SignatureDoesNotMatch/403 Forbidden (s3sync, s3cmd is fine)

[knitter]

I was trying to figure out why my s3sync commands tonite would not succeed.  I suddenly started getting SignatureDoesNotMatch errors.  After some testing with s3cmd and performing few packet traces I found that s3sync adds some x-amz headers to the PUT calls, whereas s3cmd does not.

Perplexed by this, I looked up the documentation and found at http://docs.amazonwebservices.com/AmazonS3/latest/index.html?RESTAuthentication.html#RESTAuthenticationExamples that it states you HAVE to calculate your Authorization Signature by including specific information which includes the x-amz headers, which s3sync IS doing properly.

What has changed (cause this worked previously) appears to be on Amazon's side because my same backups used to work flawlessly.  I removed the logic from the S3.rb file in the S3.canonical_string() function which includes the AMAZON_HEADER_PREFIX by simply changing the line of code to:

    lk =~ /^x#{AMAZON_HEADER_PREFIX}/o)

Adding the "x" at the beginning made it not match, and now the x-amz headers are no longer used in the Authentication Signature calculation.

Why would this have changed at Amazon?  Note the link above which makes this a requirement is a reference to the "latest" documents...

Thoughts?

[ferrix]

Signing has always been black box to me.  Did they update the "example" ruby libraries?  Maybe I need to merge in changes.

I'm concerned about possibly breaking existing functionality.  Can anyone else comment on this change?  My own backups seem as fine as usual.  But I'm not setting x-amz-acl or anything like that..

[knitter]

Yeah, nothing changed on my end.

FWIW, I'm running on Windows.  I can provide more specifics if you want to do some negative testing.

Perhaps an s3sync config could be added for "include amz headers in signature calculation" in case this flip flops more?  Modifying code is probably beyond most people, and it did indeed take me about 3 hours to dig out that needle form the haystack!

HTH!