
Failed to create new s3 bucket with secretless broker for aws #1430

Closed
myeung18 opened this issue Oct 19, 2021 · 1 comment · Fixed by #1432

Comments

myeung18 commented Oct 19, 2021

Summary

I am trying Secretless Broker locally to access AWS S3 buckets. I can list the buckets fine, but I can't create any new bucket. Is this a bug?

I tried the AWS CLI without Secretless Broker in between to create a bucket, and it works fine. I am using the same account as above, and it is an admin.

Steps to Reproduce

Steps to reproduce the behavior:

➜  aws alias | grep aws
aws='AWS_ACCESS_KEY_ID=nothing AWS_SECRET_ACCESS_KEY=nothing AWS_DEFAULT_REGION=us-east-1 aws --endpoint-url http://secretless.empty'

➜  aws HTTP_PROXY=http://localhost:8080 aws s3 ls
2021-10-17 17:57:39 book2021
2017-02-19 11:47:24 iampolobucket
2021-10-16 14:55:19 testbug-os

➜  aws HTTP_PROXY=http://localhost:8080 aws s3 mb s3://bookttttt
make_bucket failed: s3://bookttttt An error occurred (SignatureDoesNotMatch) when calling the CreateBucket operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

------
❯ go run cmd/secretless-broker/main.go -f ./secretless.yml -debug
2021/10/17 18:07:04 Secretless v1.7.6-dev starting up...
2021/10/17 18:07:04 Initializing health check on :5335...
2021/10/17 18:07:04 Initialization of health check done. You can access the endpoint at `/live` and `/ready`.
2021/10/17 18:07:04 [WARN]  Plugin directory '/usr/local/lib/secretless' not found. Ignoring external plugins...
2021/10/17 18:07:04 Trying to load configuration file: ./secretless.yml
2021/10/17 18:07:04 [DEBUG] Waiting for new configuration...
2021/10/17 18:07:04 [INFO]  Configuration found. Loading...
2021/10/17 18:07:04 [INFO]  Validating config against available plugins: ssh,ssh-agent,pg,mysql,mssql,aws,basic_auth,conjur,generic_http
2021/10/17 18:07:04 [INFO]  Starting HTTP listener on 0.0.0.0:8080...
2021/10/17 18:07:04 Registering reload signal listeners...
2021/10/17 18:07:04 [INFO]  Starting HTTP subservice aws...
2021/10/17 18:07:05 [INFO]  HTTP Proxy on tcp://0.0.0.0:8080: Starting service
2021/10/17 18:07:05 [DEBUG] Waiting for new configuration...
2021/10/17 18:07:16 [DEBUG] HTTP Proxy on tcp://0.0.0.0:8080: Got request / secretless.empty GET secretless.empty
2021/10/17 18:07:16 [DEBUG] HTTP Proxy on tcp://0.0.0.0:8080: Using connector 'aws' for request secretless.empty
2021/10/17 18:07:16 Instantiating provider 'literal'
2021/10/17 18:07:16 [DEBUG] http-aws: Signing for service=s3 region=us-east-1
2021/10/17 18:07:16 [DEBUG] HTTP Proxy on tcp://0.0.0.0:8080: Received response status: 200 OK
2021/10/17 18:07:28 [DEBUG] HTTP Proxy on tcp://0.0.0.0:8080: Got request /bookttttt secretless.empty PUT secretless.empty
2021/10/17 18:07:28 [DEBUG] HTTP Proxy on tcp://0.0.0.0:8080: Using connector 'aws' for request secretless.empty
2021/10/17 18:07:28 [DEBUG] http-aws: Signing for service=s3 region=us-east-1
2021/10/17 18:07:28 [DEBUG] HTTP Proxy on tcp://0.0.0.0:8080: Received response status: 403 Forbidden

---------------------
version: 2

services:
  http-aws:
    connector: aws
    listenOn: tcp://0.0.0.0:8080
    credentials:
      accessKeyId: xxx
      secretAccessKey: xxxx
    config:
      authenticateURLsMatching:
        - ".*"

Expected Results

Should be able to perform whatever the account is able to do with the returned connection.

Actual Results (including error logs, if applicable)

The AWS connection created/returned from Secretless Broker should be no different from the connection created without Secretless Broker.


doodlesbykumbi (Contributor) commented

Hi @myeung18. Thanks for creating this issue.

I was able to reproduce this bug. It looks like we were not limiting the headers used for request-signing in Secretless to those used to sign the original request. I have a pull request up to fix this, over at #1432. I've tested it locally and confirmed that the fix works.

Once it is reviewed by the team and merged, it should make its way into the next release. Please do create a build from the branch and evaluate it; it would help to get sign-off from your side that the changes fix the issue.
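To illustrate the signing constraint the comment refers to, here is an added example (not Secretless code): a SigV4 re-signing proxy parses the client's SignedHeaders list and builds its canonical request over exactly those headers, so any header its own HTTP stack adds or rewrites after signing stays outside the signature. The header map keyed by lower-cased name, the dummy secret and the sample header values are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
)

func hmacSHA256(key []byte, data string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(data))
	return h.Sum(nil)
}

// SignedHeaderNames parses the SignedHeaders list out of a SigV4 Authorization header value,
// e.g. "AWS4-HMAC-SHA256 Credential=..., SignedHeaders=host;x-amz-date, Signature=...".
func SignedHeaderNames(authz string) []string {
	for _, part := range strings.Split(authz, ",") {
		part = strings.TrimSpace(part)
		if strings.HasPrefix(part, "SignedHeaders=") {
			return strings.Split(strings.TrimPrefix(part, "SignedHeaders="), ";")
		}
	}
	return nil
}

// CanonicalRequest builds the SigV4 canonical request over exactly the named headers
// (headers is keyed by lower-cased name; names are sorted and values trimmed, as SigV4 requires).
// Headers not in names never enter the signature, so a proxy may add or rewrite them freely.
func CanonicalRequest(method, path string, headers map[string]string, names []string, payloadHash string) string {
	sorted := append([]string(nil), names...)
	sort.Strings(sorted)
	var canon strings.Builder
	for _, n := range sorted {
		canon.WriteString(n + ":" + strings.TrimSpace(headers[n]) + "\n")
	}
	// Empty query string assumed; canon already ends with "\n" as the format demands.
	return strings.Join([]string{method, path, "", canon.String(), strings.Join(sorted, ";"), payloadHash}, "\n")
}

// Signature derives the SigV4 signing key for the date/region/service scope and signs the canonical request.
func Signature(secret, amzDate, region, service, canonReq string) string {
	date := amzDate[:8]
	scope := date + "/" + region + "/" + service + "/aws4_request"
	kSigning := hmacSHA256(hmacSHA256(hmacSHA256(hmacSHA256([]byte("AWS4"+secret), date), region), service), "aws4_request")
	hashed := sha256.Sum256([]byte(canonReq))
	sts := "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + hex.EncodeToString(hashed[:])
	return hex.EncodeToString(hmacSHA256(kSigning, sts))
}
```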
