Make S3 Multi-region access point public

I created a multi-region access point for two buckets, both of which are public. However, when I try to access the objects using the multi-region hostname, I get an XML response stating that the request is invalid. I have checked off all the boxes for public access and created a policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "[my arm]/object/*",
                "[my arm]"
            ]
        }
    ]
}

And still I get the same response. I have also seen the following question, which asks the same thing, but even the accepted answer does not seem to have given a correct solution: "How to create a public Multi-Region Access Point policy?"

What is the correct way to make the multi-region access point public? Or am I trying to access the objects incorrectly?

What I'm doing is: [alias].accesspoint.s3-global.amazonaws.com/[object name]

Is that the correct syntax?

There is 1 best solution below

I think the issue is that all S3 MRAP requests must be signed with SigV4A, even when objects are publicly accessible.

I am inferring this from the error I get when I attempt it:

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>InvalidRequest</Code><Message>The authorization mechanism you have provided is not supported. Please use Signature Version 4a.</Message><RequestId>DQG55ZDYXYV9VEZQ</RequestId><HostId>qMIazrJg5Obioh5Stpzh3BWNRNXHa1W3RO7nIlnc4/8b+vpnVmmjKXNFTE5vkLUM+rVC7S35aZU=</HostId></Error>

and this part of the docs:

Multi-Region Access Points don't support anonymous requests.

(https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.html)
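Added example, not part of the original question or answer: because anonymous requests are rejected, the object has to be fetched with a signed request. The sketch below converts the hostname form used in the question into the access point ARN, recognises the SigV4A rejection shown above, and issues a signed GetObject. It assumes boto3 installed with the CRT extra (`pip install "boto3[crt]"`) and credentials allowed to call `s3:GetObject` through the access point; the alias, account ID and sample error body are constructed values.

```python
import re
import xml.etree.ElementTree as ET

# Hostname form used in the question: [alias].accesspoint.s3-global.amazonaws.com
MRAP_HOST = re.compile(r"^([a-z0-9-]+\.mrap)\.accesspoint\.s3-global\.amazonaws\.com$")

# Constructed sample of the rejection body (request IDs omitted).
SAMPLE_ERROR = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<Error><Code>InvalidRequest</Code><Message>The authorization mechanism "
    "you have provided is not supported. Please use Signature Version 4a."
    "</Message></Error>"
)


def mrap_arn_from_host(host: str, account_id: str) -> str:
    """Turn an MRAP hostname into the ARN that the SDK takes as Bucket."""
    m = MRAP_HOST.match(host.lower())
    if not m:
        raise ValueError(f"not an MRAP hostname: {host!r}")
    return f"arn:aws:s3::{account_id}:accesspoint/{m.group(1)}"


def needs_sigv4a(error_xml: str) -> bool:
    """True if an S3 error body is the 'use Signature Version 4a' rejection."""
    root = ET.fromstring(error_xml)
    code = root.findtext("Code", default="")
    message = root.findtext("Message", default="")
    return code == "InvalidRequest" and "Signature Version 4a" in message


def get_via_mrap(arn: str, key: str) -> bytes:
    """Fetch one object through the MRAP using a signed request."""
    import boto3  # imported here so the helpers above work without the SDK

    s3 = boto3.client("s3")  # credentials come from the normal provider chain
    return s3.get_object(Bucket=arn, Key=key)["Body"].read()


if __name__ == "__main__":
    host = "mfzwi23gnjvgw.mrap.accesspoint.s3-global.amazonaws.com"  # constructed
    arn = mrap_arn_from_host(host, "111122223333")  # constructed account ID
    print(arn, needs_sigv4a(SAMPLE_ERROR))
```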