How do I troubleshoot a connection error when I run the “cp” or “sync” commands on my Amazon S3 bucket?

I want to run the “cp” or “sync” command on my Amazon Simple Storage Service (Amazon S3) bucket. However, I get an error.

Short description

To run the cp or sync commands on the AWS Command Line Interface (AWS CLI), your machine must connect to the correct Amazon S3 endpoints. Otherwise, you get an error with a message that the service can't connect to the endpoint URL, or the connection timed out. Depending on your error, follow the relevant troubleshooting steps:

"Could not connect to the endpoint URL" error:

  • Confirm that you have the correct AWS Region and Amazon S3 endpoint.
  • Verify that your DNS can resolve to the S3 endpoints.

"Connect timeout on endpoint URL" error:

  • Verify that your network can connect to the S3 endpoints.
  • For an Amazon Elastic Compute Cloud (Amazon EC2) instance, check the virtual private cloud (VPC) configuration.

Note: If you receive errors when running AWS CLI commands, make sure that you're using the most recent AWS CLI version.

Resolution

Confirm that you have the correct AWS Region and Amazon S3 endpoint

When you run a command in the AWS CLI, it sends API requests to the default AWS Region's S3 endpoint. Or, when you specify a Region, it sends an API request to a Region-specific S3 endpoint. Then, the AWS CLI redirects the request to the bucket's Regional S3 endpoint.

You might get the "Could not connect to the endpoint URL" error if there's a typo or error in the specified Region or endpoint. For example, the following command returns the error because there's an extra e in the endpoint name:

aws s3 cp filename s3://DOC-EXAMPLE-BUCKET/ --endpoint-url https://s3-acceleratee.amazonaws.com

Before you run the cp or sync command, confirm that the associated Region and S3 endpoint are correct.

Note: If you use Amazon S3 Transfer Acceleration, then see Configuring fast, secure file transfers using Amazon S3 Transfer Acceleration for the endpoint name.

Verify that your DNS can resolve to the S3 endpoints

To confirm that your DNS can resolve to the Amazon S3 endpoints, use a DNS query tool, such as nslookup or ping. The following example uses nslookup:

nslookup s3.amazonaws.com

The following example uses ping to confirm that the DNS resolves to the S3 endpoint:

ping s3.amazonaws.com

If your DNS can't resolve to the S3 endpoints, then troubleshoot your DNS configuration. If Amazon Route 53 is your DNS provider, then see Troubleshooting Amazon Route 53.

Verify that your network can connect to the S3 endpoints

Confirm that your network's firewall allows traffic to the Amazon S3 endpoints on the port that you use for Amazon S3 traffic.

For example, the following telnet command tests the connection to the ap-southeast-2 Regional S3 endpoint on port 443:

telnet s3.ap-southeast-2.amazonaws.com 443

Note: Replace the Regional endpoint and the port (443 or 80) with the values for your use case.
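
The endpoint name, DNS, and port checks described above can be combined into one script. This is an added example, not part of the original article or of any AWS tooling: the function names are hypothetical, the accepted endpoint forms are a non-exhaustive assumption, and nc stands in for the interactive telnet test.

```shell
#!/bin/sh
# Added example: triage an AWS CLI S3 connection error with the article's checks.

# Extract the host from an endpoint URL (drops scheme, path and port).
endpoint_host() {
  printf '%s\n' "$1" | sed -E 's#^[a-z]+://##; s#[/:].*$##'
}

# Return 0 if the host has the shape of a public S3 endpoint name.
# Assumption: only these common forms are covered (global, Regional,
# dual-stack, Transfer Acceleration); extend the pattern for other forms.
valid_s3_endpoint_name() {
  region='[a-z]{2}(-[a-z]+)+-[0-9]+'
  printf '%s\n' "$1" | grep -Eq \
    "^(s3|s3-accelerate|s3-accelerate\.dualstack|s3\.(dualstack\.)?${region})\.amazonaws\.com\$"
}

# Map the error text to the article's two troubleshooting branches.
classify_error() {
  case "$1" in
    *"Could not connect to the endpoint URL"*) echo "endpoint-name dns" ;;
    *"Connect timeout on endpoint URL"*)       echo "network vpc" ;;
    *)                                         echo "unknown" ;;
  esac
}

# Run the offline name check first, then the live DNS and TCP checks.
# A typo such as s3-acceleratee is caught before any network traffic is sent.
diagnose() {
  host=$(endpoint_host "$1"); port=${2:-443}
  valid_s3_endpoint_name "$host" || { echo "FAIL name: $host is not a recognised S3 endpoint form"; return 1; }
  nslookup "$host" >/dev/null 2>&1 || { echo "FAIL dns: cannot resolve $host"; return 2; }
  nc -z -w 5 "$host" "$port" >/dev/null 2>&1 || { echo "FAIL tcp: cannot reach $host:$port"; return 3; }
  echo "OK: $host resolves and accepts connections on port $port"
}

# Usage: sh s3diag.sh https://s3.ap-southeast-2.amazonaws.com 443
if [ $# -gt 0 ]; then diagnose "$@"; fi
```

The return code shows which check failed first: 1 for the endpoint name, 2 for DNS, 3 for the TCP connection.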

For an EC2 instance, check the VPC configuration

If you see this error on an EC2 instance, then check your VPC configuration. If the EC2 instance is in a public subnet, then check the following conditions:

If the EC2 instance is in a private subnet, then check the following conditions:

  • Check if there's a network address translation (NAT) gateway that's associated with the route table of the subnet. The NAT gateway provisions an internet path to reach the S3 endpoint.
  • If you use a VPC endpoint for Amazon S3, then verify that the AWS CLI config file has the correct Region. VPC endpoints for Amazon S3 are Region specific. If you run a sync command with --region us-west-1 when the VPC endpoint is in a different Region, then the CLI contacts https://s3.us-west-1.amazonaws.com. As a result, you receive the "Could not connect to the endpoint URL" error.
AWS OFFICIAL
Updated 7 months ago