Using Multi-Region Access Points with supported API operations
Amazon S3 provides a set of operations to manage Multi-Region Access Points. Amazon S3 processes some of these operations synchronously and some asynchronously. When you invoke an asynchronous operation, Amazon S3 first synchronously authorizes the requested operation. If authorization is successful, Amazon S3 returns a token that you can use to track the progress and results of the requested operation.
Note
Requests that are made through the Amazon S3 console are always synchronous. The console waits until the request is completed before allowing you to submit another request.
You can view the current status and results of asynchronous operations by using the
console, or you can use DescribeMultiRegionAccessPointOperation
in the Amazon CLI,
Amazon SDKs, or REST API. Amazon S3 provides a tracking token in the response to an asynchronous
operation. You include that tracking token as an argument to
DescribeMultiRegionAccessPointOperation
. When you include the tracking
token, Amazon S3 then returns the current status and results of the specified operation,
including any errors or relevant resource information. Amazon S3 performs
DescribeMultiRegionAccessPointOperation
operations synchronously.
All control plane requests to create or maintain Multi-Region Access Points must be routed to the
US West (Oregon)
Region. For Multi-Region Access Point data plane requests, Regions don't need to be
specified. For the Multi-Region Access Point failover control plane, the request must be routed to one of the
five supported Regions. For more information about Multi-Region Access Point supported Regions, see Multi-Region Access Point restrictions and limitations.
In addition, you must grant the s3:ListAllMyBuckets
permission to the user,
role, or other Amazon Identity and Access Management (IAM) entity that makes a request to manage a Multi-Region Access Point.
The following examples demonstrate how to use Multi-Region Access Points with compatible operations in Amazon S3.
Topics
- Multi-Region Access Point compatibility with Amazon Web Services services and Amazon SDKs
- Multi-Region Access Point compatibility with S3 operations
- View your Multi-Region Access Point routing configuration
- Update your underlying Amazon S3 bucket policy
- Update a Multi-Region Access Point route configuration
- Add an object to a bucket in your Multi-Region Access Point
- Retrieve objects from your Multi-Region Access Point
- List objects that are stored in a bucket underlying your Multi-Region Access Point
- Use a presigned URL with Multi-Region Access Points
- Use a bucket that's configured with Requester Pays with Multi-Region Access Points
Multi-Region Access Point compatibility with Amazon Web Services services and Amazon SDKs
To use a Multi-Region Access Point with applications that require an Amazon S3 bucket name, use the Amazon Resource Name (ARN) of the Multi-Region Access Point when making requests by using an Amazon SDK. To check which Amazon SDKs are compatible with Multi-Region Access Points, see Compatibility with Amazon SDKs.
Multi-Region Access Point compatibility with S3 operations
You can use use the following Amazon S3 data plane API operations to perform actions on objects in buckets that are associated with your Multi-Region Access Point. The following S3 operations can accept Multi-Region Access Point ARNs:
Note
Multi-Region Access Points supports copy operations using Multi-Region Access Points only as a destination when using the Multi-Region Access Point ARN.
You can use the following Amazon S3 control plane operations to create and manage your Multi-Region Access Points:
View your Multi-Region Access Point routing configuration
Update your underlying Amazon S3 bucket policy
To grant proper access, you must also update the underlying Amazon S3 bucket policy. The following examples delegate access control to the Multi-Region Access Point policy. After you delegate access control to the Multi-Region Access Point policy, the bucket policy is no longer used for access control when requests are made through the Multi-Region Access Point.
Here's an example bucket policy that delegates access control to the Multi-Region Access Point policy. To
use this example bucket policy, replace the
with your own information. To apply this
policy through the Amazon CLI user input
placeholders
put-bucket-policy
command, as shown in the next
example, save the policy in a file, for example,
policy.json
.
