S3 endpoints not working 5.19.6 and 5.20.3rc

Advertisement

mprewitt007
Joined:
Posts:
12
Location:
United States

S3 endpoints not working 5.19.6 and 5.20.3rc

Good Day,
We use S3 extensively and WinSCP is our preference.
Starting today we noticed that some of our buckets are getting this error:
The request signature we calculated does not match the signature you provided. Check your key and signing method.
I've posted the full error below and will upload a scrubbed log as well.
FileZilla Pro still works with no issue, and some S3 buckets work with no issue.
We've checked the IAM key and endpoints and tried this from other computers
The request signature we calculated does not match the signature you provided. Check your key and signing method.
Extra Details: AWSAccessKeyId: XXXXremovedXXXX, StringToSign: AWS4-HMAC-SHA256
20220602T163240Z
20220602/us-east-1/s3/aws4_request
98ae89429d771c6de6adac4db0063fb2a06be38c8ba0c36962586444e2b6f4ec, SignatureProvided: 51b7d1201f713d8cbf1ec3f586356b8a91da3960bda48ed1a2cb8a7fde3b4b92, StringToSignBytes: 41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 32 30 36 30 32 54 31 36 33 32 34 30 5a 0a 32 30 32 32 30 36 30 32 2f 75 73 2d 65 61 73 74 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 39 38 61 65 38 39 34 32 39 64 37 37 31 63 36 64 65 36 61 64 61 63 34 64 62 30 30 36 33 66 62 32 61 30 36 62 65 33 38 63 38 62 61 30 63 33 36 39 36 32 35 38 36 34 34 34 65 32 62 36 66 34 65 63, CanonicalRequest: GET
/XXXXX bucketname removed xxx/
delimiter=%2F&max-keys=1&prefix=ingest%2F
host:s3.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20220602T163240Z

host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, CanonicalRequestBytes: 47 45 54 0a 2f 74 65 6e 61 6e 74 2d 64 72 6f 70 31 34 2d 6f 64 6f 6e 6e 65 6c 6c 63 68 72 69 73 74 6f 70 68 65 72 2d 65 64 64 6d 2f 0a 64 65 6c 69 6d 69 74 65 72 3d 25 32 46 26 6d 61 78 2d 6b 65 79 73 3d 31 26 70 72 65 66 69 78 3d 69 6e 67 65 73 74 25 32 46 0a 68 6f 73 74 3a 73 33 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 0a 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35 0a 78 2d 61 6d 7a 2d 64 61 74 65 3a 32 30 32 32 30 36 30 32 54 31 36 33 32 34 30 5a 0a 0a 68 6f 73 74 3b 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3b 78 2d 61 6d 7a 2d 64 61 74 65 0a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35, RequestId: GCBFKH2SK2H5R9KG, HostId: P0k6v48phktgDYZSstp98aLtyfO4LXS6d7vp8tzaycDGgV6nnidsg0AzVrFrpqPIoIuNXDH0KgI=
Connection failed.
  • session@s3.amazonaws.com.log (42.38 KB, Private file)

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,442
Location:
Prague, Czechia

Re: S3 endpoints not working 5.19.6 and 5.20.3rc

Thanks for your report. Would you able to reproduce the problem with some test public bucket that you can share with us?

Reply with quote

mprewitt007
Joined:
Posts:
12
Location:
United States

s3 endpoint issues

Do you have a public test bucket in mind as none of our buckets are public.
We are able to access some bucket.
We did isolate that accelerated endpoints are not working.
Normal s3 some work, some don't.
All our buckets are in east-1.
The ones we have working have an aws transfer in front of them, so are using ppks for authentication instead of accesskey & secrets.
I have a client who can access it, but it drops connection every so often without retrying and he's having to manually reconnect. He's using 5.20rc3

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,442
Location:
Prague, Czechia

Re: s3 endpoint issues

mprewitt007 wrote:

Do you have a public test bucket in mind as none of our buckets are public.
I understand that. I was asking you would be able to create a test public bucket that would have the problem.

The ones we have working have an aws transfer in front of them, so are using ppks for authentication instead of accesskey & secrets.
So actually does any S3 bucket work for you, when you are connecting using S3 protocol? The buckets you are accessing via SFTP are irrelevant to this problem.

Reply with quote

mprewitt007
Joined:
Posts:
12
Location:
United States

s3 buckets

Ok, after testing, only some buckets are not working, so we are double checking this.
We did realize that we were using an accelerated endpoint, not the default "s3.amazonaws.com"
We had accelerated a bucket, which provides a new bucket name.
Our other tools supported this, so we just assumed WinSCP did, but it apparently provides a 403 error in the logs using an accelerated path.
Is this a known issue?

