We have been getting an HTTP 403 error back from AWS because the API signature does not match. We have discovered that the problem happens on ghc-7.6.1 but not on ghc-7.0.4, and that it happens for getObject when any of the GetObject Maybe fields (goVersionId, goResponseContentType, goResponseContentLanguage, goResponseExpires, goResponseCacheControl, goResponseContentDisposition, goResponseContentEncoding) are set to Just.
I'm not sure, but it seems like s3SignQuery is not taking into account all the parameters that the signing should be based on. I have no idea why this is working on ghc-7.0.4 and not ghc-7.6.1.
I don't think GetObject works in 7.0.4 either if you populate any of the fields that end up in s3QQuery. The weird thing is that getObject (i.e. a GetObject with only the bucket and object) works for us 7.0.4 but not 7.6.1. PutObject also works for us in 7.0.4 but not 7.6.1.
@aristidb I know we haven't provided much information about the problem. The truth is we are clueless about how the signing function should be defined and why it would behave differently in different versions of ghc, but @ckw and I have both managed to reproduce the problem as described above.
Can you try creating a minimal testcase? That would be very helpful.
Ok, I tried the GetObject example in the README. It works fine with GHC 7.0.4, but fails on GHC 7.6.1 with a 403: "The request signature we calculated does not match the signature you provided. Check your key and signing method."
Here's a list of most of the relevant package versions we're using:
@ckw OK that's helpful already, I'm installing GHC 7.6 now. Can you please change the loglevel to Debug and tell me where the "String to sign" differs from what Amazon expects? I'll try reproducing the problem myself as soon as GHC 7.6 is installed, but still this should be helpful information.
Wow, installing with binary packages is quick. ANYWAYS: I can reproduce the error now. A very weird error indeed.
The SimpleDB example similarly fails, and the "String to sign" seems to match in the GetObject example. I suspect the HMAC hashing is broken somehow.
Testcase (using my AWS credentials):
GHC 7.4 ("correct" behavior):
> signature cred HmacSHA256 "test"
> signature cred HmacSHA256 "test"
I will boil this down to the relevant cryptohash calls, and consider filing a bug there.
Submitted bug where it belongs: vincenthz/hs-cryptohash#12
In the meantime, my suggestion is to stick to GHC 7.4.2, as that is the version shipped with the most recent Haskell Platform. It is usually the best idea to stick to those versions, as you can see some packages do not work very well under GHC 7.6 yet.
You also mentioned that there were some kind of problems using GHC 7.0.4 with some specific requests. Could you please create a new issue for that, @pheaver or @ckw? Please also include a testcase!
Awesome! Glad it was easy to find the bug. I'll file a new issue soon.
OK, to reiterate here what we learned elsewhere: This is a bug in the bytestring library. http://hackage.haskell.org/trac/ghc/ticket/7270
I strongly recommend not using GHC 7.6.1 and waiting for GHC 7.6.2 instead for the migration to GHC 7.6-series.
Given that GHC 7.6.2 is out, could you please check if the bug is fixed?
Ah, yeah. I should be able to check that out soon.
Just ran into this. Can confirm that updating to GHC 7.6.3 fixes the issue.
I'm pretty sure we (I work with @ckw) checked ghc 7.6.2 and it was fixed in there also.
Yes, it's fixed in 7.6.2.
Are there any other situations that could lead to this problem? I'm seeing this with ghc 7.6.3 though I'm not sure if I'm just setting my credentials wrong or...
I found it was just a typo in the bucket name.