Cloud Bucket Access via Amazon S3 URL Signing v4 Not Working for Explicit Bucket Domain [62410187]

Fixed

Bug

Status Update

No update yet.

Description

rd...@gmail.com

created issue #1

Jun 7, 2017 04:04PM

Issue Description: When using URL signing to access google cloud storage bucket, the signing process works if we use

storage.googleapis.com/bucket/ but not if we use

bucket.storage.googleapis.com. For our use case we need the signing method to work for the explicit bucket domain name.

Ref Other Users with Same Issue:

https://github.com/saltstack/salt/issues/31522
AWS S3 Signing v4 Documentation:

http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
Google Cloud Documentation on Signing:

https://cloud.google.com/storage/docs/access-control/signed-urls#top_of_page

Comments

nh...@google.com <nh...@google.com> Jun 8, 2017 01:15PM

Assigned to ma...@google.com.

rd...@gmail.com <rd...@gmail.com> #2Jun 21, 2017 12:45PM

Any update on an ETA to complete?

ma...@google.com <ma...@google.com> #3Jun 28, 2017 09:46PM

Marked as fixed.

We tracked the problem down to an upstream component canonicalizing the request URI to the /bucket/object form, which was breaking the signature. We've plumbed the original URI down to use in the signature, so it should be working now.

mm...@2bn.net <mm...@2bn.net> #4Jun 28, 2017 09:57PM

I am still not able to access domain-based buckets directly (Works as

storage.googleapis.com/domain.bucket.com/object, but not

domain.bucket.com/object), I still just get a signature error.

Also, as a side note, AWS gives more debug output in their error that makes it much easier to debug this issue.

ma...@google.com <ma...@google.com> #5Jun 28, 2017 10:46PM

Status: Assigned (reopened)

Thanks for checking Matt. The API should return the string to sign GCS calculated. We can also return the calculated Canonical Request, is there anything else that would be helpful?

mm...@2bn.net <mm...@2bn.net> #6Jun 28, 2017 11:08PM

I think the string to sign and the canonical request are what AWS returns when it throws the same error, and having the canonical request would be hugely helpful in this case. I don't have perms to see the 63114020 issue you added as a blocker, is that an issue for the domain buckets?

rd...@gmail.com <rd...@gmail.com> #7Jul 17, 2017 05:06PM

Just checking back on this. Any status update?

ma...@google.com <ma...@google.com> #8Jul 17, 2017 08:22PM

We have the fix working in our test environment, but it's waiting for rollout to production. It's stacked up behind several other changes, but I'll update here once the rollout starts. We're looking at ~3 weeks.

ma...@google.com <ma...@google.com> #9Aug 15, 2017 05:19PM

The fix is finally live! I just tested with the aws python example, and the

bucket.storage.googleapis.com form is working. Please let me know if it works for you.

Canonical Request: GET
/

host:

my-test-bucket.storage.googleapis.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20170815T171638Z

host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
String To Sign: AWS4-HMAC-SHA256
20170815T171638Z
20170815/us-east-1/ec2/aws4_request
3dde853f8dbfa9194c3a63df51a970ecf4cc782270ba38a50ed5928d9e6a1a21

BEGIN REQUEST++++++++++++++++++++++++++++++++++++
Request URL =

https://my-test-bucket.storage.googleapis.com?

RESPONSE++++++++++++++++++++++++++++++++++++
Response code: 200

mm...@2bn.net <mm...@2bn.net> #10Aug 15, 2017 06:38PM

I'm just testing a basic GET, but I'm able to do that to a domain name bucket now as well, so looks better here.

ma...@google.com <ma...@google.com> #11Aug 16, 2017 02:25AM