Skip to content

docs: Example policy for VPC endpoint needs Allow statement; S3 endpoint should be type 'Gateway' #1197

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

docs: Example policy for VPC endpoint needs Allow statement; S3 endpoint should be type 'Gateway' #1197

wants to merge 1 commit into from

Conversation

alexmbird
Copy link

Description

I've been troubleshooting a problem with an EKS cluster running in a VPC created by terraform-aws-vpc. Most of my setup was cribbed from your complete example. Attempts to pull images from ECR in the same region were consistently denied while those in other regions worked fine.

AWS Support managed to identify the problem. It was that ECR endpoints created using the generic_endpoint_policy from the example lack any Allow statement to permit access. Allow statements aren't implicit in IAM policies so this defaulted to denying all requests.

Calls to ECR in the same region therefore failed. Ones to ECR in other regions went out via my NAT gateway instead of using the local endpoint, so confusingly they still worked fine.

The PR fixes the issue by adding the missing Allow statement. AWS support have also advised me S3 endpoints should typically be set as type Gateway, so I've modified the example to do this too.

Motivation and Context

It solves the problem of ECR images failing to pull via VPC endpoints created following the example bundled with terraform-aws-vpc.

Breaking Changes

No

How Has This Been Tested?

Please describe how you tested your changes

  • Running on my own environment
  • I have executed pre-commit run -a on my pull request

@alexmbird alexmbird changed the title Example policy for VPC endpoint needs Allow statement; S3 endpoint should be type 'Gateway' docs: Example policy for VPC endpoint needs Allow statement; S3 endpoint should be type 'Gateway' Jun 9, 2025
@github-actions GitHub Actions
Copy link

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions bot added the stale label Jul 10, 2025
@fintrac-alex-hewson
Copy link

Definitely not stale. @antonbabenko could you or another maintainer take a look?

@github-actions github-actions bot removed the stale label Jul 11, 2025
longwave
longwave reviewed Aug 7, 2025
View reviewed changes
examples/complete/main.tf
private_dns_only_for_inbound_resolver_endpoint = false
}
tags = { Name = "s3-vpc-endpoint" }
type = "Gateway"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found this PR when trying to figure out how to set an S3 gateway endpoint, but I think the option key here is service_type, not type:

Suggested change
type = "Gateway"
service_type = "Gateway"

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This actually fixed my problem and unblocked me.. and worked!

I had tried endpoint_type and vpc_endpoint_type to no avail, really appreciate your comment here!

@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 7, 2025

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions bot added stale and removed stale labels Sep 7, 2025
@github-actions GitHub Actions
Copy link

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions bot added the stale label Oct 12, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@longwave longwave longwave left review comments

@marwave64 marwave64 marwave64 left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@alexmbird @fintrac-alex-hewson @longwave @marwave64