Unable to use signature v2 with custom endpoint and latest aws-sdk-s3 release 1.117.2

[stkenny]

Hi, when I updated to the latest gems my application could no longer retrieve files from our Ceph Rados Gateway. It seems it was trying to use sigv4 even though I had specified the signature_version as 's3'. This worked OK up to 1.116.0. I was able to get it to work by patching the Aws::S3::Plugins::Endpoints::Handler class with this line:

context[:auth_scheme] =
      context.config.signature_version || Aws::Endpoints.resolve_auth_scheme(context, endpoint)

This doesn't seem quite right, as 'v4' is passed if I don't specify a signature_version parameter. Basically the signature version doesn't seem to get passed through. Has something changed in the way a custom endpoint should be configured that I have missed?

Thanks.

[mullermp]

Thanks for opening up a discussion. We've recently changed endpoint calculation to be model driven per request invocation. These modeled rules do not include sigv2, however, I did test and verify the sigv2 case when explicitly provided. What aws-sdk-core version are you using? When using the latest aws-sdk-core and aws-sdk-s3, I can seemingly make a request against a custom endpoint using sigv2:

# custom endpoint is actual s3 endpoint but it demonstrates a custom endpoint usage (:endpoint was provided)
# AWS 123456 in authorization header is Sigv2
[2] pry(Aws)> Aws::S3::Client.new(endpoint: 'https://s3.us-west-2.amazonaws.com', signature_version: 's3').list_buckets
<- "GET / HTTP/1.1\r\nAccept-Encoding: \r\nUser-Agent: aws-sdk-ruby3/3.168.3 ruby/2.7.4 x86_64-darwin19 aws-sdk-s3/1.117.2\r\nHost: s3.us-west-2.amazonaws.com\r\nX-Amz-Date: 20221206T161312Z\r\nX-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\r\nAuthorization: AWS 123456=\r\nAccept: */*\r\n\r\n"
-> "HTTP/1.1 200 OK\r\n"

[stkenny]

Thanks. This was using aws-sdk-core 3.168.2. With 1.116.0 the request looks like:

GET / HTTP/1.1\r\nAccept-Encoding: \r\nUser-Agent: aws-sdk-ruby3/3.168.2 ruby/2.7.4 x86_64-linux aws-sdk-s3/1.116.0\r\nDate: Fri, 02 Dec 2022 12:10:11 GMT\r\nAuthorization: AWS ACCESSKEY:SECRETKEY=\r\nAccept: */*\r\nHost: HOST\r\n\r\n

Which works. But with 1.117.2 using the same parameters I get

GET / HTTP/1.1\r\nAccept-Encoding: \r\nUser-Agent: aws-sdk-ruby3/3.168.2 ruby/2.7.4 x86_64-linux aws-sdk-s3/1.117.2\r\nHost: HOST\r\nX-Amz-Date: 20221202T120801Z\r\nX-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\r\nAuthorization: AWS ACCESSKEY:SECRETKEY\r\nAccept: */*\r\n\r\n

This results in an access denied.

2.7.4 :014 > client.list_buckets
#<Aws::Endpoints::Endpoint:0x00005612f545be70 @url="https://xxxxxxxxxx", @properties={"authSchemes"=>[{"name"=>"sigv4", "signingName"=>"s3", "disableDoubleEncoding"=>true, "signingRegion"=>"us-east-1"}]}, @headers={}>

The authSchemes seem to be set to sigv4 in the endpoint passed through.

[stkenny]

It doesn't support sigv4.

[stkenny]

It seems to have a problem with X-Amz-Date. So I guess a bug in the 3rd party service or a config issue. I don't think it can parse the date. So not an issue for the gems then.

GET / HTTP/1.1\r\nAccept-Encoding: \r\nUser-Agent: aws-sdk-ruby3/3.168.3 ruby/2.7.4 x86_64-linux aws-sdk-s3/1.117.2\r\nHost: HOST\r\nX-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\r\nAuthorization: AWS *****:\r\nDate: Thu, 08 Dec 2022 11:20:34 GMT\r\nAccept: /\r\n\r\n"
-> "HTTP/1.1 200 OK\r\n"

[mullermp]

I can investigate not sending the date and sha256 headers for sigv2 if the previous versions did not send them and they are not required for signing.

[mullermp]

I intended for Sigv4 signing to be skipped however it is not working! (https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/lib/aws-sdk-s3/plugins/s3_signer.rb#L31) I'll put out a fix shortly that tries to preserve existing behavior.

[mullermp]

#2804

[stkenny]

https://tracker.ceph.com/issues/57094

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.