
Support S3 interface endpoints (AWS PrivateLink for Amazon S3) #11735

Closed
@cyberduck


068bb52 created the issue

S3 interface endpoints make it possible to connect to Amazon S3 using a private IP address:

I am unable to connect to Amazon S3 using the interface endpoint URL (e.g. vpce-0971cacd1f2xxxxxxxxx.s3.eu-west-1.vpce.amazonaws.com) as the server hostname. Cyberduck continuously tries to authenticate (I see thousands of packets in Wireshark) and fails a few minutes later. The issue comes from how Cyberduck generates the SigV4 signature, because it considers that "vpce" is the region (e.g. HTTP header Authorization is AWS4-HMAC-SHA256 Credential=AKIASFI36Y5VXXXXXXX/20210702/vpce/s3/aws4_request which fails).

I think that two things should be corrected in Cyberduck:

  • Fetch the region differently from the server endpoint URL
  • Consider S3 interface endpoint URL as "special URL" and use this URL only (don't use dualstack or North Virginia as the default region to list existing S3 buckets)

As a workaround, I was able to connect to an S3 interface endpoint by:

  • Resolving s3.eu-west-1.amazonaws.com to one of the private IP addresses of the interface endpoint (added an entry in the hosts file)
  • Applying the default parameters:
s3.bucket.virtualhost.disable=true
s3.endpoint.dualstack.enable=false
s3.endpoint.format.ipv4=s3.eu-west-1.amazonaws.com

However, it would be great if Cyberduck could natively support S3 interface endpoints, without all these tricks.
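The region mismatch reported above, as an added example that is not part of the original issue and not Cyberduck's code: it derives the SigV4 signing region from S3 hostnames, including interface endpoint names, and shows that a wrong region changes both the credential scope and the derived signing key. `naive_region` is a hypothetical stand-in for the reported behaviour, the hostname pattern is an assumption covering commercial-partition endpoints only, and the secret is constructed.

```python
import hashlib
import hmac
import re

# Region label in regional, dual-stack, legacy "s3-" and interface (vpce) hostnames.
S3_HOST = re.compile(
    r"(?:^|\.)s3[.-](?:dualstack\.)?(?P<region>[a-z]{2}(?:-[a-z]+)+-\d+)"
    r"(?:\.vpce)?\.amazonaws\.com$"
)

def naive_region(host: str) -> str:
    """Hypothetical stand-in for the reported behaviour: label before amazonaws.com."""
    return host.lower().rstrip(".").split(".")[-3]

def s3_region(host: str) -> str:
    """Return the signing region for an S3 hostname, or raise ValueError."""
    host = host.lower().rstrip(".")
    if host == "s3.amazonaws.com" or host.endswith(".s3.amazonaws.com"):
        return "us-east-1"  # the global endpoint signs as us-east-1
    match = S3_HOST.search(host)
    if match is None:
        raise ValueError(f"cannot derive an S3 region from {host!r}")
    return match.group("region")

def credential_scope(date: str, region: str) -> str:
    """Scope string that appears after the access key in the Credential field."""
    return f"{date}/{region}/s3/aws4_request"

def signing_key(secret: str, date: str, region: str) -> bytes:
    """SigV4 key derivation: each scope component is folded in with HMAC-SHA256."""
    key = ("AWS4" + secret).encode()
    for part in (date, region, "s3", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key

if __name__ == "__main__":
    host = "vpce-0971cacd1f2xxxxxxxxx.s3.eu-west-1.vpce.amazonaws.com"  # from the issue
    secret = "EXAMPLE-SECRET-NOT-A-REAL-KEY"  # constructed sample value
    for region in (naive_region(host), s3_region(host)):
        key = signing_key(secret, "20210702", region)
        print(credential_scope("20210702", region), key.hex()[:16])
```

Because the region is an input to the key derivation, a request signed with the `vpce` scope can never validate against a key the service derives for `eu-west-1`, which is consistent with the repeated authentication failures described in the issue.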
