Why can't I see my VPC endpoint service in the verified services list when I'm creating an interface VPC endpoint?

Last updated: 2022-04-08

I’m using Amazon Virtual Private Cloud (Amazon VPC) to create an interface VPC endpoint. However, I can't find the VPC endpoint service in the verified services section of the VPC endpoint services console from other accounts. How can I resolve this?

Short description

Service consumers can connect to your AWS PrivateLink-powered services (VPC endpoint services) from another VPC using an interface VPC endpoint. Service consumers are AWS Identity and Access Management (IAM) principals: IAM users, IAM roles, or AWS accounts.

If you can't find the endpoint service when creating the interface VPC endpoint, make sure that the service endpoint provider account lists the service consumer account or user ARN under Allowed principals.

ARNs appear in the following formats:

  • An AWS account (and all principals in the account): arn:aws:iam::aws-account-id:root.
  • A specific IAM user: arn:aws:iam::aws-account-id:user/user-name.
  • A specific IAM role: arn:aws:iam::aws-account-id:role/role-name.

Resolution

  1. Open Endpoint services in the VPC console.
  2. Choose the endpoint service.
  3. Select Actions, Allow principals.
  4. Verify that you can see the service consumer's ARN in Allowed principals. If the service consumer's ARN isn't listed, then select Allow principal.
  5. Enter the ARN of the service consumer account as arn:aws:iam::consumer_account_number:root in the ARN field, and then select Allow principals.
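The console steps above can also be checked and applied from the AWS CLI. The following Python helper is an added example, not code from the article or from AWS: it validates a consumer principal ARN against the three formats listed above, decides whether that principal is already covered by a service's Allowed principals list (an account `:root` entry covers every user and role in that account, which is why granting it is the broadest of the three options), and builds the `aws ec2 modify-vpc-endpoint-service-permissions` command that performs step 5. The `AllowedPrincipals` input is assumed to have the shape returned by `aws ec2 describe-vpc-endpoint-service-permissions`; the account IDs, role names, and service ID in the sample data are constructed.

```python
import re

# Accepted principal ARN formats (account root, IAM user, IAM role),
# as listed in the article. Paths in user/role names are allowed.
_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws|aws-cn|aws-us-gov):iam::(?P<account>\d{12}):"
    r"(?P<resource>root|user/[\w+=,.@/-]+|role/[\w+=,.@/-]+)$"
)


def parse_principal_arn(arn):
    """Return (partition, account_id, kind, name); kind is 'account', 'user' or 'role'."""
    m = _ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not a supported IAM principal ARN: {arn!r}")
    resource = m.group("resource")
    if resource == "root":
        return m.group("partition"), m.group("account"), "account", None
    kind, name = resource.split("/", 1)
    return m.group("partition"), m.group("account"), kind, name


def is_principal_allowed(consumer_arn, allowed_principals):
    """True if consumer_arn can discover and connect to the endpoint service.

    allowed_principals: list of dicts like the AllowedPrincipals items returned
    by `aws ec2 describe-vpc-endpoint-service-permissions` (assumed shape).
    """
    partition, account, kind, name = parse_principal_arn(consumer_arn)
    for entry in allowed_principals:
        principal = entry.get("Principal", "")
        if principal == "*":
            return True  # service is open to all AWS principals
        try:
            p_part, p_acct, p_kind, p_name = parse_principal_arn(principal)
        except ValueError:
            continue  # other principal types are outside this check
        if p_part != partition or p_acct != account:
            continue
        if p_kind == "account":
            return True  # account root covers every principal in the account
        if p_kind == kind and p_name == name:
            return True
    return False


def allow_principal_command(service_id, consumer_arn):
    """Build the CLI command equivalent to step 5 (fails fast on a bad ARN)."""
    parse_principal_arn(consumer_arn)
    return (
        "aws ec2 modify-vpc-endpoint-service-permissions "
        f"--service-id {service_id} "
        f"--add-allowed-principals {consumer_arn}"
    )


if __name__ == "__main__":
    # Constructed sample: what the provider account has already allowed.
    allowed = [
        {"PrincipalType": "Account", "Principal": "arn:aws:iam::111122223333:root"},
        {"PrincipalType": "Role", "Principal": "arn:aws:iam::444455556666:role/Deploy"},
    ]
    consumer = "arn:aws:iam::444455556666:user/bob"  # constructed consumer
    if not is_principal_allowed(consumer, allowed):
        # vpce-svc-0123456789abcdef0 is a placeholder service ID
        print(allow_principal_command("vpce-svc-0123456789abcdef0", consumer))
```

Run it with no arguments to see the command it would produce for the unlisted sample consumer; grant the narrower user or role ARN rather than the account root when only one principal needs to connect.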

For more information, see Add or remove permissions for your endpoint service.