aws_request_signing doesn't seem to work in cli nor sdk clients #37732

Open
niloyc opened this issue Dec 18, 2024 · 1 comment

niloyc commented Dec 18, 2024

Trying to use awscliv2 or @aws-sdk/s3-client gives an error, whereas doing a curl command works fine.

I am trying to set up an Envoy proxy to proxy calls to AWS and came across the aws_request_signing HTTP filter. However, it doesn't seem to work when I run s3 commands through the CLI, and it also doesn't work when I use the s3-client from the official AWS Node.js SDK. However, doing a simple GET request via curl works fine. Maybe this is not supported?

Here is the Envoy config I am using. I have also provided AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the Envoy container's env.

  static_resources:
    listeners:
      - name: aws_listener
        address:
          socket_address:
            address: 0.0.0.0
            port_value: 9999
        filter_chains:
        - filters:
          - name: envoy.filters.network.http_connection_manager
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
              codec_type: AUTO
              stat_prefix: ingress_http
              route_config:
                name: local_route
                virtual_hosts:
                - name: app
                  domains:
                  - "*"
                  routes:
                  - match:
                      prefix: "/"
                    route:
                      cluster: s3_gateway
              http_filters:
              - name: envoy.filters.http.aws_request_signing
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigning
                  service_name: s3
                  region: eu-west-1
                  use_unsigned_payload: true
                  host_rewrite: s3.eu-west-1.amazonaws.com
                  match_excluded_headers:
                  - prefix: x-envoy
                  - prefix: x-forwarded
                  - exact: x-amzn-trace-id
              - name: envoy.filters.http.router
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
                  
    clusters:
      - name: s3_gateway
        connect_timeout: 0.25s
        type: LOGICAL_DNS
        dns_lookup_family: V4_ONLY
        lb_policy: ROUND_ROBIN
        load_assignment:
          cluster_name: s3_gateway
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: s3.eu-west-1.amazonaws.com
                    port_value: 443
        transport_socket:
          name: envoy.transport_sockets.tls
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
            sni: "*.amazonaws.com"

Running a curl command works fine:

curl localhost:9999
<?xml version="1.0" encoding="UTF-8"?>
<ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">.....list..of..buckets......</ListAllMyBucketsResult>

But running using awscliv2 doesn't:

aws s3 ls --endpoint-url=http://localhost:9999
An error occurred (AuthorizationHeaderMalformed) when calling the ListBuckets operation: The authorization header is malformed; the authorization header requires three components: Credential, SignedHeaders, and Signature.

Same with the Node.js aws-sdk:

import { ListBucketsCommand, S3Client } from "@aws-sdk/client-s3";

const s3Client = new S3Client({
  region: "eu-west-1",
  endpoint: "http://localhost:9999",
  credentials: {
    accessKeyId: "test",
    secretAccessKey: "test"
  }
});

const callS3 = async () => {
  const result = await s3Client.send(new ListBucketsCommand({}));
  console.log(result);
};

callS3();

Results in,

AuthorizationHeaderMalformed: The authorization header is malformed; the authorization header requires three components: Credential, SignedHeaders, and Signature.
@niloyc niloyc added the triage Issue requires triage label Dec 18, 2024
@adisuissa adisuissa added area/aws_request_signing and removed triage Issue requires triage labels Dec 18, 2024
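
Added example, not part of the original issue and not Envoy or AWS SDK code: a Node.js check that splits a SigV4 `Authorization` header value into the three components named in the S3 error above and compares its credential scope with the `region` and `service_name` from the filter config. `checkSigV4Authorization` is a hypothetical helper name, and the header values are constructed samples rather than traffic captured from this setup.

```javascript
// Added diagnostic example (hypothetical helper; not Envoy or AWS SDK code).
const ALGORITHM = "AWS4-HMAC-SHA256";
const REQUIRED = ["Credential", "SignedHeaders", "Signature"];

function checkSigV4Authorization(value, expected = { region: "eu-west-1", service: "s3" }) {
  const problems = [];
  const trimmed = String(value || "").trim();
  const space = trimmed.indexOf(" ");
  const algorithm = space === -1 ? trimmed : trimmed.slice(0, space);
  if (algorithm !== ALGORITHM) problems.push(`unexpected algorithm: ${algorithm || "(empty)"}`);

  // After the algorithm token come comma-separated key=value components.
  const fields = new Map();
  const rest = space === -1 ? "" : trimmed.slice(space + 1);
  for (const part of rest.split(",")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    const key = part.slice(0, eq).trim().split(/\s+/).pop();
    if (fields.has(key)) problems.push(`duplicate component: ${key}`);
    fields.set(key, part.slice(eq + 1).trim());
  }
  for (const name of REQUIRED) if (!fields.get(name)) problems.push(`missing component: ${name}`);

  // Credential is <access-key-id>/<yyyymmdd>/<region>/<service>/aws4_request.
  const credential = fields.get("Credential");
  if (credential) {
    const scope = credential.split("/");
    if (scope.length !== 5 || scope[4] !== "aws4_request") {
      problems.push("credential scope is malformed");
    } else {
      if (!/^\d{8}$/.test(scope[1])) problems.push(`bad scope date: ${scope[1]}`);
      if (scope[2] !== expected.region) problems.push(`region ${scope[2]} != ${expected.region}`);
      if (scope[3] !== expected.service) problems.push(`service ${scope[3]} != ${expected.service}`);
    }
  }
  const signature = fields.get("Signature");
  if (signature && !/^[0-9a-f]{64}$/.test(signature)) problems.push("signature is not 64 hex chars");
  const signedHeaders = (fields.get("SignedHeaders") || "").split(";").filter(Boolean);
  return { ok: problems.length === 0, problems, signedHeaders };
}

// Constructed sample values (not captured traffic); the key id and signature are placeholders.
const SIG = "a".repeat(64);
const GOOD = "AWS4-HMAC-SHA256 Credential=AKIAEXAMPLE/20241218/eu-west-1/s3/aws4_request, " +
  `SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=${SIG}`;
const NO_SIGNATURE = GOOD.slice(0, GOOD.lastIndexOf(","));
const WRONG_REGION = GOOD.replace("eu-west-1", "us-east-1");
for (const s of [GOOD, NO_SIGNATURE, WRONG_REGION]) console.log(checkSigV4Authorization(s).problems);
```

Feeding it the `Authorization` value that actually reaches the upstream (for example from Envoy debug logging of request headers) shows which of the three components is absent, repeated, or scoped to a different region or service.
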
@adisuissa
Contributor

cc @suniltheta @nbaws as codeowners
