
Check your key and signing method - Error

Open drduker opened this issue 7 years ago • 3 comments

I'm getting this error message when trying to get and put to an aws s3 bucket. Is there an option so that I can bypass this signature as a workaround without making the bucket public?

error running command: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method. status code: 403, request id: 82404AB544025563, host id: pfjz4AQkYTToR4vcMFEublahdsdsdd....VG10wmEQboetphIEav82L8w1c=

Pipeline is configured as follows:

    - name: healthwatch-product-s3
      type: s3
      source:
        access_key_id: ((s3.access_key_id))
        bucket: ((s3.buckets.product))
        regexp: p-healthwatch-(.*).pivotal
        region_name: ((s3.region_name))
        secret_access_key: ((s3.secret_access_key))
        endpoint: ((s3.endpoint))

Running on an upgraded Concourse 4.2.1 BOSH deployment version.

drduker, Oct 23 '18 16:10

Also tried specifying this:

    - name: s3
      type: docker-image
      source:
        repository: concourse/s3-resource
        tag: pr-105

and tried this:

    - name: s3
      type: docker-image
      source:
        repository: concourse/s3-resource
        tag: 1.0.0

drduker, Oct 23 '18 17:10

I believe this might be related: https://github.com/aws/aws-sdk-php/issues/239

drduker, Oct 23 '18 17:10

OK, I think I found the cause. I’ve been playing around with how the files and folders work with both the “regexp” or the “versioned_file”. Versioning of the bucket does matter (you need to use the versioned_file param instead of regex), but what matters even more is that you cannot specify folders within a bucket as the bucket name like this in the params file:

    s3:
      access_key_id: ((aws_access_key_id))
      region_name: "us-east-1"
      buckets:
        foo: "automation/foo/"
        bar: "automation/bar"
      secret_access_key: ((aws_secret_access_key))
      endpoint: "s3-us-east-1.amazonaws.com"

If you do, it will only work partly, as in the file will upload with v2 signing but the file check will not work. As a workaround I have just specified “automation” as the bucket for both s3.buckets.foo and s3.buckets.bar. And then in the regex I have added the folder to the beginning of the filename like so: “fo/ubuntu-trusty-vm.tgz”

If this folder specification cannot be corrected then I suggest that the error be updated.

drduker, Oct 23 '18 21:10
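
A pre-flight check for the misconfiguration described in the last comment, as an added example that is not part of the thread or of the s3-resource project: it flags a `bucket` value that contains a folder and moves the folder to the front of `regexp` or `versioned_file`, which is the workaround the comment describes. The function names are hypothetical, and the check assumes the `((...))` variables have already been interpolated into the `source` mapping.

```python
import re

# General-purpose S3 bucket names: 3-63 chars of lowercase letters, digits,
# dots and hyphens, starting and ending with a letter or digit. No "/".
BUCKET_NAME = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")


def split_bucket(value):
    """Split 'bucket/some/folder/' into ('bucket', 'some/folder/')."""
    bucket, _, prefix = value.strip().partition("/")
    prefix = prefix.strip("/")
    return bucket, (prefix + "/" if prefix else "")


def lint_source(source):
    """Check one resolved `source` mapping; return (fixed_copy, findings)."""
    fixed, findings = dict(source), []
    bucket, prefix = split_bucket(source["bucket"])
    if prefix:
        findings.append(
            f"bucket {source['bucket']!r} contains a folder; use bucket "
            f"{bucket!r} and put {prefix!r} at the start of the object path"
        )
        fixed["bucket"] = bucket
        # Move the folder into whichever object selector the resource uses.
        for key in ("regexp", "versioned_file"):
            if key in fixed and not fixed[key].startswith(prefix):
                fixed[key] = prefix + fixed[key]
    if not BUCKET_NAME.fullmatch(bucket):
        findings.append(f"{bucket!r} is not a valid S3 bucket name")
    return fixed, findings


if __name__ == "__main__":
    # Constructed sample: bucket value from the thread, made-up regexp.
    sample = {"bucket": "automation/foo/", "regexp": "ubuntu-trusty-vm-(.*).tgz"}
    fixed, findings = lint_source(sample)
    for finding in findings:
        print("WARN:", finding)
    print(fixed)
```

Running a check like this before `fly set-pipeline` surfaces the problem as a configuration warning instead of a `SignatureDoesNotMatch` 403 at check time.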