aws-sdk-go-v2

AnonymousCredentials is not respected by S3 API

Open Skarlso opened this issue 3 years ago • 3 comments

Describe the bug

This example from the config:

     cfg, err := config.LoadDefaultConfig(context.TODO(),
          config.WithCredentialsProvider(aws.AnonymousCredentials{}),
     )
     if err != nil {
          log.Fatalf("failed to load config, %v", err)
     }

     client := s3.NewFromConfig(cfg)

Appears not to be working. I'm continuously getting:

failed to download object: failed to download object: operation error S3: GetObject, https response error StatusCode: 400, RequestID: P1798PT7VKT91F2G, HostID: 8n/QxzsA2zbydvxcRYEEv1Q/N+MEEdKb1jVR9VfY2JeWQENJSFExcl7UPAI/Tqvwwo2MpaK7vdEVpuF40TuTqw==, api error AuthorizationHeaderMalformed: The authorization header is malformed; a non-empty Access Key (AKID) must be provided in the credential.

I don't know what else to do with this.

The AWS cli works:

aws s3api get-object --bucket skarlso-test-bucket-01 --key file.tar.gz file.tar.gz --no-sign-request

This does download my file.

The SDK does not. I cleared my environment of credentials.

Expected Behavior

That it works.

Current Behavior

It does not.

Reproduction Steps

code:

	ctx := context.Background()
	opts := []func(*config.LoadOptions) error{
		config.WithRegion(region),
	}
	if creds != nil {
		opts = append(opts, config.WithCredentialsProvider(awscreds.StaticCredentialsProvider{
			Value: aws.Credentials{
				AccessKeyID:     creds.AccessKeyID,
				SecretAccessKey: creds.AccessSecret,
			},
		}))
	} else {
		opts = append(opts, config.WithCredentialsProvider(aws.AnonymousCredentials{}))
	}
	cfg, err := config.LoadDefaultConfig(ctx, opts...)
	if err != nil {
		return nil, err
	}
	client := s3.NewFromConfig(cfg)
	downloader := manager.NewDownloader(client)

	var blob []byte
	buf := manager.NewWriteAtBuffer(blob)

	input := &s3.GetObjectInput{
		Bucket: aws.String(bucket),
		Key:    aws.String(key),
	}
	if version != "" {
		input.VersionId = aws.String(version)
	}
	if _, err := downloader.Download(ctx, buf, input); err != nil {
		return nil, fmt.Errorf("failed to download object: %w", err)
	}

Possible Solution

No response

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

latest

Compiler and Version used

go1.19

Operating System and version

osx

Skarlso • Aug 10 '22 09:08

I found what's causing the bug. If I explicitly set creds in the s3 client like this:

	client := s3.NewFromConfig(cfg, func(options *s3.Options) {
		options.Credentials = aws.AnonymousCredentials{}
	})

THEN it works. Meaning, the propagation of creds isn't quite working because cfg has been set up correctly beforehand. But that was not enough.

Skarlso • Aug 10 '22 11:08
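A client-side check for the three cases in this thread (unsigned, signed, signing attempted with an empty access key ID), added here as an example; it is not code from the issue or from the SDK. `ClassifyAuth`, `AuthInspector` and the state names are this example's own, the header value in `main` is constructed, and it assumes the SigV4 header layout `AWS4-HMAC-SHA256 Credential=<AKID>/<scope>, SignedHeaders=..., Signature=...`.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// Signing states for an outgoing request (names are this example's own).
const (
	Unsigned  = "unsigned"               // no Authorization header, like --no-sign-request
	Signed    = "signed"                 // SigV4 with a non-empty access key ID
	EmptyAKID = "signed-with-empty-akid" // SigV4 attempted without an access key ID
	OtherAuth = "other-auth-scheme"      // not a SigV4 header at all
)

// ClassifyAuth reports how the Authorization header of a request was built.
func ClassifyAuth(h http.Header) string {
	auth := h.Get("Authorization")
	if auth == "" {
		return Unsigned
	}
	scheme, params, _ := strings.Cut(auth, " ")
	if !strings.HasPrefix(scheme, "AWS4-") {
		return OtherAuth
	}
	for _, p := range strings.Split(params, ",") {
		k, v, _ := strings.Cut(strings.TrimSpace(p), "=")
		// The access key ID is everything before the first "/" of the scope.
		if akid, _, _ := strings.Cut(v, "/"); k == "Credential" && akid != "" {
			return Signed
		}
	}
	return EmptyAKID // Credential missing, or its access key ID is empty
}

// AuthInspector is an http.RoundTripper that logs the signing state per request.
type AuthInspector struct{ Next http.RoundTripper }

func (a *AuthInspector) RoundTrip(r *http.Request) (*http.Response, error) {
	log.Printf("%s %s auth=%s", r.Method, r.URL.Host, ClassifyAuth(r.Header))
	return a.Next.RoundTrip(r)
}

func main() {
	// Constructed header value with an empty access key ID in the credential.
	h := http.Header{"Authorization": {"AWS4-HMAC-SHA256 Credential=/20220810/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=00"}}
	log.Println(ClassifyAuth(h), ClassifyAuth(http.Header{}))
}
```

To watch real SDK traffic, pass `&http.Client{Transport: &AuthInspector{Next: http.DefaultTransport}}` through `config.WithHTTPClient`; a request made with anonymous credentials in effect carries no `Authorization` header and logs as `unsigned`.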

Hi @Skarlso, I was able to confirm this is an issue.

Will update you when we have a fix ready.

RanVaknin • Aug 11 '22 22:08

Fantastic! Thank you!

Skarlso • Aug 12 '22 04:08

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see. If you need more assistance, please either tag a team member or open a new issue that references this one. If you wish to keep having a conversation with other community members under this issue feel free to do so.

github-actions[bot] • Oct 21 '22 14:10

Nice, well done! Thank you! :)

Skarlso • Oct 21 '22 19:10