
Fetching policy bundle from AWS-S3 fails due to missing header

Open kbalthaser opened this issue 7 months ago • 1 comment

Describe the bug

When the opal-server is configured to load a policy bundle remotely (OPAL_POLICY_BUNDLE_SERVER_TYPE=AWS-S3), it signs the request using AWS Signature V4.

This header set is missing the required header x-amz-content-sha256. The request will fail.

Per https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html :

The x-amz-content-sha256 header is required for all AWS Signature Version 4 requests. It provides a hash of the request payload. If there is no payload, you must provide the hash of an empty string.

--
To Reproduce

Configure opal server with ENV variables required to fetch from S3:

  • OPAL_POLICY_BUNDLE_SERVER_TOKEN_ID=someuser
  • OPAL_POLICY_SOURCE_TYPE=API
  • OPAL_POLICY_BUNDLE_SERVER_TYPE=AWS-S3
  • OPAL_POLICY_BUNDLE_URL=https://somebucket.s3.amazonaws.com
  • OPAL_POLICY_BUNDLE_SERVER_TOKEN=somesecret

The server will make a request lacking the x-amz-content-sha256 header. The request will error out, with S3 returning an XML error message.

Expected behavior

The opal-server should be adding the header x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 to the request. This is the checksum of an empty string, which is required for our read operation.

OPAL version

  • Version: [head]

kbalthaser, Nov 22 '23 20:11
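As an added illustration of the missing header (this is not OPAL's own code), the block below builds the SigV4 header set for an S3 GET the way the AWS documentation describes, showing where x-amz-content-sha256 enters the canonical request, and adds a check a maintainer can run against outgoing headers. The bucket URL, credentials and region are placeholders; the canonical URI is assumed to be already URI-encoded with no query string.

```python
import datetime
import hashlib
import hmac
from urllib.parse import urlparse

# SHA-256 of an empty payload, which a GET with no body must send as x-amz-content-sha256.
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()

REQUIRED_SIGV4_HEADERS = ("host", "x-amz-date", "x-amz-content-sha256", "authorization")


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_headers(url, access_key, secret_key, region="us-east-1", payload=b"", now=None):
    """Return the headers for a SigV4-signed S3 GET of `url` (placeholder inputs are fine)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    parsed = urlparse(url)
    path = parsed.path or "/"  # assumed already canonical (URI-encoded, no query string)
    payload_hash = hashlib.sha256(payload).hexdigest()
    # Every signed header, keyed by lowercase name; SigV4 requires them sorted.
    headers = {"host": parsed.netloc, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # Method, URI, query string, headers, signed header list, payload hash (AWS canonical form).
    canonical_request = "\n".join(["GET", path, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k_date = _hmac_sha256(("AWS4" + secret_key).encode(), date_stamp)
    k_signing = _hmac_sha256(_hmac_sha256(_hmac_sha256(k_date, region), "s3"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def missing_required_headers(headers):
    """Names of SigV4 headers absent from an outgoing request (case-insensitive)."""
    present = {k.lower() for k in headers}
    return sorted(h for h in REQUIRED_SIGV4_HEADERS if h not in present)


if __name__ == "__main__":
    hdrs = sigv4_headers("https://somebucket.s3.amazonaws.com/", "someuser", "somesecret")
    print(hdrs["x-amz-content-sha256"], missing_required_headers(hdrs))
```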