S3 session token authentication fails with AWS SDKs: SignatureDoesNotMatch error with JWT tokens #750

@Nordalf

Bug report

  • I confirm this is a bug with Supabase, not with my own application.
  • I confirm I have searched the Docs, GitHub Discussions, and Discord.

Describe the bug

When using the S3-compatible storage with JWT session token authentication, both the Rust object_store crate and AWS SDK for JavaScript v3 fail with identical "SignatureDoesNotMatch" errors. The error message specifically states: "The request signature we calculated does not match the signature you provided. Check your credentials. The session token should be a valid JWT token."

This occurs despite:

  • Using correct credentials (project reference, publishable key, valid JWT)
  • JWT working successfully with Supabase's REST API
  • Generated S3 access/secret key pairs working perfectly
  • Proper AWS Signature Version 4 format being followed

The issue appears to be related to Supabase's S3 gateway incompatibility with modern AWS SDK implementations when processing JWT session tokens, similar to reported rclone issues where AWS SDK v2 fails but v1 works.

Note: Issue likely related to Supabase S3 gateway compatibility with modern AWS SDK signature implementations, as referenced in rclone issue where AWS SDK v2 fails but v1 works with Supabase S3.

To Reproduce

Steps to reproduce the behavior, please provide code snippets or a repository:

Rust (object_store):

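// Requires the `futures` and `tokio` crates in addition to `object_store`.
use futures::TryStreamExt;
use object_store::{aws::AmazonS3Builder, ObjectStore};

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let s3 = AmazonS3Builder::new()
        .with_endpoint("https://project-ref.supabase.co/storage/v1/s3")
        .with_access_key_id("project_ref")
        .with_secret_access_key("publishable_key")
        .with_token("jwt_session_token") // JWT from supabase.auth.getSession().access_token
        .with_virtual_hosted_style_request(false)
        .build()?;

    // Any operation fails
    // list() returns a stream, so it is collected here to drive the request
    let result = s3.list(None).try_collect::<Vec<_>>().await; // Returns SignatureDoesNotMatch error
    println!("{result:?}");
    Ok(())
}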

JavaScript (AWS SDK v3):

import { S3Client, ListObjectsV2Command } from '@aws-sdk/client-s3';

const client = new S3Client({
  forcePathStyle: true,
  region: 'eu-north-1',
  endpoint: 'https://project-ref.supabase.co/storage/v1/s3',
  credentials: {
    accessKeyId: 'project_ref',
    secretAccessKey: 'supabase_anon_key',
    sessionToken: 'jwt_session_token', // Same JWT token
  },
});

const response = await client.send(new ListObjectsV2Command({
  Bucket: 'bucket-name',
  MaxKeys: 10 // For testing purposes (the SDK v3 input field is `MaxKeys`)
})); // Throws SignatureDoesNotMatch error

Expected behavior

S3 operations using JWT session tokens should succeed when the JWT is valid and the user has appropriate RLS permissions, identical to how generated S3 access/secret key pairs currently work.

Screenshots

Not applicable

System information

  • OS: macOS
  • object_store: 0.12.2
  • AWS SDK for JavaScript: 3.864.0+
  • Supabase: Current (post-July 2025 JWT algorithm changes)
  • JWT Algorithm: ES256 (asymmetric signing)

Additional context

Using Supabase's generated S3 credentials (without JWT) works with identical code.

Issue likely related to Supabase S3 gateway compatibility with modern AWS SDK signature implementations, as referenced in rclone issue where AWS SDK v2 fails but v1 works with Supabase S3.
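
Added example (not part of the original issue and not Supabase's or the SDKs' code): a dependency-free Node.js recomputation of the SigV4 header signature for the ListObjectsV2 request above, showing that the result depends on the secret access key and, when `x-amz-security-token` is a signed header, on the session token as well. The timestamp is constructed, the query string is assumed to be already canonical (sorted and URI-encoded), and the comparison does not identify which input the gateway handles differently.

```javascript
// Added example: minimal SigV4 header signing for S3 (placeholders taken from the issue).
const crypto = require('node:crypto');

const sha256hex = (s) => crypto.createHash('sha256').update(s).digest('hex');
const hmac = (key, s) => crypto.createHmac('sha256', key).update(s).digest();

// headers: lowercase header name -> value; every header passed in is signed.
function signV4({ method, path, query, headers, payloadHash, secretKey, region, amzDate }) {
  const names = Object.keys(headers).sort();
  const signedHeaders = names.join(';');
  const canonicalRequest = [
    method, path, query,
    names.map((n) => `${n}:${headers[n].trim()}\n`).join(''),
    signedHeaders, payloadHash,
  ].join('\n');
  const date = amzDate.slice(0, 8);
  const scope = `${date}/${region}/s3/aws4_request`;
  const stringToSign =
    ['AWS4-HMAC-SHA256', amzDate, scope, sha256hex(canonicalRequest)].join('\n');
  // The signing key is derived from the secret access key, date, region and service.
  let key = hmac('AWS4' + secretKey, date);
  for (const part of [region, 's3', 'aws4_request']) key = hmac(key, part);
  return { canonicalRequest, signedHeaders, signature: hmac(key, stringToSign).toString('hex') };
}

// Constructed request: path-style ListObjectsV2 with an empty body.
const EMPTY = sha256hex('');
const base = {
  method: 'GET', path: '/storage/v1/s3/bucket-name', query: 'list-type=2&max-keys=10',
  payloadHash: EMPTY, secretKey: 'publishable_key', region: 'eu-north-1',
  amzDate: '20250101T000000Z', // constructed timestamp
};
const common = {
  host: 'project-ref.supabase.co', 'x-amz-content-sha256': EMPTY, 'x-amz-date': base.amzDate,
};
const withToken = { ...common, 'x-amz-security-token': 'jwt_session_token' };

// Client view versus two hypothetical verifier-side recomputations.
function compareSignatures() {
  return {
    client: signV4({ ...base, headers: withToken }),
    verifierWithoutToken: signV4({ ...base, headers: common }),
    verifierOtherSecret: signV4({ ...base, secretKey: 'different_secret', headers: withToken }),
  };
}

const r = compareSignatures();
console.log(r.client.signedHeaders);
console.log(r.client.signature === r.verifierWithoutToken.signature); // false
console.log(r.client.signature === r.verifierOtherSecret.signature);  // false
```

Comparing the `canonicalRequest` string printed here with the `SignedHeaders` value in the failing request's `Authorization` header is a quick way to see exactly which headers the SDK signed.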
