[Cyberduck-trac] [Cyberduck] #11735: Unable to use S3 interface endpoints
Cyberduck
trac at cyberduck.io
Sun Jul 18 21:50:38 UTC 2021
#11735: Unable to use S3 interface endpoints
---------------------+----------------------
Reporter: malaval | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: s3 | Version: 7.9.2
Severity: normal | Resolution:
Keywords: | Architecture:
Platform: |
---------------------+----------------------
Description changed by dkocher:
Old description:
> S3 interface endpoints enable connecting to Amazon S3 using a private IP
> address:
> https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html
>
> I am unable to connect to Amazon S3 using the interface endpoint URL
> (e.g. vpce-0971cacd1f2xxxxxxxxx.s3.eu-west-1.vpce.amazonaws.com) as the
> server hostname. Cyberduck continuously tries to authenticate (I see
> thousands of packets in Wireshark) and fails a few minutes later. The
> issue comes from how Cyberduck generates the SigV4 signature, because it
> considers that "vpce" is the region (e.g. HTTP header Authorization is
> "AWS4-HMAC-SHA256
> Credential=AKIASFI36Y5VXXXXXXX/20210702/vpce/s3/aws4_request" which
> fails).
>
> I think that two things should be corrected in Cyberduck:
> - Fetch the region differently from the server endpoint URL
> - Consider S3 interface endpoint URL as "special URL" and use this URL
> only (don't use dualstack or North Virginia as the default region to list
> existing S3 buckets)
>
> As a workaround, I was able to connect to an S3 interface endpoint by:
> - Resolving s3.eu-west-1.amazonaws.com to one of the private IP addresses
> of the interface endpoint (added an entry in the hosts file)
> - Applying the default parameters:
>
> {{{
> s3.bucket.virtualhost.disable=true
> s3.endpoint.dualstack.enable=false
> s3.endpoint.format.ipv4=s3.eu-west-1.amazonaws.com
> }}}
>
> However, it would be great if Cyberduck could natively support S3
> interface endpoints, without all these tricks.
New description:
S3 interface endpoints enable connecting to Amazon S3 using a private IP
address:
https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html

I am unable to connect to Amazon S3 using the interface endpoint URL (e.g.
vpce-0971cacd1f2xxxxxxxxx.s3.eu-west-1.vpce.amazonaws.com) as the server
hostname. Cyberduck continuously tries to authenticate (I see thousands of
packets in Wireshark) and fails a few minutes later. The issue comes from
how Cyberduck generates the SigV4 signature, because it considers that
"vpce" is the region (e.g. HTTP header Authorization is `AWS4-HMAC-SHA256
Credential=AKIASFI36Y5VXXXXXXX/20210702/vpce/s3/aws4_request` which
fails).

I think that two things should be corrected in Cyberduck:
- Fetch the region differently from the server endpoint URL
- Consider S3 interface endpoint URL as "special URL" and use this URL
only (don't use dualstack or North Virginia as the default region to list
existing S3 buckets)

As a workaround, I was able to connect to an S3 interface endpoint by:
- Resolving s3.eu-west-1.amazonaws.com to one of the private IP addresses
of the interface endpoint (added an entry in the hosts file)
- Applying the default parameters:

{{{
s3.bucket.virtualhost.disable=true
s3.endpoint.dualstack.enable=false
s3.endpoint.format.ipv4=s3.eu-west-1.amazonaws.com
}}}

However, it would be great if Cyberduck could natively support S3
interface endpoints, without all these tricks.
--
Ticket URL: <https://trac.cyberduck.io/ticket/11735#comment:2>
Cyberduck <https://cyberduck.io>
Libre FTP, SFTP, WebDAV, S3 & OpenStack Swift browser for Mac and Windows