Hi,

We are trying to configure our application to use Amazon S3 as filesystem, and we want to use a specific endpoint.

In our Mendix Console, we have configured in Configuration > Advanced ... :

    com.mendix.core.StorageService : com.mendix.storage.s3
    com.mendix.storage.s3.BucketName : our_filesystem_bucket
    com.mendix.storage.s3.EndPoint : https://bucket.vpce-0e6264dedcf01353d-p7unbmmz.s3.eu-central-1.vpce.amazonaws.com
    com.mendix.storage.s3.SecretAccessKey : our_secret
    com.mendix.storage.s3.AccessKeyId : our_id

At the initialization of the application, we get the following logs:

    ...
    Endpoint set to: https://bucket.vpce-0e6264dedcf01353d-p7unbmmz.s3.eu-central-1.vpce.amazonaws.com
    ...
    Waiting for configured storage service: com.mendix.storage.s3
    Storage service: S3 storage, bucket location: our_filesystem_bucket
    ...

Our S3 user is configured with the following policy:

    {
      "Statement": [
        {
          "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:ListBucket",
            "s3:DeleteObject"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceVpce": [
                "vpce-0e6264dedcf01353d"
              ]
            }
          },
          "Effect": "Allow",
          "Resource": [
            "arn:aws:s3:::our_filesystem_bucket/*",
            "arn:aws:s3:::our_filesystem_bucket"
          ],
          "Sid": "Terraform"
        }
      ],
      "Version": "2012-10-17"
    }

Our Mendix Console is also configured to use a proxy. In other JVM arguments:

    -Dhttps.proxyHost=our-proxy-server -Dhttps.proxyPort=8080 -Dhttp.proxyHost=our-proxy-server -Dhttp.proxyPort=8080

But when we try to upload a file, we get the error:

    Uploading file failed: User: arn:aws:iam::148728400771:user/our_user is not authorized to perform: s3:PutObject on resource: "arn:aws:s3:::our_filesystem_bucket/98b627ae-4370-4d32-9202-5291d0b3e8cc" because no identity-based policy allows the s3:PutObject action (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 9W89NDAHF4PT7ZR0; S3 Extended Request ID: eH4iS+7hYHoQ0uKT5oc5WrjwE09FWQHm3zaNLd0TEruNxdNXbMb6DZBNgrFTaOgOgi2g0P2qdTw=; Proxy: our-proxy-server) [User 'USER' with session id '95ee8b64-XXXX-XXXX-XXXX-XXXXXXXX4437' and roles 'FileTransfer']
    --------
    com.amazonaws.services.s3.model.AmazonS3Exception: User: arn:aws:iam::148728400771:user/our_user is not authorized to perform: s3:PutObject on resource: "arn:aws:s3:::our_filesystem_bucket/98b627ae-4370-4d32-9202-5291d0b3e8cc" because no identity-based policy allows the s3:PutObject action (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 9W89NDAHF4PT7ZR0; S3 Extended Request ID: eH4iS+7hYHoQ0uKT5oc5WrjwE09FWQHm3zaNLd0TEruNxdNXbMb6DZBNgrFTaOgOgi2g0P2qdTw=; Proxy: our-proxy-server)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:697)
        at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:561)
        at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:541)
        at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:5456)
        at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:5403)
        at com.amazonaws.services.s3.AmazonS3Client.access$300(AmazonS3Client.java:421)
        at com.amazonaws.services.s3.AmazonS3Client$PutObjectStrategy.invokeServiceCall(AmazonS3Client.java:6532)
        at com.amazonaws.services.s3.AmazonS3Client.uploadObject(AmazonS3Client.java:1861)
        at com.amazonaws.services.s3.AmazonS3Client.putObject(AmazonS3Client.java:1821)
        at com.amazonaws.services.s3.AmazonS3Client.putObject(AmazonS3Client.java:1753)
        at com.mendix.storage.s3.internal.AmazonS3StorageService.singlePartUpload(AmazonS3StorageService.scala:154)
        at com.mendix.storage.s3.internal.AmazonS3StorageService.$anonfun$doStore$1(AmazonS3StorageService.scala:89)
        at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.scala:18)
        at com.mendix.storage.s3.internal.AmazonS3StorageService.wrapException(AmazonS3StorageService.scala:198)
        at com.mendix.storage.s3.internal.AmazonS3StorageService.doStore(AmazonS3StorageService.scala:84)
        at com.mendix.storage.AbstractStorageService.store(AbstractStorageService.scala:23)
        at com.mendix.storage.AbstractStorageService.store(AbstractStorageService.scala:16)
        at com.mendix.filedocumentprocessor.internal.FileDocumentProcessorImpl.writeContent(FileDocumentProcessorImpl.scala:201)
        at com.mendix.filedocumentprocessor.internal.FileDocumentProcessorImpl.storeFileDocument(FileDocumentProcessorImpl.scala:66)
        at com.mendix.basis.component.FileDocumentCore.storeFileDocumentContent(FileDocumentCore.scala:32)
        at com.mendix.basis.component.FileDocumentCore.storeFileDocumentContent$(FileDocumentCore.scala:27)
        at com.mendix.basis.component.InternalCore.storeFileDocumentContent(InternalCore.scala:24)
        at com.mendix.webui.requesthandling.FileUploadHelper.$anonfun$doUpload$2(FileUploadHelper.scala:149)
        at scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.scala:18)
        at com.mendix.webui.requesthandling.helpers.StateHandling.withState(StateHandling.scala:46)
        at com.mendix.webui.requesthandling.helpers.StateHandling.withState$(StateHandling.scala:43)
        at com.mendix.webui.requesthandling.FileUploadHelper.withState(FileUploadHelper.scala:30)
        at com.mendix.webui.requesthandling.helpers.StateHandling.withState(StateHandling.scala:40)
        at com.mendix.webui.requesthandling.helpers.StateHandling.withState$(StateHandling.scala:33)
        at com.mendix.webui.requesthandling.FileUploadHelper.withState(FileUploadHelper.scala:30)
        at com.mendix.webui.requesthandling.FileUploadHelper.doUpload(FileUploadHelper.scala:126)
        at com.mendix.webui.requesthandling.FileUploadHelper.handleUpload(FileUploadHelper.scala:44)
        at com.mendix.webui.requesthandling.FileRequestHandler.handleRequest(FileRequestHandler.scala:39)
        at com.mendix.webui.requesthandling.FileRequestHandler.processRequest(FileRequestHandler.scala:31)
        at com.mendix.externalinterface.connector.RequestHandler.doProcessRequest(RequestHandler.java:37)
        at com.mendix.external.connector.MxRuntimeConnector.$anonfun$processRequest$1(MxRuntimeConnector.scala:54)
        at com.mendix.external.connector.MxRuntimeConnector.$anonfun$processRequest$1$adapted(MxRuntimeConnector.scala:54)
        at com.mendix.util.classloading.Runner$.withContextClassLoader(Runner.scala:20)
        at com.mendix.external.connector.MxRuntimeConnector.processRequest(MxRuntimeConnector.scala:54)
        at com.mendix.basis.impl.MxRuntimeImpl.processRequest(MxRuntimeImpl.scala:221)
        at com.mendix.m2ee.appcontainer.server.handler.RuntimeServlet.service(RuntimeServlet.scala:40)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
        at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
        at org.eclipse.jetty.websocket.servlet.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:170)
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1570)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1385)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1543)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1307)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
        at org.eclipse.jetty.server.Server.handle(Server.java:563)
        at org.eclipse.jetty.server.HttpChannel.lambda$handle$0(HttpChannel.java:505)
        at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:762)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:497)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:282)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
        at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:416)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:385)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:272)
        at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.lambda$new$0(AdaptiveExecutionStrategy.java:140)
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:936)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1080)
        at java.base/java.lang.Thread.run(Thread.java:829)

For information, we also tried without the restriction condition in the policy, and in that case it worked.

We also used S3 to store other files not linked to the filesystem. In that case, we use the Marketplace modules "AmazonS3Connector" v4.0.1 & "AwsAuthentication" v3.1.2. We have implemented our code to use the same VPC endpoint; we tried to access our bucket, and in that case we can list the content of the bucket, upload, download and delete a file.

For information, we cannot add the PutObjectAcl role because we cannot configure ACLs for our bucket, because we cannot give public access. And when we remove the restriction linked to the endpoint, the Mendix project has access to the bucket.

We think that the problem is that the filesystem of our application doesn't use the endpoint.

Do you know if it is possible to configure logging to see the details of the request sent to Amazon and check that the request is made through the endpoint?

Can you help us? Do you see something missing or not correctly configured?

Thank you,
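
How the policy in the post evaluates for a request that carries the aws:SourceVpce context key and for one that does not, as an added example that is not part of the original post. The evaluator is a simplified model (Allow statements and StringEquals only, no explicit Deny or other policy types), and the request contexts are constructed.

```python
import json

# Identity-based policy copied from the post.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Terraform", "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::our_filesystem_bucket/*",
                 "arn:aws:s3:::our_filesystem_bucket"],
    "Condition": {"StringEquals": {"aws:SourceVpce": ["vpce-0e6264dedcf01353d"]}}
  }]
}""")
OBJECT_ARN = "arn:aws:s3:::our_filesystem_bucket/98b627ae-4370-4d32-9202-5291d0b3e8cc"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _resource_matches(pattern, arn):
    # Simplification: only a trailing "*" wildcard, as used in this policy.
    return arn.startswith(pattern[:-1]) if pattern.endswith("*") else arn == pattern

def _conditions_hold(condition, context):
    assert set(condition) <= {"StringEquals"}, "only StringEquals is modelled"
    # StringEquals needs the key to be present in the request context with
    # one of the listed values; an absent key does not match.
    return all(context.get(key) in _as_list(values)
               for key, values in condition.get("StringEquals", {}).items())

def identity_policy_allows(policy, action, resource, context):
    """True if an Allow statement matches; False means implicit deny."""
    for st in policy["Statement"]:
        if (st["Effect"] == "Allow"
                and action in _as_list(st["Action"])
                and any(_resource_matches(r, resource) for r in _as_list(st["Resource"]))
                and _conditions_hold(st.get("Condition", {}), context)):
            return True
    return False

# Constructed request contexts. aws:SourceVpce is present only when the
# request reaches S3 through a VPC endpoint.
CONTEXTS = {
    "via vpce-0e6264dedcf01353d": {"aws:SourceVpce": "vpce-0e6264dedcf01353d"},
    "not via any VPC endpoint": {},
}

if __name__ == "__main__":
    for label, ctx in CONTEXTS.items():
        allowed = identity_policy_allows(POLICY, "s3:PutObject", OBJECT_ARN, ctx)
        print(f"{label}: {'Allow' if allowed else 'implicit deny (403 AccessDenied)'}")
```

When the condition is not met, no statement allows s3:PutObject, which is the wording of the error in the post; with the Condition block removed, the same request is allowed.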