S3 PHP SDK using X-Amz-Expires results in "Request has expired" error

[atrauzzi]

Expected Behavior

Download of the file should commence within the time period specified.

Current Behavior

Minio is serving the following response:

<?xml version="1.0" encoding="UTF-8"?>
<Error>
    <Code>AccessDenied</Code>
    <Message>Request has expired</Message>
    <Key></Key>
    <BucketName></BucketName>
    <Resource>/files/3bd5da5e-4f72-4142-b43f-266f5f56f95f/original</Resource>
    <RequestId>3L137</RequestId>
    <HostId>3L137</HostId>
</Error>

Possible Solution

If we look at the code I'm using:

        // Carbon is a popular PHP utility library that subclasses the built-in `DateTime` type.
        $expiry = Carbon
            ::now()
            ->addSeconds(5);

And then if we look at the URI sent back by minio to the SDK:

Uri {#1073
  -scheme: "http"
  -userInfo: ""
  -host: "my.local.dev"
  -port: null
  -path: "/files/3bd5da5e-4f72-4142-b43f-266f5f56f95f/original"
  -query: "X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=local123%2F20180702%2Fglobal%2Fs3%2Faws4_request&X-Amz-Date=20180702T143813Z&X-Amz-SignedHeaders=host&X-Amz-Expires=5&X-Amz-Signature=eb0f5ce2a08e78f66a0936921ab7f6eb22f7153536bf8c78b29fa8cc118050ce"
  -fragment: ""
}

... you can see X-Amz-Expires=5, which I'm not sure is correct? Hard to say as nothing really outlines what kind of values should go in here. Of note is that if I increase the number of seconds in my code above up to 100, the download works.

This leaves me with the suspicion that somehow, minio is receiving the correct timestamp from the SDK, but the URI it sends back is either not correct, or it isn't interpreting the URI it sends back correctly. Rather than seconds, it might now be thinking it's milliseconds?

Steps to Reproduce (for bugs)

All that's necessary is to use the AWS PHP SDK to generate a signed URI with a time limit against minio.

Context

I would like to avoid streaming bytes directly from my worker nodes, so I am looking to facilitate a short window in which I can generate redirects to timed URIs against storage.

Your Environment

• Version used (minio version): Latest docker
• Environment name and version (e.g. nginx 1.9.1): PHP FPM 7.2, nginx, Laravel 5.6
• Server type and version: Linux
• Operating System and version (uname -a): Ubuntu

[kannappanr]

@atrauzzi One scenario where this can happen is that the clock on the client and the server is not in sync, which would explain why increasing the expire time helps in your case.

You can try a command similar to the following using mc and see if it works

google-chrome `mc --json share download --expire=5s play/testphp/issue | jq .share | tr -d '"'`

I have set an expiry time of 5 seconds. The s3 alias used here is play, the bucket used here is testphp and the object is called issue. You can check this command against play. You can also modify the command to connect to the server that you are testing against from the client machine where you are generating the pre-signed url link from.

Please let us know how it goes

[atrauzzi]

The server and client are both running on the same machine in my case.

[kannappanr]

@atrauzzi The docker container and the host machine are out of sync which is causing this issue. Can you please run ntp on the host machine, that should fix the issue.

[atrauzzi]

Related? docker/for-mac#2076

[kannappanr]

@atrauzzi There is definitely a time sync issue between the client and the server. In this case, it is the host machine and the docker container. If you can make sure that there is no time difference, you will not see this issue anymore. We will also make sure that there is allowed skew between the client and the server.

[atrauzzi]

Sounds good!

[lock]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.