policy must grant the AWS Storage Gateway service permissions to assume the role.
To confirm the IAM role permissions, complete the following steps:
- Open the IAM console.
- In the navigation pane, choose Roles.
- Choose the IAM role that's associated with your file share.
- Choose the Trust relationships tab.
- Confirm that AWS Storage Gateway is listed as a trusted entity. If AWS Storage Gateway isn't a trusted entity, first choose Edit trust relationship. Then, add the following trust policy so that the AWS Storage Gateway service can assume the role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "storagegateway.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Note: To help prevent the cross-service confused deputy problem, use a trust relationship policy.
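The check described above, as an added example that is not part of the AWS article: a Python function that audits a role's trust policy document (for example, the AssumeRolePolicyDocument returned by aws iam get-role) for the Storage Gateway service principal and for the aws:SourceAccount or aws:SourceArn condition keys used for confused deputy prevention. The account ID and gateway ARN in the scoped policy are constructed placeholders.

```python
import json

SERVICE = "storagegateway.amazonaws.com"
SCOPING_KEYS = {"aws:sourceaccount", "aws:sourcearn"}  # condition keys are case-insensitive

# The article's trust policy, plus a scoped variant with constructed placeholder values.
PAGE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{"Sid": "",
  "Effect": "Allow", "Principal": {"Service": "storagegateway.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}""")
SCOPED_POLICY = json.loads(json.dumps(PAGE_POLICY))  # deep copy
SCOPED_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {"aws:SourceAccount": "111122223333"},
    "ArnLike": {"aws:SourceArn":
                "arn:aws:storagegateway:us-east-1:111122223333:gateway/sgw-EXAMPLE"},
}

def as_list(value):
    """IAM accepts a single value or a list in most policy fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy):
    """Return (service_can_assume, findings) for a role trust policy dict.
    Simplification: explicit Deny statements are not evaluated."""
    trusted, findings = False, []
    for stmt in as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        services = as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = {a.lower() for a in as_list(stmt.get("Action"))}
        if (stmt.get("Effect") != "Allow" or SERVICE not in services
                or not actions & {"sts:assumerole", "sts:*", "*"}):
            continue
        trusted = True
        # Gather condition keys under every operator (StringEquals, ArnLike, ...).
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & SCOPING_KEYS:
            findings.append("statement lacks aws:SourceAccount/aws:SourceArn scoping")
    if not trusted:
        findings.append(SERVICE + " is not trusted for sts:AssumeRole")
    return trusted, findings

if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("scoped policy", SCOPED_POLICY)):
        print(name, audit_trust_policy(doc))
```

The article's policy passes the trust check but is reported as unscoped; the scoped variant returns no findings.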
Prevent a file share stuck in the CREATING or UPDATING states because of AWS STS deactivation
To avoid a file share stuck in the CREATING or UPDATING states, create a file share with sufficient access. Then, verify that AWS Security Token Service (AWS STS) is turned on.
Complete the following steps:
- Open the IAM console.
- In the navigation pane, choose Account settings.
- In Security Token Services Regions, verify that the AWS Region Status is Active for the location where you want to create the file share.
Verify that the Amazon S3 bucket exists and that the bucket name follows the naming rules
Complete the following steps:
- Open the Amazon S3 console.
- Confirm that the S3 bucket that you mapped your file share to exists. If the bucket doesn't exist, then create the bucket. After you create the bucket, the file share status changes to AVAILABLE. For more information, see Create your first S3 bucket.
- Make sure that your bucket name complies with the bucket naming rules in Amazon S3.
Note: S3 File Gateway doesn't support Amazon S3 buckets with periods (.) in the bucket name when you create the bucket in the Amazon S3 console. To create a bucket name that includes a period (.), use the AWS CLI.
Delete a file share stuck in the DELETING state
When you make a file share create, update, or delete API call from AWS Storage Gateway, the AWS Storage Gateway assumes the role assigned to the share. Then the AWS Storage Gateway contacts Amazon S3 from the gateway to finish unfinished operations such as uploads and deletes, or to perform updates.
When you delete a file share from the file gateway, the share is removed from the associated Amazon S3 bucket. However, the data written to the file share isn't uploaded to the Amazon S3 bucket. If the data is uploading when the share is deleted, then the delete process completes after all the data is uploaded. During this process, the file share shows a DELETING status until after all the data has been uploaded.
Important: Check the Amazon CloudWatch AWS Storage Gateway metric CachePercentDirty.
If you don't want to wait for all in-progress uploads to finish writing to the S3 bucket, then complete the following steps:
- Open the AWS Storage Gateway console.
- In the navigation pane, choose File shares. Then, select the file share ID that you want to delete.
- Choose the Details tab, and then review the This file share is being deleted message.
- Verify the ID of the file share in the message. Then, select the confirmation box.
Note: You can't undo the force delete operation.
- Choose Force delete now.
Note: If you're using the new console, and the force delete option isn't available, then use the old console. Or you can use the delete-file-share command with force-delete set to true.
- Confirm that the Gateway isn't in an offline state. If the Gateway is offline, then first troubleshoot the offline Gateway.
- If the Gateway virtual machine (VM) is already deleted, then delete your gateway from the AWS Storage Gateway console to delete all relevant file shares. This includes file shares stuck in the DELETING state.
Prevent a file share stuck in the CREATING, UPDATING, or DELETING states because of network issues
The following network issues might cause your file share to get stuck in the CREATING, UPDATING, or DELETING state:
- Your Gateway is offline or the relevant Gateway VM is deleted.
- Access between AWS Storage Gateway and the Amazon S3 service endpoint is blocked by the network.
- You deleted the Amazon S3 virtual private cloud (VPC) endpoint that the gateway uses to communicate with Amazon S3.
- There's improper network routing and required ports aren't open.
AWS Storage Gateway configuration
Log in to the AWS Storage Gateway VM. The default username is admin and the password is password. Or log in to your Amazon Elastic Compute Cloud (EC2) gateway local console.
In the AWS Storage Gateway - Configuration main menu, enter the corresponding number to select Test S3 Connectivity.
To update the configuration, complete the following steps:
- Choose the Amazon S3 endpoint type. For Amazon S3 traffic that flows through an Internet Gateway, NAT Gateway, Transit Gateway, or Amazon S3 Gateway VPC endpoint, choose the relevant number for Public. For Amazon S3 traffic that flows through an Amazon S3 interface VPC endpoint, choose the relevant number for VPC (PrivateLink). For a FIPS endpoint, choose the relevant number.
- Enter the relevant bucket Amazon S3 Region.
- Enter the Amazon S3 VPC Endpoint DNS name. For example, vpce-0329c2790456f2d01-0at85l34.
After you enter the Amazon S3 Region and the Amazon S3 VPC Endpoint DNS name, AWS Storage Gateway automatically completes a connectivity test. The connectivity test results report on the NETWORK TEST and the SSL TEST. Usually, a Network Test fails because of an on-premises firewall, a security group port, or improper network routing. An SSL Test failure indicates that SSL inspection or deep packet inspection occurs between your Gateway VM and the Amazon S3 service endpoints. Based on the cause of your issue, resolve the network routing, or turn off SSL and deep packet inspection.
Confirm that the proxy server doesn't block network communication
In the AWS Storage Gateway - Configuration main menu, enter the corresponding number to select HTTP/SOCKS Proxy Configuration. Then, select the relevant number for View current network proxy configuration.
If there's a proxy configuration, first the Amazon S3 traffic flows from AWS Storage Gateway to the proxy server over port 3128. Then, it flows to the Amazon S3 endpoint over port 443. The proxy or firewall must allow traffic to and from the network ports and service endpoints required by AWS Storage Gateway. For more information, see Network and firewall requirements. Or, you can remove the proxy configuration and check whether the file share status changes.
Note: The proxy listener port 3128 might be different. The listener port depends on your configuration.
When the gateway is on Amazon EC2, confirm that the security group has the required ports (443) open to Amazon S3 endpoints. Also, confirm that the EC2 subnet's route table routes Amazon S3 traffic properly to Amazon S3 endpoints. If the gateway is on an on-premises VM, then confirm that the required firewall ports are open and that the local route tables route Amazon S3 traffic to Amazon S3 endpoints.
Make sure the Amazon S3 VPC endpoint that the gateway uses to communicate with Amazon S3 isn't deleted. If the Amazon S3 VPC endpoint is deleted, then the gateway fails to communicate with Amazon S3 when the gateway has no public IP.
Any time I use this service over the past few years I have issues deleting the fileshare and I've followed all the above instructions. Force delete also doesn't work, and the doc ends here with no further troubleshooting tips.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
