Troubleshooting S3 access point issues
This section describes symptoms, causes, and resolutions for when you encounter issues accessing your FSx data from S3 access points.
S3 access point creation failed due to file system user identity lookup failure
When you create and attach an S3 access point, you must provide a FileSystemIdentity. You are responsible for configuring the UNIX or Windows user that you provide within ONTAP.
If a UnixUser is provided, ONTAP must be able to map the UnixUser name to a UNIX UID and GID (plus any supplementary GIDs). ONTAP determines how to perform this mapping from the SVM's name service switch configuration:

>vserver services name-service ns-switch show

Vserver         Database     Order
--------------- ------------ ---------
svm_1           hosts        files, dns
svm_1           group        files, ldap
svm_1           passwd       files, ldap
svm_1           netgroup     nis, files
Ensure that your UnixUser has an entry in both the passwd and the group databases in a source listed in that order (files, ldap, and so on).
The files source can be configured using the vserver services name-service unix-user and vserver services name-service unix-group commands.
The ldap source can be configured using the vserver services name-service ldap command.
If a WindowsUser is provided, ONTAP must be able to find the WindowsUser name in the joined Active Directory domain.
To confirm that a provided UnixUser or WindowsUser maps correctly, run the following command as the fsxadmin user (for a WindowsUser, replace -unix-user-name with -win-name):

>vserver services access-check authentication show-creds -node FsxId0fd48ff588b9d3eee-01 -vserver svm_name -unix-user-name root -show-partial-unix-creds true
Example successful output:

UNIX UID: root GID: daemon Supplementary GIDs: daemon

Example unsuccessful output:

Error: Acquire UNIX credentials procedure failed
  [  2 ms] Entry for user-name: unmapped-user not found in the current source: FILES.
           Entry for user-name: unmapped-user not found in any of the available sources
**[  3] FAILURE: Unable to retrieve UID for UNIX user unmapped-user
Error: command failed: Failed to resolve user name to a UNIX ID. Reason: "SecD Error: object not found".
A missing or incorrect user mapping may result in Access Denied errors for S3 requests made through the access point, so fix the mapping in ONTAP before retrying the request.
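As an added example (not from this page and not an ONTAP or FSx tool), the following Python script turns the two checks above into an offline pre-flight check: it parses ns-switch show output to confirm that the passwd and group databases each list a usable source, and parses show-creds output to distinguish a mapped user from an unmapped one. The sample outputs are constructed to match the formats shown above; the SVM names, the VALID_SOURCES set and the function names are assumptions for illustration.

```python
import re

# Constructed sample of `vserver services name-service ns-switch show` output
# for two SVMs (not captured from a real file system). svm_2 has no group
# database configured, which breaks UnixUser lookups.
NS_SWITCH_SAMPLE = """\
Vserver         Database     Order
--------------- ------------ ---------
svm_1           hosts        files, dns
svm_1           group        files, ldap
svm_1           passwd       files, ldap
svm_1           netgroup     nis, files
svm_2           hosts        files, dns
svm_2           passwd       files
"""

# Constructed samples of `access-check authentication show-creds` output.
SHOW_CREDS_OK = "UNIX UID: root GID: daemon Supplementary GIDs: daemon\n"
SHOW_CREDS_FAIL = """\
Error: Acquire UNIX credentials procedure failed
  [  2 ms] Entry for user-name: unmapped-user not found in the current source: FILES.
           Entry for user-name: unmapped-user not found in any of the available sources
**[  3] FAILURE: Unable to retrieve UID for UNIX user unmapped-user
Error: command failed: Failed to resolve user name to a UNIX ID. Reason: "SecD Error: object not found".
"""

# Sources that can serve passwd/group lookups (assumption for this check).
VALID_SOURCES = {"files", "ldap", "nis"}


def parse_ns_switch(output, vserver):
    """Return {database: [sources]} for one SVM from ns-switch show output."""
    order = {}
    for line in output.splitlines():
        parts = line.split(None, 2)          # Vserver, Database, Order
        if len(parts) == 3 and parts[0] == vserver:
            order[parts[1]] = [s.strip() for s in parts[2].split(",")]
    return order


def missing_identity_sources(output, vserver):
    """Databases a UnixUser lookup needs (passwd, group) that have no usable source."""
    order = parse_ns_switch(output, vserver)
    return [db for db in ("passwd", "group")
            if not any(s in VALID_SOURCES for s in order.get(db, []))]


def parse_show_creds(output):
    """Return ('ok', uid, gid) on success or ('unmapped', user, reason) on failure."""
    m = re.search(r"UNIX UID:\s*(\S+)\s+GID:\s*(\S+)", output)
    if m:
        return ("ok", m.group(1), m.group(2))
    m = re.search(r"Unable to retrieve UID for UNIX user\s+(\S+)", output)
    user = m.group(1) if m else None
    m = re.search(r'Reason:\s*"([^"]*)"', output)
    reason = m.group(1) if m else output.strip().splitlines()[0]
    return ("unmapped", user, reason)


if __name__ == "__main__":
    for svm in ("svm_1", "svm_2"):
        print(svm, "missing sources:", missing_identity_sources(NS_SWITCH_SAMPLE, svm))
    print(parse_show_creds(SHOW_CREDS_OK))
    print(parse_show_creds(SHOW_CREDS_FAIL))
```

Feed the script the captured output of the two ONTAP commands (for example, saved from an SSH session as fsxadmin) before you create the access point; an empty list from missing_identity_sources and an "ok" tuple from parse_show_creds are the conditions under which the FileSystemIdentity will resolve.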
The file system is unable to handle S3 requests
If the S3 request volume for a particular workload exceeds the file system’s capacity to handle the traffic, you may experience
S3 request errors (for example, Internal Server Error, 503 Slow Down, and Service Unavailable).
You can proactively monitor and alarm on the performance of your file system using Amazon CloudWatch metrics (for example, Network throughput
utilization and CPU utilization). If you observe degraded performance, you can resolve this issue by increasing the file system's
throughput capacity.
Access Denied with default S3 access point permissions for automatically created service roles
Some S3-integrated Amazon services create a custom service role and tailor the attached permissions to your
specific use case. When you specify your S3 access point alias as the S3 resource, those attached permissions may refer to your access point
using the bucket ARN format (for example, arn:aws:s3:::my-fsx-ap-foo7detztxouyjpwtu8krroppxytruse1a-ext-s3alias)
rather than the access point ARN format (for example, arn:aws:s3:us-east-1:1234567890:accesspoint/my-fsx-ap). Requests authorized
against a bucket ARN built from the alias are denied.
To resolve this, modify the policy so that each affected Resource uses the ARN of the access point.
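The following Python helper, added here as an example and not part of this page or of any AWS tool, scans a policy document for Resource entries that name an access point alias in bucket-ARN form and rewrites them to the access point ARN. The policy, the alias, the access point name, the account ID and the alias-to-ARN mapping are constructed placeholders; the object-level form arn:aws:s3:region:account:accesspoint/name/object/key is the standard S3 access point object ARN format.

```python
import json
import re

# Constructed example of a policy an integrated service might attach to its
# service role. The alias, access point name and account ID are placeholders.
POLICY_WITH_ALIAS = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": [
                "arn:aws:s3:::my-fsx-ap-foo7detztxouyjpwtu8krroppxytruse1a-ext-s3alias",
                "arn:aws:s3:::my-fsx-ap-foo7detztxouyjpwtu8krroppxytruse1a-ext-s3alias/*",
            ],
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::my-fsx-ap-foo7detztxouyjpwtu8krroppxytruse1a-ext-s3alias",
        },
    ],
}

# Hypothetical mapping from the alias to the access point ARN; in practice
# take it from the access point's description in the console or API.
ALIAS_TO_AP_ARN = {
    "my-fsx-ap-foo7detztxouyjpwtu8krroppxytruse1a-ext-s3alias":
        "arn:aws:s3:us-east-1:123456789012:accesspoint/my-fsx-ap",
}

# Bucket-style ARN whose "bucket" is an access point alias (suffix -s3alias),
# optionally followed by an object key pattern.
ALIAS_RESOURCE = re.compile(
    r"^arn:aws:s3:::(?P<alias>[a-z0-9-]+-s3alias)(?P<rest>(?:/.*)?)$")


def _as_list(res):
    return [res] if isinstance(res, str) else list(res)


def find_alias_resources(policy):
    """Return every Resource string written in bucket-ARN form with an alias."""
    found = []
    for stmt in policy.get("Statement", []):
        for r in _as_list(stmt.get("Resource", [])):
            if ALIAS_RESOURCE.match(r):
                found.append(r)
    return found


def rewrite_alias_resources(policy, alias_to_arn):
    """Return a copy of the policy with alias bucket ARNs rewritten to access point ARNs.

    A bucket-level grant becomes the access point ARN; an object-level grant
    keeps its key pattern under the access point's /object/ prefix.
    """
    fixed = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    for stmt in fixed.get("Statement", []):
        res = stmt.get("Resource", [])
        new = []
        for r in _as_list(res):
            m = ALIAS_RESOURCE.match(r)
            if m and m.group("alias") in alias_to_arn:
                ap_arn = alias_to_arn[m.group("alias")]
                rest = m.group("rest")
                new.append(ap_arn + ("/object" + rest if rest else ""))
            else:
                new.append(r)  # unknown alias or already an access point ARN
        stmt["Resource"] = new[0] if isinstance(res, str) else new
    return fixed


if __name__ == "__main__":
    print("alias-form resources:", find_alias_resources(POLICY_WITH_ALIAS))
    print(json.dumps(rewrite_alias_resources(POLICY_WITH_ALIAS, ALIAS_TO_AP_ARN), indent=2))
```

Run find_alias_resources over the role's inline and attached policies after the integrated service creates them; any hit is a grant that S3 will not honour for the access point. Review the rewritten document before applying it, because an alias that is absent from the mapping is left unchanged on purpose.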