By default, accessing S3 resources from any instance or Kubernetes pod within a VPC involves outbound traffic via NAT or IGW. Not only this is less efficient, it also incurs a service fee due to the traffic. The cost can be significant if traffic is huge.<\/p>\n\n\n\n
To keep the traffic within VPC, an S3 accesspoint for the specific S3 resources and a VPC endpoint can be created by following the general instruction<\/a>.<\/p>\n\n\n\n After that, double check the policies at two places.<\/p>\n\n\n\n Go to AWS Console<\/strong> \u2192 IAM <\/strong>\u2192 User<\/strong>. It is supposed to be a service account that has following policy attached<\/p>\n\n\n\n Go to AWS Console<\/strong> \u2192 VPC <\/strong>\u2192 Endpoints <\/strong>\u2192 the endpoint<\/strong> \u2192 Policy<\/strong><\/p>\n\n\n\n After all, run Follow the troubleshooting steps<\/a> if anything does not work.<\/p>\n\n\n\n Now we have both S3 access point and the VPC endpoint for S3 setup.<\/p>\n\n\n\n To access the S3 resource within VPC, instead of using Some 3rd party library built for AWS S3 might not recognize the S3 access point URL and throw exceptions like<\/p>\n\n\n\n1. Policy for IAM<\/h5>\n\n\n\n
{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VisualEditor0\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"s3:ReplicateObject\",\n \"s3:PutObject\",\n \"s3:GetObject\",\n \"s3:ListBucket\",\n \"s3:DeleteObject\"\n ],\n \"Resource\": \"*\"\n }\n ]\n}<\/code><\/pre>\n\n\n\nAs a security best practice, DO NOT grant
Allow<\/code> to all actions, i.e. \"Action\": [\"*\"]<\/code>.<\/pre>\n\n\n\n2. Policy for the endpoint<\/h5>\n\n\n\n
{\n \"Version\": \"2012-10-17\",\n \"Id\": \"Policy1637977229005\",\n \"Statement\": [\n {\n \"Sid\": \"Stmt1637977226759\",\n \"Effect\": \"Allow\",\n \"Principal\": \"*\",\n \"Action\": \"s3:*\",\n \"Resource\": \"*\"\n }\n ]\n}<\/code><\/pre>\n\n\n\nThis endpoint policy is less constrained than the policy for user, because want the policy for user to be more specific.<\/pre>\n\n\n\n
traceroute s3.ap-southeast-1.amazonaws.com<\/code> from any of the instances within the VPC to verify.<\/p>\n\n\n\n$ traceroute s3.ap-southeast-1.amazonaws.com\ntraceroute to s3.ap-southeast-1.amazonaws.com (52.219.129.42), 30 hops max, 60 byte packets\n 1 * * *\n 2 * * *\n 3 * * *\n ...\n28 * * *\n29 * * *\n30 * * *<\/pre>\n\n\n\n
$ traceroute s3.ap-southeast-1.amazonaws.com\ntraceroute to s3.ap-southeast-1.amazonaws.com (52.219.40.74), 30 hops max, 60 byte packets\n 1 ec2-175-41-128-191.ap-southeast-1.compute.amazonaws.com (175.41.128.191) 42.290 ms ec2-175-41-128-195.ap-southeast-1.compute.amazonaws.com (175.41.128.195) 3.103 ms ec2-18-141-171-23.ap-southeast-1.compute.amazonaws.com (18.141.171.23) 36.088 ms\n 2 100.65.32.176 (100.65.32.176) 1.149 ms 100.65.32.160 (100.65.32.160) 1.132 ms 100.65.33.144 (100.65.33.144) 4.671 ms\n 3 100.66.16.248 (100.66.16.248) 3.400 ms 100.66.16.26 (100.66.16.26) 8.787 ms 100.66.16.244 (100.66.16.244) 4.695 ms\n 4 100.66.19.122 (100.66.19.122) 3.511 ms 100.66.19.204 (100.66.19.204) 17.491 ms 100.66.18.104 (100.66.18.104) 18.193 ms\n 5 100.66.3.241 (100.66.3.241) 15.377 ms 100.66.3.137 (100.66.3.137) 154.101 ms 100.66.3.61 (100.66.3.61) 19.897 ms\n 6 100.66.0.135 (100.66.0.135) 10.907 ms 100.66.0.165 (100.66.0.165) 9.064 ms 100.66.0.201 (100.66.0.201) 11.826 ms\n 7 100.65.2.41 (100.65.2.41) 3.090 ms 100.65.3.41 (100.65.3.41) 2.821 ms 100.65.2.41 (100.65.2.41) 2.648 ms\n 8 s3-ap-southeast-1.amazonaws.com (52.219.40.74) 0.518 ms 0.569 ms 0.578 ms<\/pre>\n\n\n\n
Usage<\/h2>\n\n\n\n
s3:\/\/<bucket name><\/code> directly, use<\/p>\n\n\n\ns3:\/\/arn:aws:s3:ap-southeast-1:<account number>:accesspoint\/<bucket name><\/code><\/pre>\n\n\n\nCaused by: java.lang.NullPointerException: null uri host.\n at java.util.Objects.requireNonNull(Objects.java:228)\n at org.apache.hadoop.fs.s3native.S3xLoginHelper.buildFSURI(S3xLoginHelper.java:71)\n at org.apache.hadoop.fs.s3a.S3AFileSystem.setUri(S3AFileSystem.java:486)\n at org.apache.hadoop.fs.s3a.S3AFileSystem.initialize(S3AFileSystem.java:246)\n at org.apache.flink.fs.s3.common.AbstractS3FileSystemFactory.create(AbstractS3FileSystemFactory.java:123)\n ... 24 more<\/code><\/pre>\n\n\n\n