
I have a service that generates a pre-signed URL for S3 objects accessible via the internet.

I am trying to figure out how to generate a similar pre-signed URL while using a VPC endpoint to the bucket/object to limit the traffic to only that endpoint's local network.

How can this be done?

I can access from CLI, but cannot get the pre-signed URL for an object to work (over the VPC endpoint)...

aws s3 --region us-west-2 --endpoint-url https://bucket.vpce-xxxxxxxxx-xxxxxxx.s3.us-west-2.vpce.amazonaws.com ls s3://bucket_name/

The above works, so the VPC endpoint is functioning. How do I need to create the pre-signed URL to utilize it and not the public internet networking?

So, let's say the pre-signed URL is: https://tl-vpc-endpoint-test.s3.us-west-2.amazonaws.com/test1.zip?.....

What does it need to be to utilize the VPC endpoint?

Alex
  • Same as a regular S3 presigned URL. Sadly your question is not clear. What exactly did you try? Why didn't it work? Any errors? – Marcin Mar 09 '22 at 23:59
  • Is the URL based on the endpoint or the original https://s3.region.amazonaws.com/... ? How is the routing enforced to the endpoint? – Alex Mar 10 '22 at 01:27
  • The endpoint automatically catches the S3 URL. Please try and see how it goes. If you have issues, please make a new question with your endpoint and test details. – Marcin Mar 10 '22 at 01:29
  • I keep getting: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method. I don't understand how the routing is supposed to work to the LAN IP when .s3.us-west-2.amazonaws.com resolves to a public IP... – Alex Mar 10 '22 at 02:04
  • I assume I need to replace the hostname in the pre-signed URL with the endpoint, no? – Alex Mar 10 '22 at 02:06
  • Added some additional details above to avoid the line wrapping. Thank you for the help. – Alex Mar 10 '22 at 02:19

1 Answer


You can generate your VPC endpoint presigned URL like this:

aws s3 --endpoint-url https://bucket.vpce-xxxxxxxxx-xxxxxxx.s3.us-west-2.vpce.amazonaws.com presign s3://awsexamplebucket/test2.txt

Then you will get something like this:

https://bucket.vpce-xxxxxxxxx-xxxxxxx.s3.us-west-2.vpce.amazonaws.com/awsexamplebucket/test2.txt?.......

Welkin Fan
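An added example, not from the question or the answer above, showing why the URL must be presigned for the VPC endpoint hostname from the start rather than rewritten afterwards: a minimal SigV4 query-string presigner for an S3 GET, standard library only, in which the Host header is part of the canonical request, so swapping the hostname of an already-signed URL is exactly what produces SignatureDoesNotMatch. The access key, secret key, VPC endpoint name and bucket are constructed dummies.

```python
import datetime, hashlib, hmac, urllib.parse

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _signature(secret_key, host, path, query_pairs, amz_date, region):
    """SigV4 signature over method, path, query string and the host header (UNSIGNED-PAYLOAD for GET)."""
    date, scope = amz_date[:8], f"{amz_date[:8]}/{region}/s3/aws4_request"
    canonical_query = urllib.parse.urlencode(sorted(query_pairs), quote_via=urllib.parse.quote)
    canonical_request = "\n".join(["GET", path, canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k = _hmac(("AWS4" + secret_key).encode(), date)      # derive the signing key: date, region, service
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    return hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest(), canonical_query

def presign_get(access_key, secret_key, host, path, region, expires=3600, now=None):
    """Presigned GET for `host`: the regional S3 name or the bucket VPC endpoint DNS name."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = [("X-Amz-Algorithm", "AWS4-HMAC-SHA256"),
              ("X-Amz-Credential", f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request"),
              ("X-Amz-Date", amz_date), ("X-Amz-Expires", str(expires)), ("X-Amz-SignedHeaders", "host")]
    sig, canonical_query = _signature(secret_key, host, path, params, amz_date, region)
    return f"https://{host}{path}?{canonical_query}&X-Amz-Signature={sig}"

def signature_matches(url, secret_key):
    """Recompute the signature for the URL exactly as presented, host taken from the URL itself."""
    u = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(u.query, keep_blank_values=True)
    q = dict(pairs)
    unsigned = [p for p in pairs if p[0] != "X-Amz-Signature"]
    region = q["X-Amz-Credential"].split("/")[2]
    sig, _ = _signature(secret_key, u.netloc, u.path, unsigned, q["X-Amz-Date"], region)
    return hmac.compare_digest(sig, q["X-Amz-Signature"])

def swap_host(url, new_host):
    """Replace only the hostname of an already-signed URL (the rewrite attempted in the comments)."""
    u = urllib.parse.urlsplit(url)
    return urllib.parse.urlunsplit((u.scheme, new_host, u.path, u.query, u.fragment))

# Constructed dummy values; the VPC endpoint name follows the bucket.vpce-...vpce.amazonaws.com pattern.
VPCE_HOST = "bucket.vpce-0123456789abcdef0-abcd1234.s3.us-west-2.vpce.amazonaws.com"
PUBLIC_HOST = "awsexamplebucket.s3.us-west-2.amazonaws.com"

if __name__ == "__main__":
    url = presign_get("AKIAEXAMPLEKEY", "dummysecret", VPCE_HOST, "/awsexamplebucket/test2.txt", "us-west-2")
    print(url)
    print("signed for vpce host:", signature_matches(url, "dummysecret"))
    print("after host swap:", signature_matches(swap_host(url, PUBLIC_HOST), "dummysecret"))
```

Signing directly for the VPC endpoint name is what `aws s3 presign --endpoint-url ...` does; the real service additionally enforces the expiry and the bucket policy, which this offline check does not model.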