generate_presigned_url results in SignatureDoesNotMatch #2989
Assignees
Labels
guidance
Question that needs advice or information.
Comments
tim-finnigan
added
guidance
|
Hi @viktormill, thanks for reaching out. By default, the region is not included in the presigned URL as noted here: #1982 (comment). But some users have provided workarounds in that issue by setting In regard to the error your seeing, many people have suggested that setting the Config like this will solve the problem: Can you let us know if that worked? If you’re still seeing an issue, please send us the full debug logs (with sensitive information redacted) by adding |
tim-finnigan
added
response-requested
|
@tim-finnigan I think this is a DNS bug on AWS on bucket creation, Or Though If I wait for a few hours up to one day, the above fixes aren't needed. I also read that aws are planning to deprecate s3 path based urls: https://aws.amazon.com/blogs/aws/amazon-s3-path-deprecation-plan-the-rest-of-the-story/ So I assume that virtual based would be recommended? |
github-actions
bot
removed
the
response-requested
|
Hi @viktormill, thanks for your response. I was able to reproduce the Thanks again for raising visibility to this. I will discuss with the team and see if we can better document this scenario. Please let us know if you have any more questions or feedback. |
|
kleesc
added a commit
to kleesc/quay
that referenced
this issue
Feb 3, 2022
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. To workaround this, one can explicitly specify the bucket endpoint. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation
kleesc
added a commit
to kleesc/quay
that referenced
this issue
Feb 3, 2022
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. To workaround this, one can explicitly specify the bucket endpoint. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation
kleesc
added a commit
to kleesc/quay
that referenced
this issue
Feb 3, 2022
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can explicitly specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
kleesc
added a commit
to kleesc/quay
that referenced
this issue
Feb 3, 2022
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
kleesc
added a commit
to kleesc/quay
that referenced
this issue
Feb 3, 2022
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
kleesc
added a commit
to kleesc/quay
that referenced
this issue
Feb 3, 2022
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
kleesc
added a commit
to kleesc/quay
that referenced
this issue
Feb 3, 2022
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
kleesc
added a commit
to quay/quay
that referenced
this issue
Feb 3, 2022
…JQUAY-3082) (#1081) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
openshift-cherrypick-robot
pushed a commit
to openshift-cherrypick-robot/quay
that referenced
this issue
Feb 7, 2022
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
openshift-cherrypick-robot
pushed a commit
to openshift-cherrypick-robot/quay
that referenced
this issue
Feb 8, 2022
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
kleesc
added a commit
to quay/quay
that referenced
this issue
Feb 14, 2022
…JQUAY-3082) (#1096) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address. Co-authored-by: Kenny Lee Sin Cheong <kenny.lee28@gmail.com>
lbac-redhat
added a commit
to lbac-redhat/quay-docs
that referenced
this issue
Mar 15, 2024
Due to the boto3 issues (boto/boto3#2989) setting the X-Amz-Credential header, it is recommended to set either the `s3_region` or the `endpoint_url` when configuring an S3Storage provider. This commit adds a the `s3_region` field to all documented S3Storage examples.
lbac-redhat
added a commit
to lbac-redhat/quay-docs
that referenced
this issue
Mar 15, 2024
Due to the boto3 issues (boto/boto3#2989) setting the X-Amz-Credential header, it is recommended to set either the `s3_region` or the `endpoint_url` when configuring an S3Storage provider. This commit adds the `s3_region` field to all documented S3Storage examples in the documentation.
lbac-redhat
added a commit
to lbac-redhat/quay-docs
that referenced
this issue
Mar 15, 2024
Due to the boto3 issues (boto/boto3#2989) setting the X-Amz-Credential header, it is recommended to set either the `s3_region` or the `endpoint_url` field when configuring an S3Storage provider. This commit adds the `s3_region` field to all documented S3Storage examples in the documentation.
|
This is still happening in 2024. I have created this following script:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
Calling generate_presigned_url in AWS region 'eu-north-1' results in error 'SignatureDoesNotMatch. The request signature we calculated does not match the signature you provided. Check your key and signing method.'
If calling generate_presigned_url in AWS region 'eu-west-1' this works fine.
The presigned url looks like this
https://my-bucket.s3.amazonaws.com/test.txt?X-Amz-Algorithm...Steps to reproduce
Using Boto3 version 1.17.78 and calling generate_presigned_url
Expected behavior
generate_presigned_url to include region in the presigned url e.g.
https://my-bucket.s3.eu-north-1.amazonaws.com/test.txt?X-Amz-Algorithm...Debug logs
'SignatureDoesNotMatch. The request signature we calculated does not match the signature you provided. Check your key and signing method.'
The text was updated successfully, but these errors were encountered: