How can I troubleshoot the "Could not connect to the endpoint URL" error when I run the sync command on my Amazon S3 bucket?

Last updated: 2020-09-18

I'm trying to run the cp or sync command on my Amazon Simple Storage Service (Amazon S3) bucket. However, I'm getting the "Could not connect to the endpoint URL" error message. How can I troubleshoot this?

Short description

To run the cp or sync commands using the AWS Command Line Interface (AWS CLI), your machine must be able to connect to the correct Amazon S3 endpoints. Otherwise, you get the "Could not connect to the endpoint URL" error message.

To troubleshoot this error, check the following:

  • Confirm that you're using the correct AWS Region and Amazon S3 endpoint. 
  • Verify that your network can connect to those Amazon S3 endpoints.
  • Verify that your DNS can resolve to those Amazon S3 endpoints.
  • If you're seeing this error on an Amazon Elastic Compute Cloud (Amazon EC2) instance, then check the Amazon Virtual Private Cloud (Amazon VPC) configuration.

Resolution

Confirm that you're using the correct AWS Region and Amazon S3 endpoint

When you run a command using the AWS CLI, API requests are sent to the default AWS Region's S3 endpoint, or to a Region-specific S3 endpoint when a Region is specified in the command. Then, the AWS CLI can redirect the request to the bucket's Regional S3 endpoint.

You can get the "Could not connect to the endpoint URL" error if there's a typo or error in the Region or the endpoint associated with the command. 

For example, the following command results in the error because there's an extra "e" in the endpoint name:

aws s3 cp filename s3://DOC-EXAMPLE-BUCKET/ --endpoint-url https://s3-acceleratee.amazonaws.com

Before you run the cp or sync command, be sure to confirm that the associated Region and S3 endpoint are written correctly. 

Note: If you're using Amazon S3 Transfer Acceleration, see Getting started with Amazon S3 Transfer Acceleration for the endpoint name. 

Verify that your network can connect to the S3 endpoints

Confirm that your network's firewall allows traffic to the Amazon S3 endpoints on the port that you're using for Amazon S3 traffic.

For example, the following telnet command tests the connection to the ap-southeast-2 Regional S3 endpoint on port 443: 

Note: Be sure to replace the Regional endpoint and the port (443 or 80) with the values associated with your use case.

telnet s3.ap-southeast-2.amazonaws.com 443

Verify that your DNS can resolve to the S3 endpoints

To confirm that your DNS can resolve to the Amazon S3 endpoints, you can use a DNS query tool like nslookup or ping. The following example uses nslookup:

nslookup s3.amazonaws.com

The following example uses ping to confirm that the DNS resolves to the S3 endpoint:

ping s3.amazonaws.com

If your DNS can't resolve to the S3 endpoints, then you must troubleshoot your DNS configuration. If Amazon Route 53 is your DNS provider, then see Troubleshooting Amazon Route 53.

If you're seeing this error on an EC2 instance, check the VPC configuration

If the EC2 instance is in a public subnet:

If the EC2 instance is in a private subnet:

  • Check if there is a network address translation (NAT) gateway associated with the route table of the subnet. The NAT gateway provisions an internet path to reach the Amazon S3 endpoint.
  • If you're using a VPC endpoint for Amazon S3, then verify that the correct Region is set in the AWS CLI config file. VPC endpoints for Amazon S3 are Region-specific. For example, if the VPC and VPC endpoint are in the us-east-1 Region, and you run a sync command with the parameter --region us-west-1, then the AWS CLI tries to contact https://s3.us-west-1.amazonaws.com. This results in the "Could not connect to the endpoint URL" error.
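
The endpoint and Region checks from this article, followed by a live DNS and connectivity probe, combined into one script. This is an added example, not part of the original article or the AWS CLI: the function names and verdict strings are hypothetical, and the live probe assumes curl is installed.

```shell
#!/bin/sh
# Added example: pre-flight checks for "Could not connect to the endpoint URL".
# Function names and verdict strings are hypothetical, not part of the AWS CLI.

# Host part of an endpoint URL (scheme, port and path stripped).
endpoint_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-zA-Z]*://||' -e 's|[/:].*$||'
}

# Compare an --endpoint-url with the endpoint forms named in the article for
# the Region of the bucket or VPC endpoint. Returns 0 only on a match.
check_endpoint() {
    host=$(endpoint_host "$1")
    region=$2
    case "$host" in
        "s3.$region.amazonaws.com"|s3.amazonaws.com|s3-accelerate.amazonaws.com)
            echo "ok: $host" ;;
        s3.*.amazonaws.com)
            echo "region-mismatch: $host is not in $region"; return 1 ;;
        *)
            echo "unknown-endpoint: $host (possible typo)"; return 1 ;;
    esac
}

# Live probe (needs network and curl): curl's exit code separates a DNS
# failure (6) from a blocked or timed-out connection (7, 28).
probe_endpoint() {
    curl -s -o /dev/null --connect-timeout 5 "https://$1/"
    case $? in
        0)    echo "reachable: $1" ;;
        6)    echo "dns-failure: $1"; return 1 ;;
        7|28) echo "network-blocked: $1"; return 1 ;;
        *)    echo "other-error: $1"; return 1 ;;
    esac
}

# Usage: sh s3-preflight.sh <endpoint-url> <region>
if [ $# -ge 2 ]; then
    check_endpoint "$1" "$2" && probe_endpoint "$(endpoint_host "$1")"
fi
```

A "region-mismatch" verdict corresponds to the VPC endpoint case above, and "unknown-endpoint" to the mistyped endpoint name.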
