S3 region ignored #31
Comments
|
Hi @Szasza! Can you rerun with |
|
Thank you for the quick response @benesch, it is much appreciated. It looks like that vagrant first tries to get the image without auth (no AWS params in the URL at the end of the start process line). Also, the error message for the 403 is misleading. INFO warden: Calling IN action: #VagrantPlugins::S3Auth::ExpandS3Urls:0x007f19f82d39f8 INFO warden: Calling IN action: #VagrantPlugins::LoginCommand::AddAuthentication:0x007f19f82d39a8 DEBUG client: Using authentication token from disk at /home/USER/.vagrant.d/data/vagrant_login_token INFO warden: Calling OUT action: #VagrantPlugins::LoginCommand::AddAuthentication:0x007f19f82d39a8 INFO warden: Calling OUT action: #VagrantPlugins::S3Auth::ExpandS3Urls:0x007f19f82d39f8 INFO box_add: Downloading box: https://BUCKETNAME.s3-ap-southeast-2.amazonaws.com/RESOURCEPATH => /home/USER/.vagrant.d/tmp/BOXID INFO downloader: HEAD: https://BUCKETNAME.s3-ap-southeast-2.amazonaws.com/RESOURCEPATH INFO subprocess: Starting process: ["/opt/vagrant/embedded/bin/curl", "-I", "-q", "--fail", "--location", "--max-redirs", "10", "--user-agent", "Vagrant/1.8.6 (+https://www.vagrantup.com; ruby2.2.5)", "--continue-at", "-", "-H", "Accept: application/json", "https://BUCKETNAME.s3-ap-southeast-2.amazonaws.com/RESOURCEPATH"] DEBUG subprocess: Selecting on IO DEBUG subprocess: stderr: % Total % Received % Xferd Average Speed Time Time Time Current DEBUG subprocess: stderr: curl: (22) The requested URL returned error: 403 Forbidden DEBUG subprocess: Waiting for process to exit. Remaining to timeout: 31999 DEBUG subprocess: Exit status: 22 WARN downloader: Downloader exit code: 22 S3 client configured for "us-east-1" but the bucket "BUCKETNAME" is in "ap-southeast-2"; Please configure the proper region to avoid multiple unnecessary redirects and signing attempts INFO downloader: s3auth: Discovered S3 URL: https://BUCKETNAME.s3-ap-southeast-2.amazonaws.com/RESOURCEPATH DEBUG downloader: s3auth: Bucket: "BUCKETNAME" DEBUG downloader: s3auth: Key: "RESOURCEPATH" INFO downloader: s3auth: Generating signed URL for HEAD INFO subprocess: Starting process: ["/opt/vagrant/embedded/bin/curl", "-I", "-q", "--fail", "--location", "--max-redirs", "10", "--user-agent", "Vagrant/1.8.6 (+https://www.vagrantup.com; ruby2.2.5)", "--continue-at", "-", "-H", "Accept: application/json", "https://BUCKETNAME.s3-ap-southeast-2.amazonaws.com/RESOURCEPATH?AWSPARAMS"] DEBUG subprocess: Selecting on IO DEBUG subprocess: stderr: % Total % Received % Xferd Average Speed Time Time Time Current DEBUG subprocess: stdout: HTTP/1.1 200 OK |
|
?! vagrant-s3auth always lets Vagrant give the box URL an unauthenticated try first. (Source: vagrant-s3auth/lib/vagrant-s3auth/extension/downloader.rb Lines 69 to 76 in f7e6a03 But it seems the rest of the output is quite alright! Does the box get added successfully and just print a warning message along the way? |
|
It explains it if vagrant-s3auth always gives the control to vagrant first, yes, the box gets addedd successfully apart from the message. In this case, the following would be more of a nice-to-have:
Your consideration is highly appreciated. |
|
Sorry for the delay—I just can't manage to repro this. It's quite possible that it's our internal AWS SDK that's generating that message, but I can't manage to trigger it on my machine. Does this happen if you use an S3 URL instead? E.g., s3://BUCKET/JSONPATH. |
|
I'm guilty as charged regarding the delay too. Yes, it happens with every type of URL, S3 included. There is no other vagrant plugin in use either. |
|
Hmmmmmmm. What version of Vagrant, what version of vagrant-s3auth, and what version of the OS are you using? |
|
Vagrant 1.8.6 |
|
Ahhh, finally managed to reproduce this. Sorry for the long delay! Turns out it's an upstream bug in the AWS SDK. I've filed a PR! aws/aws-sdk-ruby#1374 I assume your bucket doesn't include any periods ( |
The AWS SDK attempts to use host-style endpoints when the bucket name contains only DNS-compliant characters and no periods. (Names with periods break the SSL wildcard certificate.) Unfortunately, due to the implementation details of AWS Signature V4, the GetBucketLocation request now requires path-style endpoints, even when the bucket name is otherwise compatible with host-style endpoints. The AWS SDK has a bug, aws/aws-sdk-ruby#1374, that causes GetBucketLocation requests to be made with host-style endpoints instead of path-style endpoints. The AWS SDK catches the error and retries with the appropriate request, but prints an annoying warning in the process. This commit works around the issue for now, thus fixing #31.
|
Thank you @benesch for looking into the matter, it is much appreciated. |
|
Of course! vagrant-s3auth 1.3.1 (just released on Saturday) should solve the issue! |
Hi @benesch,
Problem: it seems that the S3 region is not being picked up from the box_url.
Example URL: https://BUCKETNAME.s3-ap-southeast-2.amazonaws.com/JSONPATH
Result: a message stating S3 client configured for "us-east-1" but the bucket "BUCKETNAME" is in "ap-southeast-2"; Please configure the proper region to avoid multiple unnecessary redirects and signing attempts
Expected result: box fetched directly from "ap-southeast-2"
The text was updated successfully, but these errors were encountered: