
Provide a way to omit "x-amz-content-sha256"-Header creation by AwsV4HttpSigner

Open schabe77 opened this issue 1 year ago • 1 comments

Describe the feature

AwsV4HttpSigner should have an option / signer property that prevents creation of "x-amz-content-sha256"-Header.

Use Case

I currently use software.amazon.awssdk.auth.signer.Aws4Signer to sign my requests to API Gateways. But since it's deprecated I wanted to switch to the proposed software.amazon.awssdk.http.auth.aws.signer.AwsV4HttpSigner.

Unfortunately, the requests don't work anymore with the new signer; I always get a "403 Forbidden" response. After having a look at the generated headers, I found out that the problem seems to be the "x-amz-content-sha256" header that is created by AwsV4HttpSigner (and used for the signature) but not by the deprecated Aws4Signer. Without the header the request works; with the header it doesn't.

I also tried to prevent the payload signing by using .putProperty(AwsV4FamilyHttpSigner.PAYLOAD_SIGNING_ENABLED, Boolean.FALSE) but this only results in a x-amz-content-sha256: UNSIGNED-PAYLOAD header that the API-Gateway also doesn't seem to like.

Proposed Solution

I don't know what to suggest.

I first thought of a new signer property, like CONTENT_HASHING_HEADER_ENABLED. The problem with a new property could be that it could collide with the existing AwsV4FamilyHttpSigner.PAYLOAD_SIGNING_ENABLED (PAYLOAD_SIGNING_ENABLED=true, CONTENT_HASHING_HEADER_ENABLED=false).

After having a look at the signer classes, I found out that the contentHash is a really essential part of the signing process. So actually I don't know how to circumvent the problems that occur when accessing the execute-api.

Other Information

Maybe it's already possible to prevent the header. I didn't find a way and my request https://github.com/aws/aws-sdk-java-v2/discussions/5566 wasn't answered.

Acknowledgements

  • [ ] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

AWS Java SDK version used

2.27.20

JDK version used

openjdk version "22.0.2" 2024-07-16

Operating System and version

macOS 14.6.1 (23G93)

schabe77 avatar Sep 10 '24 13:09 schabe77
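The behaviour the report describes (the header being emitted both with payload signing on and with it off) can be observed without sending anything over the network. The following is an added example, not code from the issue or from the SDK project: it assumes the `http-auth-aws` module is on the classpath, uses placeholder credentials and a hypothetical execute-api host, and only runs the signer so the resulting headers can be inspected.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Optional;

import software.amazon.awssdk.http.ContentStreamProvider;
import software.amazon.awssdk.http.SdkHttpMethod;
import software.amazon.awssdk.http.SdkHttpRequest;
import software.amazon.awssdk.http.auth.aws.signer.AwsV4FamilyHttpSigner;
import software.amazon.awssdk.http.auth.aws.signer.AwsV4HttpSigner;
import software.amazon.awssdk.http.auth.spi.signer.SignedRequest;
import software.amazon.awssdk.identity.spi.AwsCredentialsIdentity;

public class ContentSha256HeaderDemo {

    // Placeholder credentials: constructed for this demo, not valid keys.
    private static final AwsCredentialsIdentity CREDENTIALS =
            AwsCredentialsIdentity.create("AKIAPLACEHOLDER0000", "placeholder-secret-key");

    // Hypothetical execute-api endpoint; substitute your own stage host and region.
    private static final String HOST = "abc123.execute-api.eu-central-1.amazonaws.com";
    private static final String REGION = "eu-central-1";

    /** Signs a small JSON POST with the given PAYLOAD_SIGNING_ENABLED setting. */
    static SignedRequest sign(boolean payloadSigningEnabled) {
        byte[] body = "{\"hello\":\"world\"}".getBytes(StandardCharsets.UTF_8);
        ContentStreamProvider payload = () -> new ByteArrayInputStream(body);

        SdkHttpRequest request = SdkHttpRequest.builder()
                .method(SdkHttpMethod.POST)
                .protocol("https")
                .host(HOST)
                .encodedPath("/prod/items")
                .putHeader("Content-Type", "application/json")
                .build();

        AwsV4HttpSigner signer = AwsV4HttpSigner.create();
        return signer.sign(r -> r
                .identity(CREDENTIALS)
                .request(request)
                .payload(payload)
                .putProperty(AwsV4HttpSigner.SERVICE_SIGNING_NAME, "execute-api")
                .putProperty(AwsV4HttpSigner.REGION_NAME, REGION)
                .putProperty(AwsV4FamilyHttpSigner.PAYLOAD_SIGNING_ENABLED, payloadSigningEnabled));
    }

    /** The x-amz-content-sha256 header the signer attached, if any. */
    static Optional<String> contentSha256(SignedRequest signed) {
        return signed.request().firstMatchingHeader("x-amz-content-sha256");
    }

    /**
     * The SignedHeaders list from the Authorization header. If x-amz-content-sha256
     * appears here, the header is covered by the signature and cannot simply be
     * dropped after signing without invalidating the request.
     */
    static String signedHeaders(SignedRequest signed) {
        String auth = signed.request().firstMatchingHeader("Authorization").orElse("");
        for (String part : auth.split(",")) {
            String trimmed = part.trim();
            if (trimmed.startsWith("SignedHeaders=")) {
                return trimmed.substring("SignedHeaders=".length());
            }
        }
        return "";
    }

    public static void main(String[] args) {
        for (boolean enabled : new boolean[] {true, false}) {
            SignedRequest signed = sign(enabled);
            System.out.println("PAYLOAD_SIGNING_ENABLED=" + enabled);
            System.out.println("  x-amz-content-sha256: " + contentSha256(signed).orElse("<absent>"));
            System.out.println("  SignedHeaders:        " + signedHeaders(signed));
        }
    }
}
```

Running this shows the two cases from the report side by side: with payload signing enabled the header carries the hex SHA-256 of the body, with it disabled the header is still present but reads UNSIGNED-PAYLOAD. In both cases the header name appears in SignedHeaders, which is why stripping it from the request after signing is not a workaround: the signature was computed over it, and the receiving side will reject the mismatch.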

I think the best way to avoid the problem would be for the API gateway to accept the x-amz-content-sha256 header. But I don't know where to make this suggestion.

schabe77 avatar Sep 10 '24 13:09 schabe77

I have the same issue with Java SDK version 2.31.77 for the Prometheus ingestion endpoint. For the query endpoint, I see that it works with EnvironmentVariableCredentialsProvider and long-term AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, but when I use WebIdentityTokenFileCredentialsProvider I get 403 Forbidden. I checked the service account, the role policies and the trust permissions, and everything looks good, and the token is present in the file.

eduardscaueru avatar Jul 16 '25 12:07 eduardscaueru

I don't know if it has something to do with the "SigV4a for REST APIs" change in the API Gateway changelog, but now my API Gateway requests signed with AwsV4HttpSigner are accepted.

schabe77 avatar Dec 11 '25 13:12 schabe77

This issue is now closed. Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.

github-actions[bot] avatar Dec 11 '25 13:12 github-actions[bot]