[Bug]: presigned S3 upload URL from aws_devicefarm_upload has wrong signature

[martinhelfert]

Terraform Core Version

1.3.6

AWS Provider Version

4.62.0

Affected Resource(s)

aws_devicefarm_upload

Expected Behavior

aws_devicefarm_upload should return a presigned URL where I can upload a file to using curl.

Actual Behavior

The returned presigned URL seems to be correct, but when uploading to it, it fails with a SignatureDoesNotMatch error. When using the aws cli tool (aws devicefarm create-upload) instead, the returned URL is working.

Relevant Error/Panic Output Snippet

<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
....
</Error>

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.62.0"
    }
    null = {
      source  = "hashicorp/null"
      version = "3.2.1"
    }
  }

  required_version = "~> 1.2"
}

provider "aws" {
  region = "us-west-2"
}

resource "aws_devicefarm_project" "default" {
  name = "example"
}

resource "aws_devicefarm_upload" "ipa" {
  for_each = fileset(path.module, "*.ipa")

  name         = each.value
  project_arn  = aws_devicefarm_project.default.arn
  type         = "IOS_APP"
}

resource "null_resource" "upload_ipa" {
  for_each = aws_devicefarm_upload.ipa

  provisioner "local-exec" {
    command = "curl -T ${each.value.name} \"${each.value.url}\""
  }

  depends_on = [aws_devicefarm_upload.ipa]
}

Steps to Reproduce

• apply the configuration above
• all steps pass, the upload is created and returns a URL that seems to be valid
• the curl command fails with a SignatureDoesNotMatch error

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

• similar issue: https://github.com/hashicorp/terraform-provider-aws/issues/24329
• pretty old issue from the AWS go SDK which seems to be resolved: https://github.com/aws/aws-sdk-go/issues/337

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[justinretzolk]

Hey @martinhelfert 👋 Thank you for taking the time to raise this! Am I understanding correctly that if you take the value returned from aws_devicefarm_upload.ipa.url and pass it to the AWS CLI command, it's working properly? It's a bit difficult for me to say without being able to realistically spin up the architecture to test this out, but if my understanding (mentioned before) is correct, this may be a result of the cURL command in the local-exec using ${each.value.name} rather than ${path.module}/${each.value.name}.

[justinretzolk]

Since we haven't heard back, I'm going to close this issue. If you're still having trouble, please feel free to open a new issue, referencing this one for context as needed.

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.