s3.GetObject returns a SignatureDoesNotMatch error #883
Comments
|
Hi @jriquelme , Thanks for reaching out. I tried reproducing the issue, and was unable to do so on my end. Could you try executing |
skotambkar
added
the
response-requested
|
Hi @skotambkar: I tried that before. Checking the module dependencies, the only thing odd to me is the presence of two different versions of smithy-go (but I don't know if it is an issue). Here's the mod graph I get from the sample program: I see Would the go.sum of any help to diagnose the problem? |
|
Thanks for getting back with us. Can you let us know what region the request is configured for? Also do you own the bucket you are trying to query? Or have valid permissions with the credentials you are using? |
|
The bucket is in us-east-1 and the permissions are fine. Before posting here (along with cleaning caches and everything), I verified I can copy the file with awscli (aws s3 cp ...), also the current version using the v0.24.0 doesn't have any issue with the bucket. To be sure, I compiled and ran the sample program in a ec2 machine and I got the same error :D The sample program is available at https://github.com/jriquelme/s3test Thank you for your help! |
github-actions
bot
removed
the
response-requested
|
Hi @jriquelme Unfortunately I couldn't replicate the error behavior from the example you provided above. It would help if we can log the request that is being sent. The logger utils are yet to be released, but are merged in GitHub master branch. For now, we can use the logger using this go.mod : Here's the code sample usage of setting Please let us know your findings to help us investigate the issue. Appreciate your patience and follow-ups. |
skotambkar
added
the
response-requested
|
@skotambkar, the problem is related to the key. I've updated the repo https://github.com/jriquelme/s3test; it's basically the same but with a test showing a sucessful and a failing case. There are three branches:
The problematic key is This is the output of the failing test case in the branch v0.29.1-x: I hope it helps. And I'm sorry for the inconvinencie, I didn't put the real key in the example program because I never thought it was relevant :| |
github-actions
bot
removed
the
response-requested
|
Additional data point for this issue. Seeing a similar signature mismatch behavior calling out to STS. Previously working code -- seeing the following on
Edit: Also noting that this issues seems data dependent, as well. The same code path fails or succeeds intermittently. The following step function invocations all use the same code, and all failures were signature mismatches to STS.
|
|
Noting that |
|
Hi @jriquelme Thanks for the detailed information. We identified the issue being with our serializer not correctly escaping few characters. We are currently working on debugging and fixing the issue. Thanks for reaching out @jarreds. Could you provide us with sample example/data that we can use to reproduce the success or error cases. This would help us identify the root cause and fix the behavior. |
|
This may help. Can't do a full repro for you, but here is an extract of the code in question: func CreateStack(ctx context.Context, event Event) (*string, error) {
cfg, err := config.LoadDefaultConfig(config.WithRegion(event.RegionID))
if err != nil {
return nil, err
}
role := fmt.Sprintf("arn:aws:iam::%s:role/ci", event.AccountID)
stsclient := sts.NewFromConfig(cfg)
stsassume := stscreds.NewAssumeRoleProvider(stsclient, role)
cfg.Credentials = &aws.CredentialsCache{Provider: stsassume}
cfnclient := cloudformation.NewFromConfig(cfg)
cfnrole := fmt.Sprintf("arn:aws:iam::%s:role/cloudformation", event.AccountID)
input := cloudformation.CreateStackInput{
Capabilities: []types.Capability{
types.CapabilityCapability_named_iam,
types.CapabilityCapability_auto_expand,
},
StackName: &event.Name,
TemplateURL: &event.TemplateURL,
RoleARN: &cfnrole,
Tags: []*types.Tag{
{
Key: aws.String("release"),
Value: aws.String(event.Release),
},
{
Key: aws.String("template"),
Value: aws.String(path.Base(event.TemplateURL)),
},
{
Key: aws.String("stack"),
Value: aws.String(event.Name),
},
},
}
resp, err := cfnclient.CreateStack(ctx, &input)
if err != nil {
return nil, err
}
return resp.StackId, nil
} |
|
|
Will create a separate issue for @jarreds STS issue. As STS issue appears unrelated to this issue. |
Confirm by changing [ ] to [x] below:
Describe the question
I'm not sure if this is a question or indeed a bug, because the API has changed considerably since v0.24. I'm getting a SignatureDoesNotMatch error when running the example program below:
The go.mod file:
Output error: api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
I'm missing something? Any help would be appreciated :)
The text was updated successfully, but these errors were encountered: