S3Sync.net
February 02, 2014, 01:19:19 PM *
Welcome, Guest. Please login or register.

Login with username, password and session length
 
   Home   Help Search Login Register  
Pages: [1]
  Print  
Author Topic: SignatureDoesNotMatch/403 Forbidden (s3sync, s3cmd is fine)  (Read 6595 times)
knitter
Newbie
*
Posts: 3


View Profile
« on: January 25, 2009, 02:37:04 AM »

I was trying to figure out why my s3sync commands tonite would not succeed.  I suddenly started getting SignatureDoesNotMatch errors.  After some testing with s3cmd and performing few packet traces I found that s3sync adds some x-amz headers to the PUT calls, whereas s3cmd does not.

Perplexed by this, I looked up the documentation and found at http://docs.amazonwebservices.com/AmazonS3/latest/index.html?RESTAuthentication.html#RESTAuthenticationExamples that it states you HAVE to calculate your Authorization Signature by including specific information which includes the x-amz headers, which s3sync IS doing properly.

What has changed (cause this worked previously) appears to be on Amazon's side because my same backups used to work flawlessly.  I removed the logic from the S3.rb file in the S3.canonical_string() function which includes the AMAZON_HEADER_PREFIX by simply changing the line of code to:

    lk =~ /^x#{AMAZON_HEADER_PREFIX}/o)

Adding the "x" at the beginning made it not match, and now the x-amz headers are no longer used in the Authentication Signature calculation.

Why would this have changed at Amazon?  Note the link above which makes this a requirement is a reference to the "latest" documents...

Thoughts?


Logged
ferrix
Sr. Member
****
Posts: 363


(I am greg13070 on AWS forum)


View Profile
« Reply #1 on: January 26, 2009, 07:21:13 PM »

Signing has always been black box to me.  Did they update the "example" ruby libraries?  Maybe I need to merge in changes.

I'm concerned about possibly breaking existing functionality.  Can anyone else comment on this change?  My own backups seem as fine as usual.  But I'm not setting x-amz-acl or anything like that..
Logged
knitter
Newbie
*
Posts: 3


View Profile
« Reply #2 on: January 26, 2009, 08:03:41 PM »

Yeah, nothing changed on my end.

FWIW, I'm running on Windows.  I can provide more specifics if you want to do some negative testing.

Perhaps an s3sync config could be added for "include amz headers in signature calculation" in case this flip flops more?  Modifying code is probably beyond most people, and it did indeed take me about 3 hours to dig out that needle form the haystack! Smiley

HTH!
Logged
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2013, Simple Machines Valid XHTML 1.0! Valid CSS!