Rclone cannot list or access files via S3 Access Point (cross-account), but AWS CLI works

What is the problem you are having with rclone?

rclone cannot list or access files via an S3 Access Point (cross-account). The same operation works with AWS CLI using the same credentials and Access Point ARN. The Access Point policy allows all required actions. rclone always returns "directory not found" even though files exist and are accessible via AWS CLI.

Run the command 'rclone version' and share the full output of the command.

rclone v1.69.0

  • os/version: Microsoft Windows Server 2022 Datacenter 21H2 21H2 (64 bit)
  • os/kernel: 10.0.20348.3091 (x86_64)
  • os/type: windows
  • os/arch: amd64
  • go/version: go1.23.4
  • go/linking: static
  • go/tags: cmount

Which cloud storage system are you using? (eg Google Drive)

Amazon S3 (via S3 Access Point, cross-account)

The command you were trying to run (eg rclone copy /tmp remote:tmp)

rclone ls originals-aoc-1-restricted:PROJECT_DELETE/ --config="C:\temp\rclone-test\rclone-test.conf" -vv

Please run 'rclone config redacted' and share the full output. If you get command not found, please make sure to update rclone.

[originals-aoc-1-restricted]
type = s3
provider = AWS
env_auth = true
region = us-west-2
endpoint = https://originals-aoc1-restricted-access-111111111111.s3-accesspoint.us-west-2.amazonaws.com
location_constraint = us-west-2
server_side_encryption = AES256
storage_class = STANDARD

A log from the command that you were trying to run with the -vv flag

2025/07/10 03:08:19 DEBUG : rclone: Version "v1.69.0" starting with parameters ["C:\\Windows\\system32\\rclone.exe" "ls" "originals-aoc-1-restricted:PROJECT_DELETE/" "--config=C:\\temp\\rclone-test\\rclone-test.conf" "-vv"]
2025/07/10 03:08:19 DEBUG : Creating backend with remote "originals-aoc-1-restricted:PROJECT_DELETE/"
2025/07/10 03:08:19 DEBUG : Using config file from "C:\\temp\\rclone-test\\rclone-test.conf"
2025/07/10 03:08:19 DEBUG : fs cache: renaming cache item "originals-aoc-1-restricted:PROJECT_DELETE/" to be canonical "originals-aoc-1-restricted:PROJECT_DELETE"
2025/07/10 03:08:19 DEBUG : 3 go routines active
2025/07/10 03:08:19 NOTICE: Failed to ls: directory not found

Please try with the latest rclone first.

I updated the version and the issue persists.

rclone v1.70.3
- os/version: Microsoft Windows Server 2022 Datacenter 21H2 21H2 (64 bit)
- os/kernel: 10.0.20348.3091 (x86_64)
- os/type: windows
- os/arch: amd64
- go/version: go1.24.4
- go/linking: static
- go/tags: cmount

My config:

[originals-aoc-1-restricted]
type = s3
provider = AWS
env_auth = true
region = us-west-2
endpoint = https://originals-aoc1-restricted-access-111111111111.s3-accesspoint.us-west-2.amazonaws.com
no_check_bucket = true
no_head = true
server_side_encryption = AES256
storage_class = STANDARD

Command used:

rclone ls --config="C:\temp\rclone-test\rclone-test.conf" originals-aoc-1-restricted:Experimental/

Result:

2025/07/10 14:45:34 DEBUG : rclone: Version "v1.70.3" starting with parameters ["C:\\Windows\\system32\\rclone.exe" "ls" "--config=C:\\temp\\rclone-test\\rclone-test.conf" "originals-aoc-1-restricted:Experimental/" "-vvv"]
2025/07/10 14:45:34 DEBUG : Creating backend with remote "originals-aoc-1-restricted:Experimental/"
2025/07/10 14:45:34 DEBUG : Using config file from "C:\\temp\\rclone-test\\rclone-test.conf"
2025/07/10 14:45:34 DEBUG : fs cache: renaming cache item "originals-aoc-1-restricted:Experimental/" to be canonical "originals-aoc-1-restricted:Experimental"
2025/07/10 14:45:34 DEBUG : 4 go routines active
2025/07/10 14:45:34 NOTICE: Failed to ls: directory not found

AWS CLI with the same credentials and access point lists all objects and folders as expected, so I think it's not a cross-account permission issue:

aws s3api list-objects-v2 --bucket arn:aws:s3:us-west-2:574373290413:accesspoint/originals-aoc1-restricted-access --prefix Experimental/

Result:

{
    "Contents": [
        {
            "Key": "Experimental/",
            "StorageClass": "STANDARD"
        },
        {
            "Key": "Experimental/Test/",
            "StorageClass": "STANDARD"
        },
        {
            "Key": "Experimental/Test/25fps-selected/",
            "StorageClass": "STANDARD"
        },
        {
            "Key": "Experimental/Test/25fps-selected/Hulu_AHO_ProductionTAG_25_1.85_3996x2160.mov",
            "StorageClass": "INTELLIGENT_TIERING"
        },

I have tried with and without trailing slashes, with no_check_bucket and no_head, and verified that the endpoint and credentials are correct.
I think rclone should list the same objects and folders as AWS CLI when using an S3 Access Point, but it always returns “directory not found”, even though the objects exist and are visible via AWS CLI.

for a deeper look, use --dump flags.

rclone lsd originals-aoc-1-restricted: -vv --dump=headers

Command used:

rclone lsd --config="C:\temp\rclone-test\rclone-test.conf" originals-aoc-1-restricted: -vv --dump=headers

Result:

2025/07/10 15:45:14 NOTICE: Automatically setting -vv as --dump is enabled
2025/07/10 15:45:14 DEBUG : rclone: Version "v1.70.3" starting with parameters ["C:\\Windows\\system32\\rclone.exe" "lsd" "--config=C:\\temp\\rclone-test\\rclone-test.conf" "originals-aoc-1-restricted:" "-vv" "--dump=headers"]
2025/07/10 15:45:14 DEBUG : Creating backend with remote "originals-aoc-1-restricted:"
2025/07/10 15:45:14 DEBUG : Using config file from "C:\\temp\\rclone-test\\rclone-test.conf"
2025/07/10 15:45:14 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and the response may not show Content-Encoding if the go standard libraries auto gzip encoding was in effect. In this case the body of the request will be gunzipped before showing it.
2025/07/10 15:45:14 DEBUG : You have specified to dump information. Please be noted that the Accept-Encoding as shown may not be correct in the request and the response may not show Content-Encoding if the go standard libraries auto gzip encoding was in effect. In this case the body of the request will be gunzipped before showing it.
2025/07/10 15:45:14 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2025/07/10 15:45:14 DEBUG : HTTP REQUEST (req 0xc0002feb40)
2025/07/10 15:45:14 DEBUG : GET /?x-id=ListBuckets HTTP/1.1
Host: originals-aoc1-restricted-access-574373290413.s3-accesspoint.us-west-2.amazonaws.com
User-Agent: rclone/v1.70.3
Accept-Encoding: identity
Amz-Sdk-Invocation-Id: 07bc1605-d524-444e-8f5a-65b40911a685
Amz-Sdk-Request: attempt=1; max=10
Authorization: XXXX
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20250710T154514Z
X-Amz-Security-Token: XXXX

2025/07/10 15:45:14 DEBUG : >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2025/07/10 15:45:14 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2025/07/10 15:45:14 DEBUG : HTTP RESPONSE (req 0xc0002feb40)
2025/07/10 15:45:14 DEBUG : HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Thu, 10 Jul 2025 15:45:15 GMT
Server: AmazonS3
X-Amz-Bucket-Region: us-west-2
X-Amz-Id-2: 3i5P6F+wYhSPdhL5g4tlVIvydMqy5DRqh53fR/2y8PELYUwx3M6Ec+MXlR9+70am4atnXQmgvTk=
X-Amz-Request-Id: 59VD8JHJ1FM95A49

2025/07/10 15:45:14 DEBUG : <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
2025/07/10 15:45:14 DEBUG : 4 go routines active

I had already seen that problem from him but his error is an authorization error because he was missing the env_auth = true. I already have that set.

yeah, that is what i thought as well. just hoping it might have a hint to help you.

I tried again.

Config:

[originals-aoc-1-full]
type = s3
provider = AWS
env_auth = true
region = us-west-2
location_constraint = us-west-2
endpoint = https://originals-aoc1-full-access-574373290413.s3-accesspoint.us-west-2.amazonaws.com
s3_use_arn_region = true
s3_force_path_style = false
server_side_encryption = AES256
storage_class = STANDARD

Command:

rclone lsd originals-aoc-1-full: --config "C:\Program Files\rclone\rclone.conf" -vv --dump headers

Result:

GET /?x-id=ListBuckets HTTP/1.1
Host: originals-aoc1-full-access-574373290413.s3-accesspoint.us-west-2.amazonaws.com

AWS responds 200 OK, but returns the buckets in the server account (which is not what I need. I need the buckets from 574373290413).

Rclone should do:

GET /?list-type=2
Host: originals-aoc1-full-access-574373290413.s3-accesspoint.us-west-2.amazonaws.com

and sign the request using the ARN as the bucket:

arn:aws:s3:us-west-2:574373290413:accesspoint/originals-aoc1-full-access

I guess rclone just tries ListBuckets against the access point hostname, which is unsupported by AWS S3 access points.
Access points require:

  • Using the ARN in the signed request
  • Or using the access point DNS + path requests like GET /?list-type=2

open a new issue at github and post the link here
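
To check a `--dump headers` log for the request pattern described in the last report (ListBuckets sent to an access point hostname instead of a `list-type=2` listing), the following added example, which is not code from the thread or from rclone, scans the dump and rebuilds the access point ARN from the Host header. The sample log is constructed, the function names `classify` and `audit` are hypothetical, and the hostname-to-ARN mapping assumes the `name-account.s3-accesspoint.region.amazonaws.com` form seen in the logs above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample shaped like `rclone --dump headers` output; names are placeholders.
SAMPLE_DUMP = """\
2025/07/10 15:45:14 DEBUG : HTTP REQUEST (req 0xc000000001)
2025/07/10 15:45:14 DEBUG : GET /?x-id=ListBuckets HTTP/1.1
Host: example-ap-123456789012.s3-accesspoint.us-west-2.amazonaws.com
User-Agent: rclone/v1.70.3

2025/07/10 15:45:15 DEBUG : HTTP REQUEST (req 0xc000000002)
2025/07/10 15:45:15 DEBUG : GET /?delimiter=%2F&list-type=2&prefix=Experimental%2F HTTP/1.1
Host: example-ap-123456789012.s3-accesspoint.us-west-2.amazonaws.com
"""

REQUEST_LINE = re.compile(r"\b(GET|HEAD|PUT|POST|DELETE) (\S+) HTTP/1\.[01]\s*$")
AP_HOST = re.compile(
    r"^(?P<name>[a-z0-9-]+)-(?P<account>\d{12})"
    r"\.s3-accesspoint\.(?P<region>[a-z0-9-]+)\.amazonaws\.com$"
)

def classify(method, target):
    """Name the S3 operation from the request line, for the two cases in the thread."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if method == "GET" and parts.path == "/":
        if query.get("x-id") == ["ListBuckets"]:
            return "ListBuckets"
        if query.get("list-type") == ["2"]:
            return "ListObjectsV2"
    return "other"

def audit(dump_text):
    """Return one finding per request whose Host header is an access point hostname."""
    findings, pending = [], None
    for line in dump_text.splitlines():
        match = REQUEST_LINE.search(line)
        if match:
            pending = match.groups()          # remember method and target until Host arrives
        elif pending and line.lower().startswith("host:"):
            ap = AP_HOST.match(line.split(":", 1)[1].strip())
            if ap:
                op = classify(*pending)
                arn = "arn:aws:s3:{region}:{account}:accesspoint/{name}".format(**ap.groupdict())
                findings.append({"operation": op, "arn": arn,
                                 "account_level_call": op == "ListBuckets"})
            pending = None
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

A finding with `account_level_call` set to true marks a request that was not scoped to the access point at all, which is the behaviour the dump above shows for `rclone lsd` on the bare remote.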