Rclone cannot list or access files via S3 Access Point (cross-account), but AWS CLI works #8686

@msaavedra91

The associated forum post URL from https://forum.rclone.org

https://forum.rclone.org/t/rclone-cannot-list-or-access-files-via-s3-access-point-cross-account-but-aws-cli-works/51913

What is the problem you are having with rclone?

rclone cannot list or access files via an S3 Access Point (cross-account). The same operation works with AWS CLI using the same credentials and Access Point ARN. The Access Point policy allows all required actions. rclone always returns "directory not found" or the buckets of the account where I am executing the command and not the ones from the account I want, even though files exist and are accessible via AWS CLI.

What is your rclone version (output from rclone version)

rclone v1.70.3
- os/version: Microsoft Windows Server 2022 Datacenter 21H2 21H2 (64 bit)
- os/kernel: 10.0.20348.3091 (x86_64)
- os/type: windows
- os/arch: amd64
- go/version: go1.24.4
- go/linking: static
- go/tags: cmount

Which OS you are using and how many bits (e.g. Windows 7, 64 bit)

Microsoft Windows Server 2022 Datacenter 21H2 21H2 (64 bit)

Which cloud storage system are you using? (e.g. Google Drive)

Amazon S3 (via S3 Access Point, cross-account)

My config

[originals-aoc-1-full]
type = s3
provider = AWS
env_auth = true
region = us-west-2
location_constraint = us-west-2
endpoint = https://originals-aoc1-full-access-2222222222.s3-accesspoint.us-west-2.amazonaws.com
s3_use_arn_region = true
s3_force_path_style = false
server_side_encryption = AES256
storage_class = STANDARD

[originals-aoc-1-restricted]
type = s3
provider = AWS
env_auth = true
region = us-west-2
endpoint = https://originals-aoc1-restricted-access-2222222222.s3-accesspoint.us-west-2.amazonaws.com
no_check_bucket = true
no_head = true
server_side_encryption = AES256
storage_class = STANDARD

The command you were trying to run (e.g. rclone copy /tmp remote:tmp)

From my account 11111111111 (where my server is) trying to connect to the bucket from 222222222222

rclone ls originals-aoc-1-restricted:PROJECT_DELETE/ --config="C:\temp\rclone-test\rclone-test.conf" -vv

or

rclone lsd originals-aoc-1-full: --config "C:\Program Files\rclone\rclone.conf" -vv --dump headers

A log from the command with the -vv flag (e.g. output from rclone -vv copy /tmp remote:tmp)

2025/07/10 03:08:19 DEBUG : rclone: Version "v1.69.0" starting with parameters ["C:\\Windows\\system32\\rclone.exe" "ls" "originals-aoc-1-restricted:PROJECT_DELETE/" "--config=C:\\temp\\rclone-test\\rclone-test.conf" "-vv"]
2025/07/10 03:08:19 DEBUG : Creating backend with remote "originals-aoc-1-restricted:PROJECT_DELETE/"
2025/07/10 03:08:19 DEBUG : Using config file from "C:\\temp\\rclone-test\\rclone-test.conf"
2025/07/10 03:08:19 DEBUG : fs cache: renaming cache item "originals-aoc-1-restricted:PROJECT_DELETE/" to be canonical "originals-aoc-1-restricted:PROJECT_DELETE"
2025/07/10 03:08:19 DEBUG : 3 go routines active
2025/07/10 03:08:19 NOTICE: Failed to ls: directory not found

or

2025/07/10 15:45:14 NOTICE: Automatically setting -vv as --dump is enabled
2025/07/10 15:45:14 DEBUG : rclone: Version "v1.70.3" starting with parameters ["C:\\Windows\\system32\\rclone.exe" "lsd" "--config=C:\\temp\\rclone-test\\rclone-test.conf" "originals-aoc-1-restricted:" "-vv" "--dump=headers"]
2025/07/10 15:45:14 DEBUG : Creating backend with remote "originals-aoc-1-restricted:"
2025/07/10 15:45:14 DEBUG : Using config file from "C:\\temp\\rclone-test\\rclone-test.conf"
2025/07/10 15:45:14 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and the response may not show Content-Encoding if the go standard libraries auto gzip encoding was in effect. In this case the body of the request will be gunzipped before showing it.
2025/07/10 15:45:14 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and the response may not show Content-Encoding if the go standard libraries auto gzip encoding was in effect. In this case the body of the request will be gunzipped before showing it.
2025/07/10 15:45:14 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2025/07/10 15:45:14 DEBUG : HTTP REQUEST (req 0xc0002feb40)
2025/07/10 15:45:14 DEBUG : GET /?x-id=ListBuckets HTTP/1.1
Host: originals-aoc1-restricted-access-2222222222.s3-accesspoint.us-west-2.amazonaws.com
User-Agent: rclone/v1.70.3
Accept-Encoding: identity
Amz-Sdk-Invocation-Id: 07bc1605-d524-444e-8f5a-65b40911a685
Amz-Sdk-Request: attempt=1; max=10
Authorization: XXXX
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20250710T154514Z
X-Amz-Security-Token: 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

2025/07/10 15:45:14 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2025/07/10 15:45:14 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2025/07/10 15:45:14 DEBUG : HTTP RESPONSE (req 0xc0002feb40)
2025/07/10 15:45:14 DEBUG : HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Thu, 10 Jul 2025 15:45:15 GMT
Server: AmazonS3
X-Amz-Bucket-Region: us-west-2
X-Amz-Id-2: 3i5P6F+wYhSPdhL5g4tlVIvydMqy5DRqh53fR/2y8PELYUwx3M6Ec+MXlR9+70am4atnXQmgvTk=
X-Amz-Request-Id: 59VD8JHJ1FM95A49

2025/07/10 15:45:14 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2025/07/10 15:45:14 DEBUG : 4 go routines active
GET /?x-id=ListBuckets HTTP/1.1
Host: originals-aoc1-full-access-222222222222.s3-accesspoint.us-west-2.amazonaws.com

AWS responds 200 OK, but returns the buckets in the server account (which is not what I need. I need the buckets from 222222222222).

I guess rclone just tries ListBuckets against the access point hostname, which is unsupported by AWS S3 access points.

How to use GitHub

  • Please use the 👍 reaction to show that you are affected by the same issue.
  • Please don't comment if you have no relevant information to add. It's just extra noise for everyone subscribed to this issue.
  • Subscribe to receive notifications on status change and new comments.
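
Added example, not part of the original issue and not rclone code: a small Python check that reads an `rclone --dump headers` log, pairs each request line with its `Host` header, and flags the pattern reported above, where a service-level `ListBuckets` call goes to an access point hostname and the 200 OK answer is therefore not scoped to the target account. It also checks that the account ID embedded in the hostname (`<name>-<account-id>.s3-accesspoint.<region>.amazonaws.com`) has 12 digits. The function names are hypothetical and the sample log is constructed from lines quoted in the report.

```python
import re

# Access point virtual-host layout: <name>-<account-id>.s3-accesspoint.<region>.amazonaws.com
AP_HOST = re.compile(
    r"^(?P<name>[a-z0-9-]+)-(?P<account>\d+)\.s3-accesspoint\."
    r"(?P<region>[a-z0-9-]+)\.amazonaws\.com$"
)
REQ_LINE = re.compile(r"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.1$")

# Constructed sample: request lines and Host headers copied from the log in the report.
SAMPLE_LOG = """\
2025/07/10 15:45:14 DEBUG : GET /?x-id=ListBuckets HTTP/1.1
Host: originals-aoc1-restricted-access-2222222222.s3-accesspoint.us-west-2.amazonaws.com
User-Agent: rclone/v1.70.3
GET /?x-id=ListBuckets HTTP/1.1
Host: originals-aoc1-full-access-222222222222.s3-accesspoint.us-west-2.amazonaws.com
"""

def parse_access_point_host(host):
    """Return (name, account, region) for an access point hostname, else None."""
    m = AP_HOST.match(host.strip().lower())
    return (m["name"], m["account"], m["region"]) if m else None

def audit_dump(log_text):
    """Pair each request line with its Host header and return (name, finding) tuples."""
    findings, target = [], None
    for line in log_text.splitlines():
        req = REQ_LINE.search(line)
        if req:
            target = req["target"]
            continue
        if target is None or not line.lower().startswith("host:"):
            continue
        host = line.split(":", 1)[1].strip()
        parsed = parse_access_point_host(host)
        if parsed:
            name, account, _ = parsed
            if "x-id=ListBuckets" in target:
                # Service-level call: the response is not scoped to the access point.
                findings.append((name, "ListBuckets sent to access point host"))
            if len(account) != 12:
                findings.append((name, f"account id has {len(account)} digits, expected 12"))
        target = None  # one Host header per request
    return findings

if __name__ == "__main__":
    for name, issue in audit_dump(SAMPLE_LOG):
        print(f"{name}: {issue}")
```
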