{ "Version": "2012-10-17", "Statement": { "Principal": { "AWS": "*" }, "Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws-cn:s3:::
111122223333
/*", "arn:aws-cn:s3:::amzn-s3-demo-bucket
"], "Condition": { "StringEquals": { "s3:DataAccessPointAccount": "444455556666
" } } } }
The following put-bucket-policy
example command associates the updated S3
bucket policy with your S3 bucket:
aws s3api put-bucket-policy --bucket
amzn-s3-demo-bucket
--policy file:///tmp/policy.json
Update a Multi-Region Access Point route configuration
The following example command updates the Multi-Region Access Point route configuration. Multi-Region Access Point route commands can be run against the following five Regions:
-
ap-southeast-2
-
ap-northeast-1
-
us-east-1
-
us-west-2
-
eu-west-1
In a Multi-Region Access Point routing configuration, you can set buckets to an active or passive routing
status. Active buckets receive traffic, whereas passive buckets do not. You can set a
bucket's routing status by setting the TrafficDialPercentage
value for the
bucket to 100
for active or 0
for passive.
Add an object to a bucket in your Multi-Region Access Point
To add an object to the bucket that's associated with the Multi-Region Access Point, you can use the PutObject operation. To keep all buckets in the Multi-Region Access Point in sync, enable Cross-Region Replication.
Note
To use this operation, you must have the s3:PutObject
permission for
the Multi-Region Access Point. For more information about Multi-Region Access Point permission requirements, see Permissions.
Retrieve objects from your Multi-Region Access Point
To retrieve objects from the Multi-Region Access Point, you can use the GetObject operation.
Note
To use this API operation, you must have the s3:GetObject
permission
for the Multi-Region Access Point. For more information about Multi-Region Access Point permissions requirements, see
Permissions.
List objects that are stored in a bucket underlying your Multi-Region Access Point
To return a list of objects that are stored in a bucket underlying your Multi-Region Access Point, use the ListObjectsV2 operation. In the following example command, all objects for the specified Multi-Region Access Point are listed by using the ARN for the Multi-Region Access Point. In this case, the Multi-Region Access Point ARN is:
arn:aws-cn:s3::
123456789012
:accesspoint/abcdef0123456
.mrap
Note
To use this API operation, you must have the s3:ListBucket
permission
for the Multi-Region Access Point and the underlying bucket. For more information about Multi-Region Access Point
permissions requirements, see Permissions.
Use a presigned URL with Multi-Region Access Points
You can use a presigned URL to generate a URL that allows others to access your Amazon S3
buckets through an Amazon S3 Multi-Region Access Point. When you create a presigned URL, you associate it with a
specific object action, such as an S3 upload (PutObject
) or an S3 download
(GetObject
). You can share the presigned URL, and anyone with access to
it can perform the action embedded in the URL as if they were the original signing
user.
Presigned URLs have an expiration date. When the expiration time is reached, the URL will no longer work.
Before you use S3 Multi-Region Access Points with presigned URLs, check the Amazon SDK compatibility with the SigV4A algorithm. Verify that your SDK version supports SigV4A as the signing implementation that is used to sign the global Amazon Web Services Region requests. For more information about using presigned URLs with Amazon S3, see Sharing objects by using presigned URLs.
The following examples show how you can use Multi-Region Access Points with presigned URLs. To use these
examples, replace the
with your own information.user input placeholders
Note
To use SigV4A with temporary security credentials—for example, when using IAM
roles—make sure that you request the temporary credentials from a Regional endpoint
in Amazon Security Token Service (Amazon STS), instead of a global endpoint. If you use the global endpoint
for Amazon STS (sts.amazonaws.com.cn
), Amazon STS will generate temporary credentials
from a global endpoint, which isn't supported by Sig4A. As a result, you'll get an
error. To resolve this issue, use any of the listed Regional endpoints for Amazon STS.
Use a bucket that's configured with Requester Pays with Multi-Region Access Points
If an S3 bucket that is associated with your Multi-Region Access Points is configured to use
Requester Pays, the requester will pay for the
bucket
request, the download, and any Multi-Region Access Points related costs. For more
information, see Amazon S3
pricing
Here's an example of a data plane request to a Multi-Region Access Point that is connected to a Requester Pays bucket.