[Cyberduck-trac] [Cyberduck] #11735: Unable to use S3 interface endpoints

Cyberduck trac at cyberduck.io
Sun Jul 18 21:50:38 UTC 2021


#11735: Unable to use S3 interface endpoints
---------------------+----------------------
 Reporter:  malaval  |         Owner:
     Type:  defect   |        Status:  new
 Priority:  normal   |     Milestone:
Component:  s3       |       Version:  7.9.2
 Severity:  normal   |    Resolution:
 Keywords:           |  Architecture:
 Platform:           |
---------------------+----------------------
Description changed by dkocher:

Old description:

> S3 interface endpoints make it possible to connect to Amazon S3 using a
> private IP address:
> https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html
>
> I am unable to connect to Amazon S3 using the interface endpoint URL
> (e.g. vpce-0971cacd1f2xxxxxxxxx.s3.eu-west-1.vpce.amazonaws.com) as the
> server hostname. Cyberduck continuously tries to authenticate (I see
> thousands of packets in Wireshark) and fails a few minutes later. The
> issue comes from how Cyberduck generates the SigV4 signature, because it
> considers that "vpce" is the region (e.g. HTTP header Authorization is
> "AWS4-HMAC-SHA256
> Credential=AKIASFI36Y5VXXXXXXX/20210702/vpce/s3/aws4_request" which
> fails).
>
> I think that two things should be corrected in Cyberduck:
> - Fetch the region differently from the server endpoint URL
> - Consider S3 interface endpoint URL as "special URL" and use this URL
> only (don't use dualstack or North Virginia as the default region to list
> existing S3 buckets)
>
> As a workaround, I was able to connect to an S3 interface endpoint by:
> - Resolving s3.eu-west-1.amazonaws.com to one of the private IP addresses
> of the interface endpoint (added an entry in the hosts file)
> - Applying the default parameters:
>
> {{{
> s3.bucket.virtualhost.disable=true
> s3.endpoint.dualstack.enable=false
> s3.endpoint.format.ipv4=s3.eu-west-1.amazonaws.com
> }}}
>
> However, it would be great if Cyberduck could natively support S3
> interface endpoints, without all these tricks.

New description:

 S3 interface endpoints make it possible to connect to Amazon S3 using a
 private IP address:
 https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html

 I am unable to connect to Amazon S3 using the interface endpoint URL (e.g.
 vpce-0971cacd1f2xxxxxxxxx.s3.eu-west-1.vpce.amazonaws.com) as the server
 hostname. Cyberduck continuously tries to authenticate (I see thousands of
 packets in Wireshark) and fails a few minutes later. The issue comes from
 how Cyberduck generates the SigV4 signature, because it considers that
 "vpce" is the region (e.g. HTTP header Authorization is `AWS4-HMAC-SHA256
 Credential=AKIASFI36Y5VXXXXXXX/20210702/vpce/s3/aws4_request` which
 fails).

 I think that two things should be corrected in Cyberduck:
 - Fetch the region differently from the server endpoint URL
 - Consider S3 interface endpoint URL as "special URL" and use this URL
 only (don't use dualstack or North Virginia as the default region to list
 existing S3 buckets)

 As a workaround, I was able to connect to an S3 interface endpoint by:
 - Resolving s3.eu-west-1.amazonaws.com to one of the private IP addresses
 of the interface endpoint (added an entry in the hosts file)
 - Applying the default parameters:

 {{{
 s3.bucket.virtualhost.disable=true
 s3.endpoint.dualstack.enable=false
 s3.endpoint.format.ipv4=s3.eu-west-1.amazonaws.com
 }}}


 However, it would be great if Cyberduck could natively support S3
 interface endpoints, without all these tricks.

--
Ticket URL: <https://trac.cyberduck.io/ticket/11735#comment:2>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows
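
The region mix-up described in the ticket, as an added example that is not part of the original message and is not Cyberduck's code: it shows how a "label before amazonaws.com" heuristic yields the `vpce` credential scope and how matching the interface endpoint shape first recovers `eu-west-1`. The hostname patterns, the function names and `naive_region` are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample host, taken from the ticket's redacted example.
VPCE_HOST = "vpce-0971cacd1f2xxxxxxxxx.s3.eu-west-1.vpce.amazonaws.com"

# Assumed hostname shapes (AWS public naming, not Cyberduck's parser):
#   [<prefix>.]vpce-<id>.s3.<region>.vpce.amazonaws.com   interface endpoint
#   [<bucket>.]s3.[dualstack.]<region>.amazonaws.com      regional endpoint
#   [<bucket>.]s3.amazonaws.com                           global endpoint
_VPCE = re.compile(r"^(?:.+\.)?vpce-[0-9a-z-]+\.s3\.([a-z0-9-]+)\.vpce\.amazonaws\.com$")
_REGIONAL = re.compile(r"^(?:.+\.)?s3\.(?:dualstack\.)?([a-z0-9-]+)\.amazonaws\.com$")
_GLOBAL = re.compile(r"^(?:.+\.)?s3\.amazonaws\.com$")


def naive_region(host):
    """Hypothetical heuristic: the label before 'amazonaws.com' is the region."""
    return host.lower().rstrip(".").split(".")[-3]


def region_from_endpoint(host, default="us-east-1"):
    """Return the SigV4 region for an S3 hostname, checking the VPCE shape first."""
    host = host.lower().rstrip(".")
    match = _VPCE.match(host)
    if match:
        return match.group(1)
    if _GLOBAL.match(host):
        return default
    match = _REGIONAL.match(host)
    if match:
        return match.group(1)
    raise ValueError(f"not a recognised S3 endpoint: {host}")


def credential_scope(date, region):
    """Scope string that appears in the Authorization header's Credential field."""
    return f"{date}/{region}/s3/aws4_request"


def signing_key(secret, date, region):
    """SigV4 key derivation: the region is an HMAC input, so a wrong region
    yields a different key and every signature made with it is rejected."""
    key = ("AWS4" + secret).encode()
    for part in (date, region, "s3", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key
```
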