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,442
Location:
Prague, Czechia

Re: s3 buckets

I have create a new bucket, enabled S3 transfer acceleration on it.

I've configured WinSCP to connect via s3-accelerate.amazonaws.com (instead of the default s3.amazonaws.com). But I still can work with the bucket without any problem.

Where do we differ? Can you post a session log file?

Reply with quote

ACG
Joined:
Posts:
8
Location:
NL

Same issue, don't know what to do

A supplier gave me the S3 endpoint and I am trying to connect with WinSCP but getting the following error
The request signature we calculated does not match the signature you provided. Check your key and signing method.
Extra Details: AWSAccessKeyId: XXXXremovedXXXX, StringToSign: AWS4-HMAC-SHA256
20231128T115438Z
20231128/eu-central-1/s3/aws4_request
f066766405090062e0cf5e71c50e2bf81e2b4a49a2a0612b01cef68fb0cca78b,
SignatureProvided: 5bd7a1b4d8167fb94d62d1e4a08f37e937a26bf0fb56e99538a8f60281f2ce39,
StringToSignBytes: 41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 33 31 31 32 38 54 31 31 35 34 33 38 5a 0a 32 30 32 33 31 31 32 38 2f 65 75 2d 63 65 6e 74 72 61 6c 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 66 30 36 36 37 36 36 34 30 35 30 39 30 30 36 32 65 30 63 66 35 65 37 31 63 35 30 65 32 62 66 38 31 65 32 62 34 61 34 39 61 32 61 30 36 31 32 62 30 31 63 65 66 36 38 66 62 30 63 63 61 37 38 62,
CanonicalRequest: GET
/[bucket subdirectory name/
max-keys=1
host:[bucket name].s3.eu-central-1.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20231128T115438Z

host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,
CanonicalRequestBytes: 47 45 54 0a 2f 6b 70 6d 67 2f 0a 6d 61 78 2d 6b 65 79 73 3d 31 0a 68 6f 73 74 3a 69 63 2d 69 6e 74 65 67 72 61 74 69 6f 6e 73 2e 73 33 2e 65 75 2d 63 65 6e 74 72 61 6c 2d 31 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 0a 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35 0a 78 2d 61 6d 7a 2d 64 61 74 65 3a 32 30 32 33 31 31 32 38 54 31 31 35 34 33 38 5a 0a 0a 68 6f 73 74 3b 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3b 78 2d 61 6d 7a 2d 64 61 74 65 0a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35,
RequestId: C8Q9PNXXHPQPEFC3,
HostId: K2MfMucDzIk9QXCnQivd6Lqb3Ssdoa4imfAFWMsggf4Rlbo/5Km2mnABYpvC9J4arLReUEr63Ag=
Connection failed.
I have checked the key and that is ok. Any idea?

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,442
Location:
Prague, Czechia

Re: Same issue, don't know what to do

@ACG: Are you sure you have the same issue? I.e. with accelerated endpoints? Anyway, please attach a full session log file showing the problem (using the latest version of WinSCP).

To generate the session log file, enable logging, log in to your server and do the operation and only the operation that causes the error. Submit the log with your post as an attachment. Note that passwords and passphrases not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.

Reply with quote

Advertisement

ACG
Joined:
Posts:
8
Location:
NL

The request signature we calculated does not match the signature you provided. Check your key and si

No sorry not using accelerated endpoints but the error is similar. Here the log.

I have already installed AWS CLI and can continue with that but still curious how the get it working in WinSCP.

Reply with quote

ACG

ic-integration is bucket name, kpmg is bucket subdirectory name. I forgot to hide these probably

I have tried a lot of different variants, also using remote directory, but none of these worked unfortunatly

Reply with quote

Advertisement

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,442
Location:
Prague, Czechia

Thanks.
  1. The awscli uses eu-central-1 region. That is not the default region. Did you configure it somehow? Wouldn't WinSCP work, if you configure it to use eu-central-1 by default? https://winscp.net/eng/docs/ui_login_s3
  2. The awslog shows only upload. Isn't it possible that you have only upload/write access to the bucket, but not read/listing permissions? Can you do ls in awscli? Can you post log for that?

Reply with quote

ACG
Joined:
Posts:
8
Location:
NL

  • I have set eu-central-1 in the Default region (Advanced Site Settings => S3 => Protocol options => Default region)
  • ls gives
    An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
    so that might be the issue for doing this with WinSCP

Reply with quote

Advertisement

You can post new topics in this forum