Sharing S3 on Outposts by using AWS RAM - Amazon S3 on Outposts

Sharing S3 on Outposts by using AWS RAM

Amazon S3 on Outposts supports sharing S3 capacity across multiple accounts within an organization by using AWS Resource Access Manager (AWS RAM). With S3 on Outposts sharing, you can allow others to create and manage buckets, endpoints, and access points on your Outpost.

This topic demonstrates how to use AWS RAM to share S3 on Outposts and related resources with another AWS account in your AWS organization.

Prerequisites

  • The Outpost owner account has an organization configured in AWS Organizations. For more information, see Creating an organization in the AWS Organizations User Guide.

  • The organization includes the AWS account that you want to share your S3 on Outposts capacity with. For more information, see Sending invitations to AWS accounts in the AWS Organizations User Guide.

  • Select one of the following options that you want to share. The second resource (either Subnets or Outposts) must be selected so that endpoints are also accessible. Endpoints are a networking requirement in order to access data stored in S3 on Outposts.

    Option 1 Option 2

    S3 on Outposts

    Allows the user to create buckets on your Outposts and access points and to add objects to those buckets.

    Subnets

    Allows the user to use your virtual private cloud (VPC) and the endpoints that are associated with your subnet.

    S3 on Outposts

    Allows the user to create buckets on your Outposts and access points and to add objects to those buckets.

    Outposts

    Allows the user to see S3 capacity charts and the AWS Outposts console home page. Also allows users to create subnets on shared Outposts and create endpoints.

Procedure

  1. Sign in to the AWS Management Console by using the AWS account that owns the Outpost, and then open the AWS RAM console at https://console.aws.amazon.com/ram.

  2. Make sure that you have enabled sharing with AWS Organizations in AWS RAM. For information, see Enable resource sharing within AWS Organizations in the AWS RAM User Guide.

  3. Use either Option 1 or Option 2 in the prerequisites to create a resource share. If you have multiple S3 on Outposts resources, select the Amazon Resource Names (ARNs) of the resources that you want to share. To enable endpoints, share either your subnet or Outpost.

    For more information about how to create a resource share, see Create a resource share in the AWS RAM User Guide.

  4. The AWS account that you shared your resources with should now be able to use S3 on Outposts. Depending on the option that you selected in the prerequisites, provide the following information to the account user:

    Option 1 Option 2

    The Outpost ID

    The VPC ID

    The subnet ID

    The security group ID

    The Outpost ID

Note

The user can confirm that the resources have been shared with them by using the AWS RAM console, the AWS Command Line Interface (AWS CLI), AWS SDKs, or REST API. The user can view their existing resource shares by using the get-resource-shares CLI command.

Usage examples

After you have shared your S3 on Outposts resources with another account, that account can manage buckets and objects on your Outpost. If you shared the Subnets resource, then that account can use the endpoint that you created. The following examples demonstrate how a user can use the AWS CLI to interact with your Outpost after you share these resources.

Example : Create a bucket

The following example creates a bucket named amzn-s3-demo-bucket1 on the Outpost op-01ac5d28a6a232904. Before using this command, replace each user input placeholder with the appropriate values for your use case.

aws s3control create-bucket --bucket amzn-s3-demo-bucket1 --outpost-id op-01ac5d28a6a232904

For more information about this command, see create-bucket in the AWS CLI Reference.

Example : Create an access point

The following example creates an access point on an Outpost by using the example parameters in the following table. Before using this command, replace these user input placeholder values and the AWS Region code with the appropriate values for your use case.

Parameter Value
Account ID 111122223333
Access point name example-outpost-access-point
Outpost ID op-01ac5d28a6a232904
Outpost bucket name amzn-s3-demo-bucket1
VPC ID vpc-1a2b3c4d5e6f7g8h9
Note

The Account ID parameter must be the AWS account ID of the bucket owner, which is the shared user.

aws s3control create-access-point --account-id 111122223333 --name example-outpost-access-point \ --bucket arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904/bucket/amzn-s3-demo-bucket1 \ --vpc-configuration VpcId=vpc-1a2b3c4d5e6f7g8h9

For more information about this command, see create-access-point in the AWS CLI Reference.

Example : Upload an object

The following example uploads the file my_image.jpg from the user's local file system to an object named images/my_image.jpg through the access point example-outpost-access-point on the Outpost op-01ac5d28a6a232904, owned by the AWS account 111122223333. Before using this command, replace these user input placeholder values and the AWS Region code with the appropriate values for your use case.

aws s3api put-object --bucket arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904/accesspoint/example-outpost-access-point \ --body my_image.jpg --key images/my_image.jpg

For more information about this command, see put-object in the AWS CLI Reference.

Note

If this operation results in a Resource not found error or is unresponsive, your VPC might not have a shared endpoint.

To check whether there is a shared endpoint, use the list-shared-endpoints AWS CLI command. If there is no shared endpoint, work with the Outpost owner to create one. For more information, see ListSharedEndpoints in the Amazon Simple Storage Service API Reference.

Example : Create an endpoint

The following example creates an endpoint on a shared Outpost. Before using this command, replace the user input placeholder values for the Outpost ID, subnet ID, and security group ID with the appropriate values for your use case.

Note

The user can perform this operation only if the resource share includes the Outposts resource.

aws s3outposts create-endpoint --outposts-id op-01ac5d28a6a232904 --subnet-id XXXXXX --security-group-id XXXXXXX

For more information about this command, see create-endpoint in the AWS CLI Reference.