WhoopInc / vagrant-s3auth

Vagrant plugin for private, versioned boxes on Amazon S3.
MIT License

S3 region ignored #31

Closed Szasza closed 7 years ago

Szasza commented 8 years ago

Hi @benesch,

Problem: it seems that the S3 region is not being picked up from the box_url.

Example URL: https://BUCKETNAME.s3-ap-southeast-2.amazonaws.com/JSONPATH

Result: a message stating S3 client configured for "us-east-1" but the bucket "BUCKETNAME" is in "ap-southeast-2"; Please configure the proper region to avoid multiple unnecessary redirects and signing attempts

Expected result: box fetched directly from "ap-southeast-2"

benesch commented 8 years ago

Hi @Szasza! Can you rerun with VAGRANT_LOG=debug vagrant whatever-command-you-ran and post relevant portions of the dump? (You can Cmd+F for "s3auth:" in the output.)

Szasza commented 8 years ago

Thank you for the quick response @benesch, it is much appreciated.

It looks like vagrant first tries to get the image without auth (no AWS params in the URL at the end of the start process line). Also, the error message for the 403 is misleading.

INFO warden: Calling IN action: #VagrantPlugins::S3Auth::ExpandS3Urls:0x007f19f82d39f8

INFO warden: Calling IN action: #VagrantPlugins::LoginCommand::AddAuthentication:0x007f19f82d39a8

DEBUG client: Using authentication token from disk at /home/USER/.vagrant.d/data/vagrant_login_token

INFO warden: Calling OUT action: #VagrantPlugins::LoginCommand::AddAuthentication:0x007f19f82d39a8

INFO warden: Calling OUT action: #VagrantPlugins::S3Auth::ExpandS3Urls:0x007f19f82d39f8

INFO box_add: Downloading box: https://BUCKETNAME.s3-ap-southeast-2.amazonaws.com/RESOURCEPATH => /home/USER/.vagrant.d/tmp/BOXID

INFO downloader: HEAD: https://BUCKETNAME.s3-ap-southeast-2.amazonaws.com/RESOURCEPATH

INFO subprocess: Starting process: ["/opt/vagrant/embedded/bin/curl", "-I", "-q", "--fail", "--location", "--max-redirs", "10", "--user-agent", "Vagrant/1.8.6 (+https://www.vagrantup.com; ruby2.2.5)", "--continue-at", "-", "-H", "Accept: application/json", "https://BUCKETNAME.s3-ap-southeast-2.amazonaws.com/RESOURCEPATH"]

DEBUG subprocess: Selecting on IO

DEBUG subprocess: stderr: % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0

DEBUG subprocess: stderr: curl: (22) The requested URL returned error: 403 Forbidden

DEBUG subprocess: Waiting for process to exit. Remaining to timeout: 31999

DEBUG subprocess: Exit status: 22

WARN downloader: Downloader exit code: 22

S3 client configured for "us-east-1" but the bucket "BUCKETNAME" is in "ap-southeast-2"; Please configure the proper region to avoid multiple unnecessary redirects and signing attempts

INFO downloader: s3auth: Discovered S3 URL: https://BUCKETNAME.s3-ap-southeast-2.amazonaws.com/RESOURCEPATH

DEBUG downloader: s3auth: Bucket: "BUCKETNAME"

DEBUG downloader: s3auth: Key: "RESOURCEPATH"

INFO downloader: s3auth: Generating signed URL for HEAD

INFO subprocess: Starting process: ["/opt/vagrant/embedded/bin/curl", "-I", "-q", "--fail", "--location", "--max-redirs", "10", "--user-agent", "Vagrant/1.8.6 (+https://www.vagrantup.com; ruby2.2.5)", "--continue-at", "-", "-H", "Accept: application/json", "https://BUCKETNAME.s3-ap-southeast-2.amazonaws.com/RESOURCEPATH?AWSPARAMS"]

DEBUG subprocess: Selecting on IO

DEBUG subprocess: stderr: % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 0 340 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0

DEBUG subprocess: stdout: HTTP/1.1 200 OK x-amz-id-2: AMZID x-amz-request-id: AMZREQUESTID Date: Mon, 31 Oct 2016 00:03:14 GMT Last-Modified: Mon, 31 Oct 2016 00:02:10 GMT ETag: "ETAG" Accept-Ranges: bytes Content-Type: application/json Content-Length: 340 Server: AmazonS3

benesch commented 8 years ago

?!

vagrant-s3auth always lets Vagrant give the box URL an unauthenticated try first. (Source: https://github.com/WhoopInc/vagrant-s3auth/blob/f7e6a0373c3d9dcad3d30c3c61bb83ef2635462a/lib/vagrant-s3auth/extension/downloader.rb#L69-L76). This is to avoid breaking existing box downloads if vagrant-s3auth has a bug; as long as your box downloads successfully without vagrant-s3auth, vagrant-s3auth won't get involved at all.

But it seems the rest of the output is quite alright! Does the box get added successfully and just print a warning message along the way?

Szasza commented 8 years ago

It explains it if vagrant-s3auth always gives the control to vagrant first. Yes, the box gets added successfully apart from the message.

In this case, the following would be more of a nice-to-have:

Your consideration is highly appreciated.

benesch commented 7 years ago

Sorry for the delay—I just can't manage to repro this. It's quite possible that it's our internal AWS SDK that's generating that message, but I can't manage to trigger it on my machine.

Does this happen if you use an S3 URL instead? E.g., s3://BUCKET/JSONPATH.

Szasza commented 7 years ago

I'm guilty as charged regarding the delay too. Yes, it happens with every type of URL, S3 included.

There is no other vagrant plugin in use either.

benesch commented 7 years ago

Hmmmmmmm. What version of Vagrant, what version of vagrant-s3auth, and what version of the OS are you using?

Szasza commented 7 years ago

Vagrant 1.8.6, vagrant-s3auth 1.3.0, OS: Ubuntu 16.04 LTS

benesch commented 7 years ago

Ahhh, finally managed to reproduce this. Sorry for the long delay! Turns out it's an upstream bug in the AWS SDK. I've filed a PR! aws/aws-sdk-ruby#1374

I assume your bucket doesn't include any periods (.) in its name? The integration tests for this project generate bucket names with dots (travis-$TRAVIS_JOB_NUMBER.vagrant-s3auth.com), which don't trigger the warning you saw. So thanks for reporting, @Szasza! If upstream is slow to merge, I'll release a workaround in vagrant-s3auth in a few days.

Szasza commented 7 years ago

Thank you @benesch for looking into the matter, it is much appreciated.

benesch commented 7 years ago

Of course! vagrant-s3auth 1.3.1 (just released on Saturday) should solve the issue!
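
Added example, not part of the original thread and not code from vagrant-s3auth or the AWS SDK: a hypothetical Ruby helper, `parse_s3_url`, that reads the bucket, key and region out of the box URL forms discussed in this issue, so the region named in the hostname is known before any URL is signed. It goes beyond the one URL in the report to cover `s3://`, path-style and dotted bucket names; the sample URLs are constructed.

```ruby
require 'uri'

# Hypothetical helper (not the plugin's code). Anchored at both ends so that
# a look-alike host such as "bucket.s3.amazonaws.com.example.net" is rejected
# instead of being handed a signed URL.
S3_HOST = /\A(?:(?<bucket>.+)\.)?s3(?:[-.](?<region>[a-z0-9-]+))?\.amazonaws\.com\z/

def parse_s3_url(url)
  uri = URI.parse(url)
  path = uri.path.to_s.sub(%r{\A/}, '')

  # s3://BUCKET/KEY names no region at all; the caller has to look it up.
  return { bucket: uri.host, key: path, region: nil } if uri.scheme == 's3'
  return nil unless uri.scheme == 'https'

  m = S3_HOST.match(uri.host.to_s)
  return nil unless m

  if m[:bucket]
    # Virtual-hosted style. The greedy bucket group keeps dotted bucket
    # names (e.g. "boxes.example.com") in one piece.
    { bucket: m[:bucket], key: path, region: m[:region] }
  else
    # Path style: the first path segment is the bucket.
    bucket, key = path.split('/', 2)
    return nil if bucket.nil? || bucket.empty?
    { bucket: bucket, key: key.to_s, region: m[:region] }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample URLs; the first has the shape reported in this issue.
  [
    'https://BUCKETNAME.s3-ap-southeast-2.amazonaws.com/JSONPATH',
    'https://boxes.example.com.s3-ap-southeast-2.amazonaws.com/a/b.json',
    'https://s3.eu-west-1.amazonaws.com/mybucket/box.json',
    's3://mybucket/box.json',
    'https://mybucket.s3.amazonaws.com.example.net/box.json'
  ].each { |u| puts "#{u} => #{parse_s3_url(u).inspect}" }
end
```

A `nil` region means the URL itself does not say where the bucket lives, which is the case where a client falls back to its default region.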