Referencing access points with ARNs, access point aliases, or virtual-hosted–style URIs - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Referencing access points with ARNs, access point aliases, or virtual-hosted–style URIs

After you create an access point you can use these endpoints to preform a number of operations. When referring to an access point you can use the Amazon Resource Names (ARNs), access point alias, or virtual-hosted–style URI.

Access point ARNs

Access points have Amazon Resource Names (ARNs). Access point ARNs are similar to bucket ARNs, but they are explicitly typed and encode the access point's Amazon Web Services Region and the Amazon Web Services account ID of the access point's owner. For more information about ARNs, see Identify Amazon resources with Amazon Resource Names (ARNs) in the IAM User Guide.

Access point ARNs use the following format:

arn:aws-cn:s3:region:account-id:accesspoint/resource
  • arn:aws-cn:s3:us-west-2:123456789012:accesspoint/test represents the access point named test, owned by account 123456789012 in the Region us-west-2.

  • arn:aws-cn:s3:us-west-2:123456789012:accesspoint/* represents all access points under account 123456789012 in the Region us-west-2.

ARNs for objects accessed through an access point use the following format:

arn:aws-cn:s3:region:account-id:accesspoint/access-point-name/object/resource
  • arn:aws-cn:s3:us-west-2:123456789012:accesspoint/test/object/unit-01 represents the object unit-01, accessed through the access point named test, owned by account 123456789012 in the Region us-west-2.

  • arn:aws-cn:s3:us-west-2:123456789012:accesspoint/test/object/* represents all objects for the access point named test, in account 123456789012 in the Region us-west-2.

  • arn:aws-cn:s3:us-west-2:123456789012:accesspoint/test/object/unit-01/finance/* represents all objects under prefix unit-01/finance/ for the access point named test, in account 123456789012 in the Region us-west-2.

Access point aliases

When you create an access point, Amazon S3 automatically generates an alias that you can use instead of an Amazon S3 bucket name for data access. You can use this access point alias instead of an Amazon Resource Name (ARN) for access point data plane operations. For a list of these operations, see Access point compatibility.

An access point alias name is created within the same namespace as an Amazon S3 bucket. This alias name is automatically generated and cannot be changed. An access point alias name meets all the requirements of a valid Amazon S3 bucket name and consists of the following parts:

ACCESS POINT NAME-METADATA-s3alias (for access points attached to an Amazon S3 bucket)

ACCESS POINT NAME-METADATA-ext-s3alias (for access points attached to an non-S3 bucket data source)

Note

The -s3alias and -ext-s3alias suffixes are reserved for access point alias names and can't be used for bucket or access point names. For more information about Amazon S3 bucket-naming rules, see General purpose bucket naming rules.

Access points aliases use cases and limitations

When adopting access points, you can use access point alias names without requiring extensive code changes.

When you create an access point, Amazon S3 automatically generates an access point alias name, as shown in the following example. To run this command, replace the user input placeholders with your own information.

aws s3control create-access-point --bucket amzn-s3-demo-bucket1 --name my-access-point --account-id 111122223333 { "AccessPointArn": "arn:aws-cn:s3:region:111122223333:accesspoint/my-access-point", "Alias": "my-access-point-aqfqprnstn7aefdfbarligizwgyfouse1a-s3alias" }

You can use this access point alias name instead of an Amazon S3 bucket name in any data plane operation. For a list of these operations, see Access point compatibility.

The following Amazon CLI example for the get-object command uses the bucket's access point alias to return information about the specified object. To run this command, replace the user input placeholders with your own information.

aws s3api get-object --bucket my-access-point-aqfqprnstn7aefdfbarligizwgyfouse1a-s3alias --key dir/my_data.rtf my_data.rtf { "AcceptRanges": "bytes", "LastModified": "2020-01-08T22:16:28+00:00", "ContentLength": 910, "ETag": "\"00751974dc146b76404bb7290f8f51bb\"", "VersionId": "null", "ContentType": "text/rtf", "Metadata": {} }

Access point alias limitations

  • Aliases cannot be configured by customers.

  • Aliases cannot be deleted or modified or disabled on an access point.

  • You can use this access point alias name instead of an Amazon S3 bucket name in some data plane operations. For a list of these operations, see Access points compatibility with S3 operations.

  • You can't use an access point alias name for Amazon S3 control plane operations. For a list of Amazon S3 control plane operations, see Amazon S3 Control in the Amazon Simple Storage Service API Reference.

  • You can't use S3 access point aliases as the source or destination for Move operations in the Amazon S3 console.

  • Aliases cannot be used in Amazon Identity and Access Management (IAM) policies.

  • Aliases cannot be used as a logging destination for S3 server access logs.

  • Aliases cannot be used as a logging destination for Amazon CloudTrail logs.

  • Amazon SageMaker AI GroundTruth does not support access point aliases.

Virtual-hosted–style URI

Access points only support virtual-host-style addressing. In a virtual-hosted–style URI, the access point name, Amazon Web Services account, and Amazon Web Services Region is part of the domain name in the URL. For more information about virtual hosting, see Virtual hosting of general purpose buckets.

Virtual-hosted–style URI for access points use the following format:

https://access-point-name-account-id.s3-accesspoint.region.amazonaws.com
Note
  • If your access point name includes dash (-) characters, include the dashes in the URL and insert another dash before the account ID. For example, to use an access point named finance-docs owned by account 123456789012 in the Region us-west-2, the appropriate URL would be https://finance-docs-123456789012.s3-accesspoint.us-west-2.amazonaws.com.

  • S3 access points don't support access through HTTP. Access points support only secure access through HTTPS.