Open aravinds502 opened 3 weeks ago
Hello Team,
We are running the s3proxy on 8080 port with following S3PROXY_CONFIGURATION:

```
JCLOUDS_CREDENTIAL :
JCLOUDS_ENDPOINT : https://s3.amazonaws.com
JCLOUDS_IDENTITY :
JCLOUDS_REGIONS : eu-west-1
JCLOUD_PROVIDER : aws-s3
LOG_LEVEL : debug
S3PROXY_AUTHORIZATION : aws-v2-or-v4
S3PROXY_CREDENTIAL :
S3PROXY_IDENTITY :
```
Our s3proxy is behind the istio-gateway, and exposed public endpoint as follows "https://mydomain.com/s3proxy"
And the istio will redirect its inbound request to "HTTP://localhost:8080"
When we use the S3client with overridden endpoint as follows:

```java
S3Client client = S3Client.builder()
        .endpointOverride(new URIBuilder("https://mydomain.com/s3proxy").build())
        .forcePathStyle(true)
        .credentialsProvider(credentialsProvider)
        .build();

var headReq = HeadObjectRequest.builder()
        .bucket("my-bucket")
        .key(storagePath);
var waiterConfig = WaiterOverrideConfiguration.builder();
var headerResponse = client.waiter().waitUntilObjectExists(headReq.build(), waiterConfig.build());
var matched = headerResponse.matched().response().orElse(null);
System.out.println(matched);
```
I'm seeing the following error:

```
[s3proxy] D 06-05 15:22:30.065 S3Proxy-Jetty-20 o.gaul.s3proxy.S3ProxyHandler:301 |::] request: Request(GET http://mydomain.com/my-bucket/f1db056a-bc01-4c94-bca8-ec92153bf48f/73bc1e65-7454-44ee-a13d-794276e34673.file?response-content-disposition=attachment%3B%20filename%3D%22%3D%3FUTF-8%3FQ%3FTitanic_.csv%3F%3D%22%3B%20filename%2A%3DUTF-8%27%27Titanic%2520.csv&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240605T152230Z&X-Amz-SignedHeaders=host&X-Amz-Credential=<access_key>%2F20240605%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Expires=120&X-Amz-Signature=52677d81851b843bca5850c465ac1c7ad5acebc5276a35e03e7ae1f0e1506f44)@1a1bc40a
[s3proxy] D 06-05 15:22:30.066 S3Proxy-Jetty-20 o.gaul.s3proxy.S3ProxyHandler:2971 |::] sendSimpleErrorResponse: 403 SignatureDoesNotMatch Forbidden {}
```
Please let me know what is going wrong here. Should the "host name" be matched? Does the signature creation depend on the hostname? I was blocked with this; how can we fix the problem? Any suggestion would be helpful.
@aravinds502 The HTTP host header is required in the signature calculations. https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
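The dependency described in the reply above, as an added example that is not part of the original thread or of s3proxy's code: a minimal SigV4 query-string signer following the linked AWS document, showing that both the `host` header and the request path feed the signature, so the server's recomputation differs if a gateway changes either. The keys, object name and `localhost:8080` host are constructed sample values; date, region and expiry mirror the log line in the issue.

```python
import hashlib
import hmac
from urllib.parse import quote


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def presigned_signature(secret, access_key, region, amz_date, expires, method, host, path):
    """X-Amz-Signature for a SigV4 presigned S3 URL with X-Amz-SignedHeaders=host."""
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        method,
        quote(path, safe="/-_.~"),   # canonical URI: the path the signer saw
        canonical_query,
        f"host:{host.lower()}\n",    # canonical headers block ends with a newline
        "host",                      # signed headers
        "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = f"AWS4{secret}".encode()
    for part in (date, region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


# Constructed sample credentials; not real keys.
COMMON = dict(secret="EXAMPLE-SECRET-KEY", access_key="EXAMPLEACCESSKEY",
              region="eu-west-1", amz_date="20240605T152230Z", expires=120, method="GET")


def compare():
    """Does the server-side recomputation match what the client signed?"""
    def sig(host, path):
        return presigned_signature(host=host, path=path, **COMMON)
    signed = sig("mydomain.com", "/s3proxy/my-bucket/obj.file")  # client's view
    return {
        "unchanged": sig("mydomain.com", "/s3proxy/my-bucket/obj.file") == signed,
        "host rewritten": sig("localhost:8080", "/s3proxy/my-bucket/obj.file") == signed,
        "path prefix stripped": sig("mydomain.com", "/my-bucket/obj.file") == signed,
    }
```

`compare()` returns `True` only for the unchanged request; either rewrite yields a different signature, which a verifying server reports as `SignatureDoesNotMatch`.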