We're creating Amazon S3 signed URLs using (com.amazonaws:aws-java-sdk version 1.11.18) -

AmazonS3 s3 = new AmazonS3Client(credentials);
s3.generatePresignedUrl(bucketName, objectName, expiration, method);

We expect to get a signed url that contains a query parameter called “signature” (v2 signing).

We noticed that on our servers, some requests result in v4 signing - where we unexpectedly get an “x-amz-signature” query parameter as part of the signed url.

Once this starts - it’s reproducible on the server for the same requested s3 object. However, requests to sign other objects will still sign using v2. Restarting the tomcat service on the broken server “fixes” the issue.

Any idea what could cause the library to start signing some objects with v4?

Dror Fichman
  • Not all regions/buckets support V2... are you signing requests for objects in multiple buckets across multiple regions? – Michael - sqlbot Dec 07 '17 at 13:59
  • Multiple buckets in the same region, where V2 signing has always worked – Dror Fichman Dec 23 '17 at 11:54
  • Note that certain new features require V4 signing in every region. I'm not saying that's directly related here but this may be an artifact of changes that have been introduced for forward-looking reasons, so fighting it might not be advisable. – Michael - sqlbot Dec 23 '17 at 15:48

1 Answer

The issue was reproduced in the current version of the sdk (1.11.244). Eventually we went about manually setting the config -

s3 = new AmazonS3Client(credentials,
                    new ClientConfiguration().withSignerOverride("NoOpSignerType"));

We suspect that this behaviour was caused by the internal implementation of the createSigner method, which signs requests with V4 if the bucket is contained in the map -

private static final Map<String, String> bucketRegionCache
Dror Fichman
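
A way to notice the switch described in this thread without waiting for a client to fail: classify each URL returned by generatePresignedUrl by its query parameters and alert when the scheme is not the expected one. This is an added example, not code from the question, the answer or the AWS SDK; the class name PresignedUrlScheme, the sample URLs and the case-insensitive parameter matching are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

/** Hypothetical helper (not part of the AWS SDK): classifies a presigned S3 URL by signing scheme. */
public class PresignedUrlScheme {
    public enum Scheme { V2, V4, UNSIGNED, AMBIGUOUS }

    /** Parses the query string into a map keyed by lower-cased parameter name. */
    static Map<String, String> queryParams(String url) throws Exception {
        Map<String, String> params = new HashMap<>();
        String raw = URI.create(url).getRawQuery();
        if (raw == null) return params;
        for (String pair : raw.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, "UTF-8").toLowerCase(Locale.ROOT),
                       URLDecoder.decode(value, "UTF-8"));
        }
        return params;
    }

    public static Scheme classify(String url) throws Exception {
        Map<String, String> q = queryParams(url);
        // V2 query-string auth carries AWSAccessKeyId, Expires and Signature.
        boolean v2 = q.containsKey("awsaccesskeyid") && q.containsKey("expires")
                && q.containsKey("signature");
        // V4 query-string auth carries X-Amz-Algorithm, X-Amz-Credential and X-Amz-Signature.
        boolean v4 = q.containsKey("x-amz-algorithm") && q.containsKey("x-amz-credential")
                && q.containsKey("x-amz-signature");
        if (v2 && v4) return Scheme.AMBIGUOUS;   // both parameter sets present: treat as an error
        if (v4) return Scheme.V4;
        if (v2) return Scheme.V2;
        return Scheme.UNSIGNED;                  // no complete signature parameter set found
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample URLs; the key id and signatures are placeholders, not real credentials.
        String v2 = "https://example-bucket.s3.amazonaws.com/report.pdf"
                + "?AWSAccessKeyId=AKIAEXAMPLE&Expires=1513000000&Signature=abc%2Bdef%3D";
        String v4 = "https://example-bucket.s3.amazonaws.com/report.pdf"
                + "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20171207T135900Z&X-Amz-Expires=900"
                + "&X-Amz-Credential=AKIAEXAMPLE%2F20171207%2Fus-east-1%2Fs3%2Faws4_request"
                + "&X-Amz-SignedHeaders=host&X-Amz-Signature=0123abcd";
        System.out.println(classify(v2));
        System.out.println(classify(v4));
    }
}
```

Logging the bucket name alongside the classification makes it possible to correlate an unexpected V4 result with the per-bucket behaviour the answer suspects.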