gaul / s3proxy

Access other storage backends via the S3 API
Apache License 2.0

403 SignatureDoesNotMatch Forbidden while using Istio #645

Open aravinds502 opened 3 weeks ago

aravinds502 commented 3 weeks ago

Hello Team,

We are running s3proxy on port 8080 with the following S3PROXY_CONFIGURATION:

JCLOUDS_CREDENTIAL :
JCLOUDS_ENDPOINT : https://s3.amazonaws.com
JCLOUDS_IDENTITY :
JCLOUDS_REGIONS : eu-west-1
JCLOUD_PROVIDER : aws-s3
LOG_LEVEL : debug
S3PROXY_AUTHORIZATION : aws-v2-or-v4
S3PROXY_CREDENTIAL :
S3PROXY_IDENTITY :

Our s3proxy is behind the istio-gateway and is exposed on the public endpoint "https://mydomain.com/s3proxy".

Istio then redirects the inbound requests to "HTTP://localhost:8080".

When we use the S3Client with the endpoint overridden as follows:

import java.net.URI;
import software.amazon.awssdk.core.waiters.WaiterOverrideConfiguration;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.HeadObjectRequest;

// credentialsProvider and storagePath are defined elsewhere in our code.
// Point the SDK at the proxy's public endpoint; path-style addressing keeps the
// bucket name in the URI path instead of a virtual-host subdomain.
S3Client client = S3Client.builder()
        .endpointOverride(URI.create("https://mydomain.com/s3proxy"))
        .forcePathStyle(true)
        .credentialsProvider(credentialsProvider)
        .build();

var headReq = HeadObjectRequest.builder()
        .bucket("my-bucket")
        .key(storagePath);
var waiterConfig = WaiterOverrideConfiguration.builder();
// waitUntilObjectExists polls HeadObject until the key is present or the waiter gives up
var headerResponse = client.waiter().waitUntilObjectExists(headReq.build(), waiterConfig.build());
var matched = headerResponse.matched().response().orElse(null);

System.out.println(matched);

I'm seeing the following error:

[s3proxy] D 06-05 15:22:30.065 S3Proxy-Jetty-20 o.gaul.s3proxy.S3ProxyHandler:301 |::] request: Request(GET http://mydomain.com/my-bucket/f1db056a-bc01-4c94-bca8-ec92153bf48f/73bc1e65-7454-44ee-a13d-794276e34673.file?response-content-disposition=attachment%3B%20filename%3D%22%3D%3FUTF-8%3FQ%3FTitanic_.csv%3F%3D%22%3B%20filename%2A%3DUTF-8%27%27Titanic%2520.csv&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240605T152230Z&X-Amz-SignedHeaders=host&X-Amz-Credential=<access_key>%2F20240605%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Expires=120&X-Amz-Signature=52677d81851b843bca5850c465ac1c7ad5acebc5276a35e03e7ae1f0e1506f44)@1a1bc40a
[s3proxy] D 06-05 15:22:30.066 S3Proxy-Jetty-20 o.gaul.s3proxy.S3ProxyHandler:2971 |::] sendSimpleErrorResponse: 403 SignatureDoesNotMatch Forbidden {}

Please let me know what is going wrong here. Should the "host name" be matched? Does the signature creation depend on the hostname? I'm blocked by this; how can we fix the problem? Any suggestion would be helpful.

timursaikaliev commented 2 weeks ago

@aravinds502 The HTTP host header is required in the signature calculations. https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
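As an added illustration (not code from s3proxy or from either commenter), the following Python reimplements the SigV4 query-string signing that the linked AWS page describes and then plays the server side: it rebuilds the signature from the request as the server actually received it. Both the Host header (the only signed header in a presigned URL) and the URI path are part of the canonical request, so a gateway that rewrites the Host to localhost:8080, or that strips the /s3proxy path prefix before forwarding, produces a different signature and exactly this 403 SignatureDoesNotMatch. The access key, secret key, object key and date are constructed placeholders.

```python
"""Added example: SigV4 query-string (presigned URL) signing and the server-side
recheck, to show why a proxy that rewrites Host or the path breaks the signature.
Not s3proxy code; all credentials and names below are constructed placeholders."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str = "s3") -> bytes:
    """SigV4 key chain: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def build_query_params(access_key: str, region: str, amz_date: str,
                       expires: int = 120, extra: Optional[dict] = None) -> dict:
    """The X-Amz-* query parameters a presigned GET carries (before signing)."""
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",  # Host is the only signed header
    }
    params.update(extra or {})
    return params


def compute_signature(secret_key: str, host: str, path: str, params: dict) -> str:
    """Canonical request -> string to sign -> HMAC, for SignedHeaders=host, UNSIGNED-PAYLOAD."""
    amz_date = params["X-Amz-Date"]
    _, scope = params["X-Amz-Credential"].split("/", 1)  # date/region/s3/aws4_request
    region = scope.split("/")[1]
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
        if k != "X-Amz-Signature"  # the signature never covers itself
    )
    canonical_request = "\n".join([
        "GET",
        quote(path, safe="/-_.~"),  # canonical URI: the path exactly as the server sees it
        canonical_query,
        f"host:{host}\n",           # canonical headers block ends with a newline
        "host",
        "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        ALGORITHM,
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    k_signing = derive_signing_key(secret_key, amz_date[:8], region)
    return hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def server_verdict(secret_key: str, observed_host: str, observed_path: str, received: dict) -> str:
    """What an S3-compatible server does: rebuild the signature from the request it
    actually received (after any proxy rewriting) and compare in constant time."""
    expected = compute_signature(secret_key, observed_host, observed_path, received)
    if hmac.compare_digest(expected, received.get("X-Amz-Signature", "")):
        return "200 OK"
    return "403 SignatureDoesNotMatch"


# Constructed placeholders mirroring the report's setup (eu-west-1, path-style, /s3proxy prefix).
ACCESS_KEY = "AKIAEXAMPLEPLACEHOLDER"
SECRET_KEY = "example-secret-key-not-real"
OBJECT_PATH = "/my-bucket/73bc1e65-7454-44ee-a13d-794276e34673.file"


def demo() -> dict:
    params = build_query_params(ACCESS_KEY, "eu-west-1", "20240605T152230Z",
                                extra={"response-content-disposition": "attachment"})
    # The SDK signs against the endpoint it was configured with: mydomain.com plus the /s3proxy prefix.
    signed_path = "/s3proxy" + OBJECT_PATH
    params["X-Amz-Signature"] = compute_signature(SECRET_KEY, "mydomain.com", signed_path, params)
    return {
        "unchanged": server_verdict(SECRET_KEY, "mydomain.com", signed_path, params),
        "host_rewritten": server_verdict(SECRET_KEY, "localhost:8080", signed_path, params),
        "prefix_stripped": server_verdict(SECRET_KEY, "mydomain.com", OBJECT_PATH, params),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:16} -> {verdict}")
```

When troubleshooting, compare what the gateway hands to s3proxy with what the client signed: the log line in the report shows s3proxy receiving Host mydomain.com and the path /my-bucket/..., so the Host header and the URI path (including any prefix the gateway strips) must arrive byte-identical to what the SDK used when it built the signature, otherwise the recomputed HMAC differs and the request is rejected with this 403.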