Update S3 repository docs to reflect AWS upgrade

nicktindall · nicktindall · commit 135503a0a065 · 2025-05-26T10:25:59.000+10:00
(Backport of elastic/docs-content#1356)
diff --git a/docs/reference/snapshot-restore/repository-s3.asciidoc b/docs/reference/snapshot-restore/repository-s3.asciidoc
@@ -105,6 +105,11 @@ The following list contains the available client settings. Those that must be
 stored in the keystore are marked as "secure" and are *reloadable*; the other
 settings belong in the `elasticsearch.yml` file.
 
+`region`::
+    Specifies the region to use. When set, determines the signing region and regional endpoint to use, unless the endpoint
+    is overridden via the `endpoint` setting. If not set, {es} will attempt to determine the region automatically using
+    the AWS SDK.
+
 `access_key` ({ref}/secure-settings.html[Secure], {ref}/secure-settings.html#reloadable-secure-settings[reloadable])::
 
     An S3 access key. If set, the `secret_key` setting must also be specified.
@@ -121,22 +126,23 @@ settings belong in the `elasticsearch.yml` file.
 
 `endpoint`::
 
-    The S3 service endpoint to connect to. This defaults to `s3.amazonaws.com`
-    but the
-    https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region[AWS
-    documentation] lists alternative S3 endpoints. If you are using an
-    <<repository-s3-compatible-services,S3-compatible service>> then you should
-    set this to the service's endpoint.
+    The S3 service endpoint to connect to. This defaults to the regional endpoint corresponding to the configured `region`,
+    but the [AWS documentation](https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) lists alternative S3
+    endpoints. If you are using an [S3-compatible service](#repository-s3-compatible-services) then you should set this
+    to the service’s endpoint. The endpoint should specify the protocol and host name,
+    e.g. `https://s3.ap-southeast-4.amazonaws.com`, `http://minio.local:9000`.
+
+    When using HTTPS, this repository type validates the repository’s certificate chain using the JVM-wide truststore.
+    Ensure that the root certificate authority is in this truststore using the JVM’s `keytool` tool. If you have a custom
+    certificate authority for your S3 repository and you use the {es} [bundled JDK](../../deploy/self-managed/installing-elasticsearch.md#jvm-version),
+    then you will need to reinstall your CA certificate every time you upgrade {es}.
+
 
 `protocol`::
 
-    The protocol to use to connect to S3. Valid values are either `http` or
-    `https`. Defaults to `https`. When using HTTPS, this repository type validates the
-    repository's certificate chain using the JVM-wide truststore. Ensure that
-    the root certificate authority is in this truststore using the JVM's
-    `keytool` tool. If you have a custom certificate authority for your S3 repository
-    and you use the {es} <<jvm-version,bundled JDK>>, then you will need to reinstall your
-    CA certificate every time you upgrade {es}.
+    The protocol to use to connect to S3. Valid values are either `http` or `https`. Defaults to `https`. Note that this
+    setting is deprecated since 8.19 and is only used if `endpoint` is set to a URL that does not include a scheme.
+    Users should migrate to including the scheme in the `endpoint` setting.
 
 `proxy.host`::
 
@@ -175,11 +181,6 @@ settings belong in the `elasticsearch.yml` file.
     The number of retries to use when an S3 request fails. The default value is
     `3`.
 
-`use_throttle_retries`::
-
-    Whether retries should be throttled (i.e. should back off). Must be `true`
-    or `false`. Defaults to `true`.
-
 `path_style_access`::
 
    Whether to force the use of the path style access pattern. If `true`, the
@@ -205,23 +206,6 @@ pattern then you should set this setting to `true` when upgrading.
     https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/services/s3/AmazonS3Builder.html#disableChunkedEncoding--[AWS
     Java SDK documentation] for details. Defaults to `false`.
 
-`region`::
-
-    Allows specifying the signing region to use. Specificing this setting manually should not be necessary for most use cases. Generally,
-    the SDK will correctly guess the signing region to use. It should be considered an expert level setting to support S3-compatible APIs
-    that require https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html[v4 signatures] and use a region other than the
-    default `us-east-1`. Defaults to empty string which means that the SDK will try to automatically determine the correct signing region.
-
-`signer_override`::
-
-    Allows specifying the name of the signature algorithm to use for signing requests by the S3 client. Specifying this setting should not
-    be necessary for most use cases. It should be considered an expert level setting to support S3-compatible APIs that do not support the
-    signing algorithm that the SDK automatically determines for them.
-    See the
-    https://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/ClientConfiguration.html#setSignerOverride-java.lang.String-[AWS
-    Java SDK documentation] for details. Defaults to empty string which means that no signing algorithm override will be used.
-
-
 [[repository-s3-repository]]
 ==== Repository settings
 
