Skip to content

Fix S3 Control operations for S3 Express Directory Buckets #44471

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

Fix S3 Control operations for S3 Express Directory Buckets #44471

wants to merge 4 commits into from
+249 −53

Conversation

christophersherman
Copy link

@christophersherman christophersherman commented Sep 28, 2025
edited
Loading

Description

Fixes S3 Express Directory Bucket operations that were failing with 403 Forbidden errors due to incorrect API endpoint routing across all S3 Control resources.

Problem: When performing operations on S3 Directory Bucket resources (access points, policies, lifecycle configurations), the provider was incorrectly routing requests to the standard S3 Control API endpoint (s3-control.amazonaws.com) instead of the required endpoints for Directory Buckets. This particularly affected tagging operations which require the S3 Express Control API endpoint (s3express-control.region.amazonaws.com).

Error encountered:

Error: listing tags for S3 (Simple Storage) Directory Bucket operation error 
S3 Control: ListTagsForResource, https response error StatusCode: 403, 
RequestID: ..., api error UnknownError: UnknownError

Despite having the correct IAM permissions (s3express:ListTagsForResource), and also (s3:ListTagsForResource) operations failed because requests were sent to the wrong API endpoint.

Solution:

  • Added S3ExpressControlClient() method to AWSClient that uses the correct s3express-control.region.amazonaws.com endpoint for Directory Bucket tagging operations
  • Updated all S3 Control resource operations to properly handle Directory Bucket ARNs (containing :s3express:)
  • For tagging operations: routes to the specialized S3 Express Control endpoint
  • For other operations: leverages AWS SDK's automatic endpoint routing based on ARN format
  • Added comprehensive unit tests for ARN detection logic

References

Testing

Usually I would test in my personal AWS account, but directory buckets are awkward resources. Happy to test in work environment if additional testing output is required.

% go test -v ./internal/service/s3control -run TestIsDirectoryBucketARN

=== RUN   TestIsDirectoryBucketARN
=== RUN   TestIsDirectoryBucketARN/Standard_S3_bucket_ARN
=== RUN   TestIsDirectoryBucketARN/S3_Control_Access_Point_ARN
=== RUN   TestIsDirectoryBucketARN/Directory_Bucket_ARN_(S3_Express)
=== RUN   TestIsDirectoryBucketARN/Directory_Bucket_Access_Point_ARN
=== RUN   TestIsDirectoryBucketARN/Empty_ARN
=== RUN   TestIsDirectoryBucketARN/Invalid_ARN_format
--- PASS: TestIsDirectoryBucketARN (0.00s)
    --- PASS: TestIsDirectoryBucketARN/Standard_S3_bucket_ARN (0.00s)
    --- PASS: TestIsDirectoryBucketARN/S3_Control_Access_Point_ARN (0.00s)
    --- PASS: TestIsDirectoryBucketARN/Directory_Bucket_ARN_(S3_Express) (0.00s)
    --- PASS: TestIsDirectoryBucketARN/Directory_Bucket_Access_Point_ARN (0.00s)
    --- PASS: TestIsDirectoryBucketARN/Empty_ARN (0.00s)
    --- PASS: TestIsDirectoryBucketARN/Invalid_ARN_format (0.00s)
PASS
ok      github.com/hashicorp/terraform-provider-aws/internal/service/s3control  6.573s

@christophersherman christophersherman requested a review from a team as a code owner September 28, 2025 00:48
@github-actions GitHub Actions
Copy link
Contributor

Community Guidelines

This comment is added to every new Pull Request to provide quick reference to how the Terraform AWS Provider is maintained. Please review the information below, and thank you for contributing to the community that keeps the provider thriving! 🚀

Voting for Prioritization

  • Please vote on this Pull Request by adding a 👍 reaction to the original post to help the community and maintainers prioritize it.
  • Please see our prioritization guide for additional information on how the maintainers handle prioritization.
  • Please do not leave +1 or other comments that do not add relevant new information or questions; they generate extra noise for others following the Pull Request and do not help prioritize the request.

Pull Request Authors

  • Review the contribution guide relating to the type of change you are making to ensure all of the necessary steps have been taken.
  • Whether or not the branch has been rebased will not impact prioritization, but doing so is always a welcome surprise.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 28, 2025
edited
Loading

✅ Thank you for correcting the previously detected issues! The maintainers appreciate your efforts to make the review process as smooth as possible.

@github-actions github-actions bot added needs-triage Waiting for first response or review from a maintainer. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure. service/s3control Issues and PRs that pertain to the s3control service. tags Pertains to resource tagging. client-connections Pertains to the AWS Client and service connections. generators Relates to code generators. size/M Managed by automation to categorize the size of a PR. labels Sep 28, 2025
@christophersherman christophersherman force-pushed the fix-s3express-directory-bucket-tagging branch from 8f31bc4 to 0ad814f Compare September 28, 2025 02:42
@github-actions github-actions bot added the size/L Managed by automation to categorize the size of a PR. label Sep 28, 2025
@christophersherman
Copy link
Author

I might as well add support for all the other s3 control operations

@justinretzolk justinretzolk added bug Addresses a defect in current functionality. and removed needs-triage Waiting for first response or review from a maintainer. labels Sep 29, 2025
@github-actions github-actions bot added the size/XL Managed by automation to categorize the size of a PR. label Sep 29, 2025
@christophersherman christophersherman changed the title Fix S3 Express Directory Bucket tagging API routing Fix S3 Control operations for S3 Express Directory Buckets Sep 29, 2025
@christophersherman
Copy link
Author

Friendly bump

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug Addresses a defect in current functionality. client-connections Pertains to the AWS Client and service connections. generators Relates to code generators. service/s3control Issues and PRs that pertain to the s3control service. size/L Managed by automation to categorize the size of a PR. size/M Managed by automation to categorize the size of a PR. size/XL Managed by automation to categorize the size of a PR. tags Pertains to resource tagging. tests PRs: expanded test coverage. Issues: expanded coverage, enhancements to test infrastructure.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@christophersherman @justinretzolk