403 SignatureDoesNotMatch Forbidden while using Istio #645

Open
aravinds502 opened this issue Jun 5, 2024 · 1 comment

Comments

@aravinds502

Hello Team,

We are running the s3proxy on port 8080 with the following S3PROXY_CONFIGURATION:

JCLOUDS_CREDENTIAL : <AWS_SECRET_KEY>
JCLOUDS_ENDPOINT : https://s3.amazonaws.com
JCLOUDS_IDENTITY : <AWS_ACCESS_KEY_ID>
JCLOUDS_REGIONS : eu-west-1
JCLOUD_PROVIDER : aws-s3
LOG_LEVEL : debug
S3PROXY_AUTHORIZATION : aws-v2-or-v4
S3PROXY_CREDENTIAL : <S3_PROXY_SECRET_KEY>
S3PROXY_IDENTITY : <S3_PROXY_ACCESS_KEY_ID>

Our s3proxy is behind the istio-gateway and is exposed at the following public endpoint: "https://mydomain.com/s3proxy"

And Istio will redirect its inbound requests to "HTTP://localhost:8080"

When we use the S3Client with an overridden endpoint as follows:

S3Client client = S3Client.builder()
        .endpointOverride(new URIBuilder("https://mydomain.com/s3proxy").build())
        .forcePathStyle(true)
        .credentialsProvider(credentialsProvider)
        .build();

var headReq = HeadObjectRequest.builder()
        .bucket("my-bucket")
        .key(storagePath);
var waiterConfig = WaiterOverrideConfiguration.builder();
var headerResponse = client.waiter().waitUntilObjectExists(headReq.build(), waiterConfig.build());
var matched = headerResponse.matched().response().orElse(null);

System.out.println(matched);

I'm seeing the following error:

[s3proxy] D 06-05 15:22:30.065 S3Proxy-Jetty-20 o.gaul.s3proxy.S3ProxyHandler:301 |::] request: Request(GET http://mydomain.com/my-bucket/f1db056a-bc01-4c94-bca8-ec92153bf48f/73bc1e65-7454-44ee-a13d-794276e34673.file?response-content-disposition=attachment%3B%20filename%3D%22%3D%3FUTF-8%3FQ%3FTitanic_.csv%3F%3D%22%3B%20filename%2A%3DUTF-8%27%27Titanic%2520.csv&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240605T152230Z&X-Amz-SignedHeaders=host&X-Amz-Credential=<access_key>%2F20240605%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Expires=120&X-Amz-Signature=52677d81851b843bca5850c465ac1c7ad5acebc5276a35e03e7ae1f0e1506f44)@1a1bc40a
[s3proxy] D 06-05 15:22:30.066 S3Proxy-Jetty-20 o.gaul.s3proxy.S3ProxyHandler:2971 |::] sendSimpleErrorResponse: 403 SignatureDoesNotMatch Forbidden {}

Please let me know what is going wrong here. Should the "host name" be matched? Does the signature creation depend on the hostname? I am blocked on this. How can we fix the problem? Any suggestion would be helpful.

@timursaikaliev
Contributor

@aravinds502 The HTTP host header is required in the signature calculations.
https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
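
To illustrate the reply above, here is an added example (not part of the thread and not S3Proxy's code) that computes a SigV4 query-string signature with `X-Amz-SignedHeaders=host` and shows that a verifier which receives a different Host value or path than the client signed recomputes a different signature. The secret, access key id and object name are constructed, and the function names are hypothetical; host, paths, region and date mirror the issue text.

```python
import hashlib
import hmac
from urllib.parse import quote

SAFE = "-_.~"  # unreserved characters that SigV4 leaves unencoded

def presign_signature(secret, access_key, region, amz_date, expires, method, host, path):
    """SigV4 query-string signature with X-Amz-SignedHeaders=host."""
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{quote(k, safe=SAFE)}={quote(v, safe=SAFE)}" for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        method,
        quote(path, safe="/" + SAFE),  # canonical URI: the path as the signer saw it
        query,
        f"host:{host.strip()}\n",      # canonical headers: the Host value is signed
        "host",
        "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = ("AWS4" + secret).encode()
    for part in (date, region, "s3", "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def server_accepts(client_view, seen_host, seen_path):
    """Recompute the signature from what the server received and compare."""
    presented = presign_signature(**client_view)
    recomputed = presign_signature(**{**client_view, "host": seen_host, "path": seen_path})
    return hmac.compare_digest(presented, recomputed)

# Constructed sample values; host, paths, region and date mirror the issue text.
CLIENT = dict(secret="constructed-secret", access_key="CONSTRUCTEDKEYID",
              region="eu-west-1", amz_date="20240605T152230Z", expires=120,
              method="GET", host="mydomain.com", path="/s3proxy/my-bucket/object.file")

if __name__ == "__main__":
    print(server_accepts(CLIENT, "mydomain.com", "/s3proxy/my-bucket/object.file"))    # True
    print(server_accepts(CLIENT, "localhost:8080", "/s3proxy/my-bucket/object.file"))  # False
    print(server_accepts(CLIENT, "mydomain.com", "/my-bucket/object.file"))            # False
```

When debugging a mismatch behind a gateway, compare the Host header and path that reach the verifying server with the values the client used when it signed.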
