How to create pre-signed S3 object URL and access it via VPC endpoint

I have a service that generates a pre-signed URL for S3 objects accessible via the internet.

I am trying to figure out how to generate a similar pre-signed URL while using a VPC endpoint to the bucket/object to limit the traffic to only that endpoint's local network.

How can this be done?

I can access from CLI, but cannot get the pre-signed URL for an object to work (over the VPC endpoint)...

aws s3 --region us-west-2 --endpoint-url https://bucket.vpce-xxxxxxxxx-xxxxxxx.s3.us-west-2.vpce.amazonaws.com ls s3://bucket_name/

The above works, so the VPC endpoint is functioning. How do I need to create the pre-signed URL to utilize it and not the public internet networking?

So, let's say the pre-signed URL is: https://tl-vpc-endpoint-test.s3.us-west-2.amazonaws.com/test1.zip?.....

What does it need to be to utilize the VPC endpoint?



Solution 1:[1]

You can generate your VPC endpoint presigned URL like this:

aws s3 --endpoint-url https://bucket.vpce-xxxxxxxxx-xxxxxxx.s3.us-west-2.vpce.amazonaws.com presign s3://awsexamplebucket/test2.txt

Then you will get something like this:

https://bucket.vpce-xxxxxxxxx-xxxxxxx.s3.us-west-2.vpce.amazonaws.com/awsexamplebucket/test2.txt?.......
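Why the URL has to be signed against the endpoint rather than edited afterwards, as an added example that is not part of the original question or answer: SigV4 presigning signs the Host header, so a URL signed for the public hostname carries a signature that does not match once the hostname is swapped for the VPC endpoint. The credentials and timestamp below are constructed placeholders, the hostnames reuse the placeholders from this page, and `presign_get`, `signature_of` and `compare` are hypothetical helper names.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values; the hosts mirror the placeholders used on this page.
PUBLIC_HOST = "awsexamplebucket.s3.us-west-2.amazonaws.com"
VPCE_HOST = "bucket.vpce-xxxxxxxxx-xxxxxxx.s3.us-west-2.vpce.amazonaws.com"
CREDS = {"access_key": "EXAMPLEACCESSKEYID", "secret_key": "constructed-secret",
         "region": "us-west-2", "amz_date": "20240101T000000Z"}


def presign_get(host, path, access_key, secret_key, region, amz_date, expires=3600):
    """Build a SigV4 query-string presigned GET URL for https://<host><path>."""
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": amz_date,
              "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host"}
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    uri = quote(path, safe="/")
    # The Host header is a signed header, so the hostname is bound into the signature.
    canonical = "\n".join(["GET", uri, query, f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):  # date, region, service, "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{query}&X-Amz-Signature={sig}"


def signature_of(url):
    return url.rsplit("X-Amz-Signature=", 1)[1]


def compare():
    """Return (public URL, URL signed for the endpoint, public URL with host swapped)."""
    public = presign_get(PUBLIC_HOST, "/test2.txt", **CREDS)
    vpce = presign_get(VPCE_HOST, "/awsexamplebucket/test2.txt", **CREDS)
    swapped = public.replace(PUBLIC_HOST + "/", VPCE_HOST + "/awsexamplebucket/", 1)
    return public, vpce, swapped


if __name__ == "__main__":
    public, vpce, swapped = compare()
    print("signed for endpoint:", vpce)
    print("host-swapped URL carries a stale signature:",
          signature_of(swapped) != signature_of(vpce))
```

Signing for the endpoint host only selects the network path for that one URL; the same credentials can still sign a URL for the public hostname unless the bucket policy restricts access with a condition on `aws:SourceVpce`.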

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1