Sharing S3 on Outposts by using AWS RAM
Amazon S3 on Outposts supports sharing S3 capacity across multiple accounts within an organization by using AWS Resource Access Manager (AWS RAM). With S3 on Outposts sharing, you can allow others to create and manage buckets, endpoints, and access points on your Outpost.
This topic demonstrates how to use AWS RAM to share S3 on Outposts and related resources with another AWS account in your AWS organization.
Prerequisites
- The Outpost owner account has an organization configured in AWS Organizations. For more information, see Creating an organization in the AWS Organizations User Guide.
- The organization includes the AWS account that you want to share your S3 on Outposts capacity with. For more information, see Sending invitations to AWS accounts in the AWS Organizations User Guide.
- Select one of the following options that you want to share. The second resource (either Subnets or Outposts) must be selected so that endpoints are also accessible. Endpoints are a networking requirement in order to access data stored in S3 on Outposts.

Option 1 | Option 2 |
---|---|
S3 on Outposts: Allows the user to create buckets on your Outposts and access points and to add objects to those buckets. | S3 on Outposts: Allows the user to create buckets on your Outposts and access points and to add objects to those buckets. |
Subnets: Allows the user to use your virtual private cloud (VPC) and the endpoints that are associated with your subnet. | Outposts: Allows the user to see S3 capacity charts and the AWS Outposts console home page. Also allows users to create subnets on shared Outposts and create endpoints. |
Procedure
- Sign in to the AWS Management Console by using the AWS account that owns the Outpost, and then open the AWS RAM console at https://console.aws.amazon.com/ram.
- Make sure that you have enabled sharing with AWS Organizations in AWS RAM. For information, see Enable resource sharing within AWS Organizations in the AWS RAM User Guide.
- Use either Option 1 or Option 2 in the prerequisites to create a resource share. If you have multiple S3 on Outposts resources, select the Amazon Resource Names (ARNs) of the resources that you want to share. To enable endpoints, share either your subnet or Outpost.
  For more information about how to create a resource share, see Create a resource share in the AWS RAM User Guide.
- The AWS account that you shared your resources with should now be able to use S3 on Outposts. Depending on the option that you selected in the prerequisites, provide the following information to the account user:

Option 1 | Option 2 |
---|---|
The Outpost ID | The Outpost ID |
The VPC ID | |
The subnet ID | |
The security group ID | |
Note
The user can confirm that the resources have been shared with them by using the AWS RAM console, the AWS Command Line Interface (AWS CLI), AWS SDKs, or REST API. The user can view their existing resource shares by using the get-resource-shares
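The prerequisites require that S3 on Outposts is shared together with either Subnets or Outposts, otherwise the consumer account cannot reach an endpoint. The following added example (not part of the AWS documentation) checks this for each resource share from a listing in the shape of `aws ram list-resources --resource-owner SELF` JSON output. It assumes the RAM resource-type strings `s3-outposts:Outpost`, `ec2:Subnet` and `outposts:Outpost`, evaluates each share on its own, and runs on a constructed sample with placeholder share names and subnet ID.

```python
from collections import defaultdict

# AWS RAM resource-type strings for the three resources named on this page.
S3_CAPACITY, SUBNET, OUTPOST = "s3-outposts:Outpost", "ec2:Subnet", "outposts:Outpost"

# Identifiers the owner passes to the consumer account, per the page's table.
HANDOFF = {
    "option-1": ["Outpost ID", "VPC ID", "subnet ID", "security group ID"],
    "option-2": ["Outpost ID"],
}
HANDOFF["both-options"] = HANDOFF["option-1"]

def classify_shares(listing):
    """Return {resource share ARN: (verdict, identifiers to hand over)}."""
    types_by_share = defaultdict(set)
    for res in listing.get("resources", []):
        types_by_share[res["resourceShareArn"]].add(res["type"])
    report = {}
    for share, types in types_by_share.items():
        if S3_CAPACITY not in types:
            verdict = "no-s3-capacity"      # share is unrelated to S3 on Outposts
        elif SUBNET in types and OUTPOST not in types:
            verdict = "option-1"
        elif OUTPOST in types and SUBNET not in types:
            verdict = "option-2"
        elif SUBNET in types:
            verdict = "both-options"        # broader than either option alone
        else:
            verdict = "no-endpoint-path"    # capacity shared, endpoints unreachable
        report[share] = (verdict, HANDOFF.get(verdict, []))
    return report

def _res(share, rtype, arn):
    # Helper for the constructed sample below.
    base = "arn:aws:ram:us-east-1:111122223333:resource-share/"
    return {"resourceShareArn": base + share, "type": rtype, "arn": arn}

# Constructed sample (only the fields used here); share names and the subnet
# ID are made up, account and Outpost IDs are the page's placeholders.
_OP = "us-east-1:111122223333:outpost/op-01ac5d28a6a232904"
SAMPLE = {"resources": [
    _res("share-a", S3_CAPACITY, "arn:aws:s3-outposts:" + _OP),
    _res("share-a", SUBNET, "arn:aws:ec2:us-east-1:111122223333:subnet/subnet-EXAMPLE"),
    _res("share-b", S3_CAPACITY, "arn:aws:s3-outposts:" + _OP),
    _res("share-b", OUTPOST, "arn:aws:outposts:" + _OP),
    _res("share-c", S3_CAPACITY, "arn:aws:s3-outposts:" + _OP),
]}

if __name__ == "__main__":
    for share, (verdict, handoff) in classify_shares(SAMPLE).items():
        print(share.rsplit("/", 1)[-1], verdict, handoff)
```

A `no-endpoint-path` verdict corresponds to the case where the consumer can create buckets but has no shared endpoint to reach them. A `both-options` verdict is worth reviewing because sharing the Outpost also lets the consumer create subnets and endpoints.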
Usage examples
After you have shared your S3 on Outposts resources with another account, that account can manage buckets and objects on your Outpost. If you shared the Subnets resource, then that account can use the endpoint that you created. The following examples demonstrate how a user can use the AWS CLI to interact with your Outpost after you share these resources.
Example: Create a bucket
The following example creates a bucket named amzn-s3-demo-bucket1 on the Outpost op-01ac5d28a6a232904. Before using this command, replace each user input placeholder with the appropriate values for your use case.
aws s3control create-bucket --bucket amzn-s3-demo-bucket1 --outpost-id op-01ac5d28a6a232904
For more information about this command, see create-bucket
Example: Create an access point
The following example creates an access point on an Outpost by using the example parameters in the following table. Before using this command, replace these user input placeholder values and the AWS Region code with the appropriate values for your use case.
Parameter | Value |
---|---|
Account ID | 111122223333 |
Access point name | example-outpost-access-point |
Outpost ID | op-01ac5d28a6a232904 |
Outpost bucket name | amzn-s3-demo-bucket1 |
VPC ID | vpc-1a2b3c4d5e6f7g8h9 |
Note
The Account ID parameter must be the AWS account ID of the bucket owner, which is the shared user.
aws s3control create-access-point --account-id 111122223333 --name example-outpost-access-point \
  --bucket arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904/bucket/amzn-s3-demo-bucket1 \
  --vpc-configuration VpcId=vpc-1a2b3c4d5e6f7g8h9
For more information about this command, see create-access-point
Example: Upload an object
The following example uploads the file my_image.jpg from the user's local file system to an object named images/my_image.jpg through the access point example-outpost-access-point on the Outpost op-01ac5d28a6a232904, owned by the AWS account 111122223333. Before using this command, replace these user input placeholder values and the AWS Region code with the appropriate values for your use case.
aws s3api put-object --bucket arn:aws:s3-outposts:us-east-1:111122223333:outpost/op-01ac5d28a6a232904/accesspoint/example-outpost-access-point \
  --body my_image.jpg --key images/my_image.jpg
For more information about this command, see put-object
Note
If this operation results in a Resource not found error or is unresponsive, your VPC might not have a shared endpoint. To check whether there is a shared endpoint, use the list-shared-endpoints
Example: Create an endpoint
The following example creates an endpoint on a shared Outpost. Before using this command, replace the user input placeholder values for the Outpost ID, subnet ID, and security group ID with the appropriate values for your use case.
Note
The user can perform this operation only if the resource share includes the Outposts resource.
aws s3outposts create-endpoint --outpost-id op-01ac5d28a6a232904 --subnet-id XXXXXX --security-group-id XXXXXXX
For more information about this command, see create-endpoint