Description
068bb52 created the issue
S3 interface endpoints make it possible to connect to Amazon S3 using a private IP address:
I am unable to connect to Amazon S3 using the interface endpoint URL (e.g. vpce-0971cacd1f2xxxxxxxxx.s3.eu-west-1.vpce.amazonaws.com) as the server hostname. Cyberduck continuously tries to authenticate (I see thousands of packets in Wireshark) and fails a few minutes later. The issue comes from how Cyberduck generates the SigV4 signature, because it considers that "vpce" is the region (e.g. HTTP header Authorization is AWS4-HMAC-SHA256 Credential=AKIASFI36Y5VXXXXXXX/20210702/vpce/s3/aws4_request which fails).
I think that two things should be corrected in Cyberduck:
- Fetch the region differently from the server endpoint URL
- Consider the S3 interface endpoint URL as a "special URL" and use this URL only (don't use dualstack or North Virginia as the default region to list existing S3 buckets)
As a workaround, I was able to connect to an S3 interface endpoint by:
- Resolving s3.eu-west-1.amazonaws.com to one of the private IP addresses of the interface endpoint (added an entry in the hosts file)
- Applying the default parameters:
s3.bucket.virtualhost.disable=true
s3.endpoint.dualstack.enable=false
s3.endpoint.format.ipv4=s3.eu-west-1.amazonaws.com
However, it would be great if Cyberduck could natively support S3 interface endpoints, without all these tricks.