How can I troubleshoot the "Could not connect to the endpoint URL" error when I run the sync command on my Amazon S3 bucket?
Last updated: 2020-09-18
I'm trying to run the cp or sync command on my Amazon Simple Storage Service (Amazon S3) bucket. However, I'm getting the "Could not connect to the endpoint URL" error message. How can I troubleshoot this?
To run the cp or sync commands using the AWS Command Line Interface (AWS CLI), your machine must be able to connect to the correct Amazon S3 endpoints. Otherwise, you get the "Could not connect to the endpoint URL" error message.
To troubleshoot this error, check the following:
- Confirm that you're using the correct AWS Region and Amazon S3 endpoint.
- Verify that your network can connect to those Amazon S3 endpoints.
- Verify that your DNS can resolve to those Amazon S3 endpoints.
- If you're seeing this error on an Amazon Elastic Compute Cloud (Amazon EC2) instance, then check the Amazon Virtual Private Cloud (Amazon VPC) configuration.
Confirm that you're using the correct AWS Region and Amazon S3 endpoint
When you run a command using the AWS CLI, API requests are sent to the S3 endpoint of the default AWS Region, or to a Region-specific S3 endpoint when a Region is specified in the command. The AWS CLI can then redirect the request to the bucket's Regional S3 endpoint.
You can get the "Could not connect to the endpoint URL" error if there's a typo or error in the Region or the endpoint associated with the command.
For example, the following command results in the error because there's an extra "e" in the endpoint name:
aws s3 cp filename s3://DOC-EXAMPLE-BUCKET/ --endpoint-url https://s3-acceleratee.amazonaws.com
Note: If you're using Amazon S3 Transfer Acceleration, see Getting started with Amazon S3 Transfer Acceleration for the endpoint name.
Verify that your network can connect to the S3 endpoints
Confirm that your network's firewall allows traffic to the Amazon S3 endpoints on the port that you're using for Amazon S3 traffic.
For example, the following telnet command tests the connection to the ap-southeast-2 Regional S3 endpoint on port 443:
Note: Be sure to replace the Regional endpoint and the port (443 or 80) with the values associated with your use case.
telnet s3.ap-southeast-2.amazonaws.com 443
Verify that your DNS can resolve to the S3 endpoints
To confirm that your DNS can resolve to the Amazon S3 endpoints, you can use a DNS query tool like nslookup or ping. The following example uses nslookup:
The following example uses ping to confirm that the DNS resolves to the S3 endpoint:
If your DNS can't resolve to the S3 endpoints, then you must troubleshoot your DNS configuration. If Amazon Route 53 is your DNS provider, then see Troubleshooting Amazon Route 53.
If you're seeing this error on an EC2 instance, check the VPC configuration
If the EC2 instance is in a public subnet:
- Check the network access control list (ACL) of the Amazon VPC that your instance is in. In the network ACL, check the outbound rule for port 443. If the outbound rule is DENY, then change it to ALLOW.
- If the network ACL allows access only to the Amazon S3 IP address ranges of a specific Region, then be sure that the default Region set in the AWS CLI config file is that same Region.
If the EC2 instance is in a private subnet:
- Check whether a network address translation (NAT) gateway is associated with the route table of the subnet. The NAT gateway provides the path to the internet that the instance needs to reach the Amazon S3 endpoint.
- If you're using a VPC endpoint for Amazon S3, then verify that the correct Region is set in the AWS CLI config file. VPC endpoints for Amazon S3 are Region-specific. For example, if the VPC and VPC endpoint are in the us-east-1 Region, and you run a sync command with the parameter --region us-west-1, then the AWS CLI tries to contact https://s3.us-west-1.amazonaws.com. This results in the "Could not connect to the endpoint URL" error.
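The checks above, folded into one script as an added example (this is not AWS code): it flags an endpoint hostname that matches no known S3 pattern (the extra "e" case), a mismatch between the endpoint's Region and the configured Region or the VPC endpoint's Region, and then performs the DNS and TCP checks that nslookup and telnet show. The set of recognised hostname patterns and the function names are assumptions.

```python
"""Pre-flight check for the S3 endpoint an AWS CLI command will use (added example, not AWS code)."""
import re
import socket
from urllib.parse import urlparse

# Assumed subset of public S3 hostnames: regional (s3.<r>, legacy s3-<r>, dualstack), accelerate, legacy global.
REGION = r"(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d)"
HOST_PATTERNS = [
    re.compile(rf"^s3(?:\.dualstack)?[.-]{REGION}\.amazonaws\.com$"),
    re.compile(r"^s3-accelerate(?:\.dualstack)?\.amazonaws\.com$"),
    re.compile(r"^s3\.amazonaws\.com$"),
]

def parse_s3_endpoint(url):
    """Return host/Region info for a recognised S3 endpoint URL, or None when the host matches nothing."""
    labels = (urlparse(url).hostname or "").lower().split(".")
    for i in range(len(labels)):  # strip virtual-hosted bucket labels until a service host matches
        candidate = ".".join(labels[i:])
        for pat in HOST_PATTERNS:
            m = pat.match(candidate)
            if m:
                region = m.groupdict().get("region") or ("us-east-1" if candidate == "s3.amazonaws.com" else None)
                return {"host": ".".join(labels), "region": region, "accelerate": candidate.startswith("s3-accelerate")}
    return None

def diagnose(endpoint_url, cli_region, vpc_endpoint_region=None):
    """Static checks: endpoint typo, endpoint/CLI Region mismatch, endpoint/VPC-endpoint Region mismatch."""
    # Without --endpoint-url the CLI derives the Regional endpoint itself (the --region us-west-1 case).
    url = endpoint_url or f"https://s3.{cli_region}.amazonaws.com"
    info = parse_s3_endpoint(url)
    if info is None:
        return [f"host '{urlparse(url).hostname}' matches no S3 endpoint pattern; check it for a typo"]
    findings = []
    if info["region"] and info["region"] != cli_region:
        findings.append(f"endpoint Region {info['region']} differs from the configured Region {cli_region}")
    if vpc_endpoint_region and info["region"] != vpc_endpoint_region:
        findings.append(f"VPC endpoint is in {vpc_endpoint_region} but the request targets "
                        f"{info['region'] or 'the global accelerate endpoint'}; unreachable without a NAT path")
    return findings

def network_check(host, port=443, timeout=3.0):
    """Live checks: DNS resolution (what nslookup shows), then a TCP connect (what telnet shows)."""
    try:
        ip = socket.gethostbyname(host)
        with socket.create_connection((ip, port), timeout=timeout):
            return {"dns": ip, "tcp": True, "error": None}
    except socket.gaierror as exc:
        return {"dns": None, "tcp": False, "error": f"DNS lookup failed for {host}: {exc}"}
    except OSError as exc:
        return {"dns": ip, "tcp": False, "error": f"TCP connect to {host}:{port} failed: {exc}"}
```

Run diagnose() with the same --endpoint-url and --region values you pass to the CLI, and network_check() on the returned host from the machine that gets the error.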