opal
Fetching policy bundle from AWS-S3 fails due to missing header
Describe the bug
When the opal-server is configured to load a policy bundle remotely (OPAL_POLICY_BUNDLE_SERVER_TYPE=AWS-S3), it signs the request using AWS Signature V4.
This header set is missing the required header x-amz-content-sha256. The request will fail.
Per https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html :
The x-amz-content-sha256 header is required for all AWS Signature Version 4 requests. It provides a hash of the request payload. If there is no payload, you must provide the hash of an empty string.
--
To Reproduce
Configure opal server with ENV variables required to fetch from S3:
- OPAL_POLICY_BUNDLE_SERVER_TOKEN_ID=someuser
- OPAL_POLICY_SOURCE_TYPE=API
- OPAL_POLICY_BUNDLE_SERVER_TYPE=AWS-S3
- OPAL_POLICY_BUNDLE_URL=https://somebucket.s3.amazonaws.com
- OPAL_POLICY_BUNDLE_SERVER_TOKEN=somesecret
The server will make a request, lacking the x-amz-content-sha256 header. The request will error out, with S3 returning an XML error message.
Expected behavior
The opal-server should be adding the header x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 to the request. This is the checksum of an empty string, which is required for our read operation.
OPAL version
- Version: [head]
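The signing step the report describes, as an added example that is not OPAL's code and not part of the original report: a Signature V4 header set for a body-less S3 GET, with x-amz-content-sha256 present both as a request header and in SignedHeaders. The function name, the region and the object path are assumptions; the credentials are the placeholder values from the report.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# SHA-256 of an empty payload, required on GET requests that carry no body.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_s3_get(url, access_key, secret_key, region, now):
    """Return the headers for a SigV4-signed S3 GET without a body.

    `now` is a UTC datetime; the query string is assumed to be canonical already.
    """
    parsed = urlparse(url)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = now.strftime("%Y%m%d")
    headers = {
        "host": parsed.netloc,
        "x-amz-content-sha256": EMPTY_SHA256,  # the header the report says is missing
        "x-amz-date": amz_date,
    }
    names = sorted(headers)
    signed_headers = ";".join(names)
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in names)
    canonical_request = "\n".join([
        "GET", parsed.path or "/", parsed.query,
        canonical_headers, signed_headers, EMPTY_SHA256,
    ])
    scope = f"{datestamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    key = _hmac(("AWS4" + secret_key).encode(), datestamp)
    for part in (region, "s3", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers
```

The empty-payload hash appears twice in the signing input, once as a canonical header value and once as the final line of the canonical request.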