I have the following scenario, where I am trying to access S3 bucket contents using Access Points; however, I am getting an AccessDenied error.

1. Created S3 bucket my-test-bucket & access point my-test-ap with default policy & VPC id provided to restrict access over the internet.
2. SSH to the EC2 instance and run the command: aws s3 ls --Bucket my-test-bucket OR aws s3api list-objects --bucket my-test-bucket ; this lists all contents from the bucket.
3. aws s3api list-objects --bucket arn:aws:s3:us-east-1:my-account-id:accesspoint/my-test-ap gives me an AccessDenied message.

Access Point Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:us-east-1:my-account-id:accesspoint/my-test-ap",
            "Condition": {
                "StringEquals": {
                    "s3:AccessPointNetworkOrigin": "VPC"
                }
            }
        }
    ]
}
Not sure what is missing to get this working.
To reproduce your situation, I did the following:
Network origin = VPC
I then tried accessing the bucket with:
aws s3api list-objects-v2 --bucket arn:aws:s3:ap-southeast-2:1111:accesspoint/my-access-point
Result: AccessDenied
I then added a VPC Endpoint, since "Creating access points - Amazon Simple Storage Service" says:
To use an access point with a VPC, you must modify the access policy for your VPC endpoint. VPC endpoints allow traffic to flow from your VPC to Amazon S3. They have access-control policies that control how resources within the VPC are allowed to interact with S3. Requests from your VPC to S3 only succeed through an access point if the VPC endpoint policy grants access to both the access point and the underlying bucket.
I was then able to successfully access the bucket.
Therefore, it appears that a VPC Endpoint is required when accessing an S3 Access Point from a VPC.
An example is shown in: Managing Amazon S3 access with VPC endpoints and S3 Access Points | AWS Storage Blog
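The answer's key requirement is that the VPC endpoint policy must grant access to both the access point ARN and the underlying bucket. The following is an added example, not code from the thread or from AWS: a constructed endpoint policy that satisfies that requirement, a constructed bucket-only policy that does not, and a simplified checker (wildcard matching on Action and Resource, Deny overrides Allow, Conditions ignored) that a practitioner can run against their own endpoint policy JSON. Account id, bucket and access point names are placeholders.

```python
"""Simplified check that a VPC endpoint policy covers both the access point ARN and the bucket."""
import fnmatch

# Constructed example of a VPC endpoint policy that grants the access point
# AND the underlying bucket (plus its objects), as the quoted AWS doc requires.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [
                "arn:aws:s3:::my-test-bucket",
                "arn:aws:s3:::my-test-bucket/*",
                "arn:aws:s3:us-east-1:123456789012:accesspoint/my-test-ap",
                "arn:aws:s3:us-east-1:123456789012:accesspoint/my-test-ap/object/*",
            ],
        }
    ],
}

# Constructed counter-example: grants the bucket only, so requests via the access
# point ARN are denied at the endpoint even though the access point policy allows them.
BUCKET_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:*", "Resource": ["arn:aws:s3:::my-test-bucket", "arn:aws:s3:::my-test-bucket/*"]}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM-style wildcards ('*' and '?'); '*' also spans '/' as it does in IAM.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def endpoint_allows(policy, action, resource):
    """True if an Allow statement covers action+resource and no Deny does (Conditions ignored)."""
    allowed = denied = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]  # actions are case-insensitive
        if _matches(actions, action.lower()) and _matches(stmt.get("Resource", []), resource):
            if stmt["Effect"] == "Deny":
                denied = True
            else:
                allowed = True
    return allowed and not denied

def covers_access_point(policy, bucket_arn, access_point_arn, action="s3:ListBucket"):
    """The requirement quoted in the answer: both the access point and the bucket must be granted."""
    return endpoint_allows(policy, action, bucket_arn) and endpoint_allows(policy, action, access_point_arn)
```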