Reputation: 711
AWS CLI: aws s3 presign does not work for ap-east-1 (Hong Kong) region ("location constraint is incompatible for the region specific endpoint")
I keep on failing to use signed URLs for S3 objects residing in a bucket in the ap-east-1 (Hong Kong) AWS region.
Specifically, I first set the signature version to V4 (see https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version) like so:
aws configure set default.s3.signature_version s3v4
And then create a signed URL with this command:
aws s3 presign --region=ap-east-1 s3://<name of bucket in ap-east-1 region>/<object name>
When I test the resulting URL:
curl -i "https://<bucket name>.s3.amazonaws.com/<object name>?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=...%2Fap-east-1%2Fs3%2Faws4_request&X-Amz-Date=20190928T034534Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=..."
...I get an HTTP/400 response with the body set to:
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>IllegalLocationConstraintException</Code>
<Message>The ap-east-1 location constraint is incompatible for the region specific endpoint this request was sent to.
</Message>
<RequestId>...</RequestId>
<HostId>
Interestingly, when doing the same for an object in another bucket that resides in the us-west-2 (Oregon) AWS region, the resulting signed URL works fine.
Has anyone run into this problem? I don't quite know how to parse the error message, but I do wonder if I need to set the --endpoint-url configuration setting and if so, to what?
Ideas anyone?
Thanks, Soeren
Upvotes: 2
Views: 8078
Answers (1)
Reputation: 2257
You need to set the addressing style in your CLI configuration for this to work. See AWS CLI S3 Configuration documentation for details.
Set of steps:
aws configure set default.s3.addressing_style virtual
aws s3 presign s3://<bucket-in-ap-east-1>/<object_key> --region ap-east-1
Equivalent code in Python
import boto3
def generate_presigned_url(bucket_region, bucket_name, object_key, expiration):
s3_client = boto3.client('s3', region_name=bucket_region, config=boto3.session.Config(s3={'addressing_style': 'virtual'}, signature_version='s3v4'))
response = s3_client.generate_presigned_url('get_object', Params={'Bucket': bucket_name, 'Key': object_key}, ExpiresIn=expiration)
return response
Usage
generate_presigned_url('ap-east-1', bucket_name, object_name, expiration)
Sample output
Upvotes: 4
Related Questions
- InvalidLocationConstraint error while creating S3 bucket when the used command is
- AWS Java SDK - Unable to find a region via the region provider chain
- Provided region_name 'US East (Ohio) us-east-2' doesn't match a supported format
- AWS S3 - how to enable regional endpoints for regions other than us-east-1?
- AWS JAVA SDK error "The bucket is in this region: us-east-1. Please use this region to"
- Unable to find a region via the region provider chain error when getting AmazonS3
- CloudFormation StackSet S3 Error: the region 'us-east-1' is wrong; expecting 'ap-southeast-1'
- Setting AWS S3 Region
- Cannot create Amazon S3 Bucket in specified region
- Amazon S3 - set Region to EU using Java AWS SDK