Making requests through a Multi-Region Access Point - Amazon Simple Storage Service

Making requests through a Multi-Region Access Point

Like other resources, Amazon S3 Multi-Region Access Points have Amazon Resource Names (ARNs). You can use these ARNs to direct requests to Multi-Region Access Points by using the Amazon SDKs. You can also use these ARNs to identify Multi-Region Access Points in access control policies. A Multi-Region Access Point ARN doesn't include or disclose its name. For more information about ARNs, see Amazon Resource Names (ARNs) in the Amazon General Reference.

Multi-Region Access Point ARNs use the following format:

arn:aws-cn:s3::account-id:accesspoint/MultiRegionAccessPoint_alias

The following are a few examples of Multi-Region Access Point ARNs:

  • arn:aws-cn:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap represents the Multi-Region Access Point with the alias mfzwi23gnjvgw.mrap, owned by Amazon account 123456789012.

  • arn:aws-cn:s3::123456789012:accesspoint/* represents all Multi-Region Access Points under the account 123456789012. This ARN matches all Multi-Region Access Points for account 123456789012, but doesn't match any Regional access points because the ARN doesn’t include an Amazon Region. In contrast, the ARN arn:aws-cn:s3:us-west-2:123456789012:accesspoint/* matches all Regional access points in the Region us-west-2 for the account 123456789012, but doesn't match any Multi-Region Access Points.

ARNs for objects that are accessed through a Multi-Region Access Point use the following format:

arn:aws-cn:s3::account-id:accesspoint/MultiRegionAccessPoint_alias/object/key

As with Multi-Region Access Point ARNs, the ARNs for objects that are accessed through Multi-Region Access Points don't include an Amazon Web Services Region. Here are some examples.

  • arn:aws-cn:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/unit-01 represents the object unit-01, accessed through the Multi-Region Access Point with the alias mfzwi23gnjvgw.mrap, which is owned by account 123456789012.

  • arn:aws-cn:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/* represents all objects that can be accessed through the Multi-Region Access Point with the alias mfzwi23gnjvgw.mrap, in account 123456789012.

  • arn:aws-cn:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap/object/unit-01/finance/* represents all objects that can be accessed under the prefix unit-01/finance/ for the Multi-Region Access Point with the alias mfzwi23gnjvgw.mrap, in account 123456789012.
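When reviewing access control policies, it helps to check mechanically which ARNs a resource pattern covers. The following Python sketch is an added example, not code from the AWS documentation: it parses the ARN formats above and models wildcard matching field by field. The function names, the simplified matching model, and the Regional access point name example-ap are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

class AccessPointArn(NamedTuple):
    partition: str
    region: str            # "" for a Multi-Region Access Point
    account_id: str
    access_point: str      # MRAP alias, or Regional access point name
    object_key: Optional[str]

    @property
    def is_multi_region(self) -> bool:
        return self.region == ""

def parse_access_point_arn(arn: str) -> AccessPointArn:
    """Split an S3 access point ARN (optionally with /object/key) into fields."""
    parts = arn.split(":", 5)  # the resource field may itself contain ':'
    if len(parts) != 6 or parts[0] != "arn" or parts[2] != "s3":
        raise ValueError(f"not an S3 ARN: {arn!r}")
    _, partition, _, region, account_id, resource = parts
    if not resource.startswith("accesspoint/"):
        raise ValueError(f"not an access point ARN: {arn!r}")
    name, sep, key = resource[len("accesspoint/"):].partition("/object/")
    if not name or "/" in name:
        raise ValueError(f"malformed access point resource: {arn!r}")
    return AccessPointArn(partition, region, account_id, name, key if sep else None)

def _glob(pattern: str, value: str) -> bool:
    # '*' matches any run of characters, '?' exactly one; all else is literal.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, flags=re.DOTALL) is not None

def resource_pattern_matches(pattern: str, arn: str) -> bool:
    """Simplified model (assumption): compare the six ARN fields one by one."""
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(_glob(x, y) for x, y in zip(p, a))

# ARNs from the examples above; the Regional name "example-ap" is constructed.
MRAP = "arn:aws-cn:s3::123456789012:accesspoint/mfzwi23gnjvgw.mrap"
REGIONAL = "arn:aws-cn:s3:us-west-2:123456789012:accesspoint/example-ap"
ALL_MRAPS = "arn:aws-cn:s3::123456789012:accesspoint/*"
ALL_REGIONAL = "arn:aws-cn:s3:us-west-2:123456789012:accesspoint/*"
FINANCE = MRAP + "/object/unit-01/finance/*"

if __name__ == "__main__":
    for pat in (ALL_MRAPS, ALL_REGIONAL, FINANCE):
        for arn in (MRAP, REGIONAL, MRAP + "/object/unit-01/finance/q1.csv"):
            print(f"{resource_pattern_matches(pat, arn)!s:5}  {pat}  vs  {arn}")
```

The empty Region field is what separates the two pattern families: a policy statement scoped with the Region-less wildcard never covers a Regional access point, and the reverse also holds.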

Multi-Region Access Point hostnames

You can access data in Amazon S3 through a Multi-Region Access Point by using the hostname of the Multi-Region Access Point. Requests can be directed to this hostname from the public internet. If you have configured one or more internet gateways for the Multi-Region Access Point, requests can also be directed to this hostname from a virtual private cloud (VPC). For more information about creating VPC interface endpoints to use with Multi-Region Access Points, see Configuring a Multi-Region Access Point for use with Amazon PrivateLink.

To make requests through a Multi-Region Access Point from a VPC by using a VPC endpoint, you can use Amazon PrivateLink. When you're making requests to a Multi-Region Access Point by using Amazon PrivateLink, you cannot directly use an endpoint-specific Regional DNS name that ends with region.vpce.amazonaws.com.cn. This hostname will not have a certificate associated with it, so it cannot be used directly. You can still use the public DNS name of the VPC endpoint as a CNAME or ALIAS target. Alternatively, you can enable private DNS on the endpoint and use the standard Multi-Region Access Point MultiRegionAccessPoint_alias.accesspoint.s3-global.amazonaws.com.cn DNS names, as described in this section.

When you use the REST APIs for Amazon S3 data operations (for example, GetObject) through a Multi-Region Access Point, the hostname for the request is as follows:

MultiRegionAccessPoint_alias.accesspoint.s3-global.amazonaws.com.cn

For example, to make a GetObject request through the Multi-Region Access Point with the alias mfzwi23gnjvgw.mrap, make a request to the hostname mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com.cn. The s3-global portion of the hostname indicates that this hostname is not for a specific Region.

Making requests through a Multi-Region Access Point is similar to making requests through a single-Region access point. However, it's important to be aware of the following differences:

  • Multi-Region Access Point ARNs don't include an Amazon Web Services Region. They follow the format arn:aws-cn:s3::account-id:accesspoint/MultiRegionAccessPoint_alias.

  • For requests made through the REST APIs (these requests do not require the use of an ARN), Multi-Region Access Points use a different endpoint scheme. The scheme is MultiRegionAccessPoint_alias.accesspoint.s3-global.amazonaws.com.cn—for example, mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com.cn. Note the differences compared to a single-Region access point:

    • Multi-Region Access Point hostnames use their alias, not the Multi-Region Access Point name.

    • Multi-Region Access Point hostnames don't include the owner's Amazon Web Services account ID.

    • Multi-Region Access Point hostnames don't include an Amazon Web Services Region.

    • Multi-Region Access Point hostnames include s3-global.amazonaws.com.cn instead of s3.amazonaws.com.cn.

  • Multi-Region Access Point requests must be signed by using Signature Version 4A (SigV4A). When you use the Amazon SDK, the SDK automatically converts a SigV4 signature to SigV4A. Therefore, verify that your Amazon SDK version supports SigV4A as the signing implementation that is used to sign the global Amazon Web Services Region requests. For more information about SigV4A, see Signing Amazon API requests in the Amazon General Reference.

Multi-Region Access Points and Amazon S3 Transfer Acceleration

Amazon S3 Transfer Acceleration is a feature that enables fast transfer of data to buckets. Transfer Acceleration is configured on the individual bucket level. For more information about Transfer Acceleration, see Configuring fast, secure file transfers using Amazon S3 Transfer Acceleration.

Multi-Region Access Points use an accelerated transfer mechanism similar to Transfer Acceleration for sending large objects over the Amazon network. Because of this, you don't need to use Transfer Acceleration when sending requests through a Multi-Region Access Point. This increased transfer performance is automatically incorporated into the Multi-Region Access Point.