Support S3 interface endpoints (AWSPrivateLink for Amazon S3) #11735
Comments
We already check the hostname using the regular expression
Existing documentation to disable the use of virtual host style requests in connection profile.
Regional DNS names include a unique VPC endpoint ID, a service identifier, the AWS Region, and vpce.amazonaws.com in its name. For example, for VPC endpoint ID vpce-1a2b3c4d, the DNS name generated might be similar to vpce-1a2b3c4d-5e6f.s3.us-east-1.vpce.amazonaws.com.
In 4ef31c5 with upstream fix. Please try the latest snapshot build with this connection profile.
Hello, Many thanks for the quick update! I tested with Access Key and Secret and it works. However I tried to create a mix profile with STS credentials and Private Link, and it does not work. The profile is:
It works when the server is Is that the expected behavior?
Replying to [comment:13 malaval]:
Thank you! I can't get the last release to work. With the latest snapshot build (35295), I tried both approaches and neither of them worked for me. What should the cyberduckprofile be to use STS credentials with VPC endpoints?
Or
Can you please attach the debug log output for the connection attempt. To enable debug logging open a Terminal.app window and enter
Log output can be found in the cyberduck.log file in ~/Library/Logs/Cyberduck. You can easily reach this file in Console.app (Open from /Applications/Utilities) under Reports → Log Reports → cyberduck.log.
S3 interface endpoints make it possible to connect to Amazon S3 using a private IP address:
I am unable to connect to Amazon S3 using the interface endpoint URL (e.g. vpce-0971cacd1f2xxxxxxxxx.s3.eu-west-1.vpce.amazonaws.com) as the server hostname. Cyberduck continuously tries to authenticate (I see thousands of packets in Wireshark) and fails a few minutes later. The issue comes from how Cyberduck generates the SigV4 signature, because it considers that "vpce" is the region (e.g. HTTP header Authorization is AWS4-HMAC-SHA256 Credential=AKIASFI36Y5VXXXXXXX/20210702/vpce/s3/aws4_request which fails).
I think that two things should be corrected in Cyberduck:
As a workaround, I was able to connect to an S3 interface endpoint by:
However, it would be great if Cyberduck could natively support S3 interface endpoints, without all these tricks.
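The region problem described in the report, as an added example that is not part of the original issue and is not Cyberduck's code: a hostname parser that handles the interface endpoint name format quoted above, plus the SigV4 key derivation to show why a scope of "vpce" cannot verify. The function names and the secret are constructed for illustration, and `naive_region` is only an assumed way to arrive at the "vpce" scope seen in the Authorization header.

```python
import hashlib
import hmac
import re

# Interface endpoint: [prefix.]vpce-<id>.s3.<region>.vpce.amazonaws.com
VPCE_HOST = re.compile(
    r"^(?:.+\.)?vpce-[0-9a-z-]+\.s3\.(?P<region>[a-z0-9-]+)\.vpce\.amazonaws\.com$")
# Public regional endpoint: [bucket.]s3.<region>.amazonaws.com (or legacy s3-<region>)
PUBLIC_HOST = re.compile(
    r"^(?:.+\.)?s3[.-](?P<region>[a-z0-9-]+)\.amazonaws\.com$")


def naive_region(host):
    """Illustrative only: the label just before amazonaws.com."""
    return host.lower().split(".")[-3]


def region_from_host(host, default="us-east-1"):
    """Region for the credential scope; `default` when the name carries none."""
    host = host.lower().rstrip(".")
    for pattern in (VPCE_HOST, PUBLIC_HOST):
        match = pattern.match(host)
        if match:
            return match.group("region")
    return default


def credential_scope(date, region, service="s3"):
    """Scope string that follows the access key in the Credential field."""
    return f"{date}/{region}/{service}/aws4_request"


def signing_key(secret, date, region, service="s3"):
    """SigV4 key derivation: HMAC chain over date, region, service, terminator."""
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


if __name__ == "__main__":
    host = "vpce-0971cacd1f2xxxxxxxxx.s3.eu-west-1.vpce.amazonaws.com"  # from the report
    secret = "CONSTRUCTED-EXAMPLE-SECRET"  # constructed, not a real key
    for region in (naive_region(host), region_from_host(host)):
        print(credential_scope("20210702", region),
              signing_key(secret, "20210702", region).hex()[:16])
```

Because the region is an input to the key derivation, a client that signs with "vpce" produces a different signing key than the one the service derives for eu-west-1, so every request is rejected no matter how often it is retried.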