Cross Region S3 bucket policy
I would like to allow EC2 servers based in us-east-1 to read content from a bucket in us-west-2.
Every time I try I get a "The Bucket you are attempting to access must be addressed using the specified endpoint. Please send all future requests to this endpoint"
Is it actually possible to allow such thing, or are s3 buckets locked up to one region?
All buckets are reachable by using the s3.amazonaws.com endpoint. When you use this endpoint, if the bucket is in a non-Standard US region, then you will be redirected to the correct endpoint. This is the only region/endpoint where this trick works.
If the bucket is in the Standard US region, then you must use the s3.amazonaws.com endpoint. None of the other regional endpoints will work.
If you use the correct endpoint for your bucket, you can access the bucket from any region.
Please see http://docs.amazonwebservices.com/general/latest/gr/rande.html#s3_region for full S3 Region explainations.
Regarding VPCs, please note the following:
If you want to connect from a VPC in region A to a bucket in region B, it is not sufficient to connect an S3 endpoint to your VPC, as you can only access buckets from Region A via this endpoint. Instead, you would need to connect via the public internet to the bucket in region B from your VPC in region A.
See also https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints-s3.html
which states:
Endpoints currently do not support cross-region requests—ensure that you create your endpoint in the same region as your bucket.
And https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpce-gateway.html#vpc-endpoints-limitations
which states:
Endpoints are supported within the same region only. You cannot create an endpoint between a VPC and a service in a different region.