
aws secretsmanager get-secret-value --secret-id ${secretId} --profile ${customProfile}
The above fails without the --region option, but the below works without the region option:

aws s3api get-bucket-encryption --bucket ${s3Bucket} --profile ${customProfile}

Wondering what would be the explanation for the above. One plausible explanation is that the failure is because S3 bucket names are globally unique and didn’t need more specificity of region.

2 Answers


  1. S3 bucket names are globally unique, secret names are not.

    If you look at the ARN of a secret, you’ll see it includes the account ID and region, which makes the ARN globally unique.

    The ARN of an S3 bucket only includes the prefix arn:aws:s3 and the bucket name.

  2. S3 bucket names are globally unique. S3 buckets are, however, regional resources.

    When your client makes an API request to the S3 service, regardless of which region your API request hits (as long as it’s in the same AWS partition), the S3 service redirects your client to the relevant region-specific endpoint for the bucket. S3 does this by responding to the original request with an HTTP 301 redirect to the correct regional endpoint.

    If your requests to a specific bucket happen in the first 24 hours of the bucket’s existence then those HTTP redirects might actually be 307 temporary redirects.

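The ARN difference described in the first answer, as an added example that is not part of the original question or answers: it parses ARNs and shows that one secret name can resolve to several region-scoped resources while a bucket name resolves to a single ARN with no region. The account ID, secret name, suffixes and bucket name are constructed placeholders, and `scopes_for_name` is a hypothetical helper.

```python
from typing import NamedTuple


class Arn(NamedTuple):
    partition: str
    service: str
    region: str      # empty when the ARN carries no region (S3 buckets)
    account_id: str  # empty when the ARN carries no account (S3 buckets)
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split arn:partition:service:region:account-id:resource into fields."""
    parts = arn.split(":", 5)  # the resource part may itself contain ':'
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def scopes_for_name(service: str, name: str, arns: list) -> list:
    """Return the sorted (region, account_id) pairs under which `name` exists."""
    found = set()
    for raw in arns:
        arn = parse_arn(raw)
        if arn.service != service:
            continue
        resource = arn.resource
        if service == "secretsmanager":
            # Resource looks like secret:<name>-<6 random characters>
            resource = resource.partition(":")[2].rsplit("-", 1)[0]
        if resource == name:
            found.add((arn.region, arn.account_id))
    return sorted(found)


# Constructed sample ARNs (placeholder account ID, names and suffixes).
SAMPLES = [
    "arn:aws:secretsmanager:us-east-1:111122223333:secret:app/db-password-AbCdEf",
    "arn:aws:secretsmanager:eu-west-1:111122223333:secret:app/db-password-GhIjKl",
    "arn:aws:s3:::example-bucket",
]

if __name__ == "__main__":
    # Two regions hold a secret with this name, so the name alone is ambiguous.
    print(scopes_for_name("secretsmanager", "app/db-password", SAMPLES))
    # The bucket ARN has empty region and account fields.
    print(scopes_for_name("s3", "example-bucket", SAMPLES))
```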