
S3 - The authorization header is malformed; the region 'vpce' is wrong;

Open grochoge opened this issue 2 years ago • 3 comments

Describe the bug

I'm running into this via the Jenkins artifact-manager-s3-plugin, but it appears to be ultimately coming from the Java SDK based on someone reporting the issue in aws-amplify/aws-sdk-android#3018.

Expected Behavior

S3 client works with VPC interface endpoints

Current Behavior

    GET https://BUCKETNAME.bucket.vpce-0123456789abcdef0-tiydc1f7.s3.us-east-1.vpce.amazonaws.com/?delimiter=/&prefix=BUCKETPREFIX/ HTTP/1.1 failed with code 400, error: AWSError{requestId='XPPHVG85015KESAZ', requestToken='REDACTED', code='AuthorizationHeaderMalformed', message='The authorization header is malformed; the region 'vpce' is wrong; expecting 'us-east-1'', context='{Region=us-east-1, HostId=REDACTED}'}

Reproduction Steps

I have not tried yet, but I suspect adding the following test to aws-java-sdk-core/src/test/java/com/amazonaws/regions/EndpointToRegionTest.java should reproduce the issue but have yet to try:

    @Test
    public void guessRegionForHostname_returnsRegionFromS3VPCEndpoint() {
        verifyRegionAndPartitionForHostname("us-east-1", "aws", "bucketname.bucket.vpce-0123456789abcdef0-tiydc1f7.s3.us-east-1.vpce.amazonaws.com");
    }

Possible Solution

Fix region parsing

Additional Information/Context

No response

AWS Java SDK version used

1.12.586

JDK version used

OpenJDK Runtime Environment Temurin-17.0.9+9 (build 17.0.9+9)

Operating System and version

Docker image jenkins:lts-jdk17

grochoge avatar Dec 15 '23 00:12 grochoge

@grochoge thank you for reaching out. You are probably running into the same issue reported here - https://github.com/aws/aws-sdk-java/issues/2858#issuecomment-1272169388

The SDK 1.x logic that tries to guess the region from an endpoint does not work for vpce endpoints.

Which S3 API are you calling?

debora-ito avatar Dec 19 '23 01:12 debora-ito
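
The failure discussed above, as an added example that is not from the thread or from aws-sdk-java: a simplified model of how a region guessed from the hostname ends up in the SigV4 credential scope, and how recognising the interface-endpoint hostname shape first changes the result. The class and method names (`VpceRegionDemo`, `naiveRegion`, `vpceAwareRegion`, `credentialScope`) are hypothetical, the "last label before `.amazonaws.com`" rule is an assumption about the guessing step, and the sample date is constructed.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; a simplified model, not code from aws-sdk-java.
public class VpceRegionDemo {
    private static final String SUFFIX = ".amazonaws.com";

    // Assumed interface-endpoint hostname shape, taken from the host in the report:
    // [<prefix>.]vpce-<id>.<service>.<region>.vpce.amazonaws.com
    private static final Pattern VPCE = Pattern.compile(
            "^(?:.+\\.)?vpce-[0-9a-z-]+\\.([a-z0-9-]+)\\.([a-z0-9-]+)\\.vpce\\.amazonaws\\.com$");

    // Assumption: models "guess the region" as the last label before .amazonaws.com.
    static String naiveRegion(String host) {
        if (!host.endsWith(SUFFIX)) {
            return null; // not an AWS hostname, nothing to guess
        }
        String fragment = host.substring(0, host.length() - SUFFIX.length());
        return fragment.substring(fragment.lastIndexOf('.') + 1);
    }

    // Recognise the VPC endpoint shape first, then fall back to the naive guess.
    static String vpceAwareRegion(String host) {
        Matcher m = VPCE.matcher(host);
        return m.matches() ? m.group(2) : naiveRegion(host);
    }

    // SigV4 credential scope: <yyyyMMdd>/<region>/<service>/aws4_request.
    // The service compares the region in this scope with the bucket's region.
    static String credentialScope(String date, String region, String service) {
        return date + "/" + region + "/" + service + "/aws4_request";
    }

    public static void main(String[] args) {
        // Hostname from the proposed test case in the report.
        String host =
                "bucketname.bucket.vpce-0123456789abcdef0-tiydc1f7.s3.us-east-1.vpce.amazonaws.com";
        String date = "20231215"; // constructed sample date

        System.out.println("naive scope:      " + credentialScope(date, naiveRegion(host), "s3"));
        System.out.println("vpce-aware scope: " + credentialScope(date, vpceAwareRegion(host), "s3"));
    }
}
```

When checking a client against a VPC endpoint, compare the region component of the `Credential=` scope in the `Authorization` header with the bucket's region; a mismatch there is what produces `AuthorizationHeaderMalformed`.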

In the case mentioned originally it's listing the bucket. But we'll also need getting/putting objects and creating signed URLs.

grochoge avatar Dec 20 '23 00:12 grochoge

We will forward to senior

767604 avatar Dec 29 '23 10:12 767604

Hi @grochoge

This won't get fixed in v1. A workaround is provided in my comment here. V2 s3 client code is generated so I don't think this is an issue in v2, but if you see otherwise please open a new issue in the v2 repo.

Reference:

  • Announcing end-of-support for AWS SDK for Java v1.x effective December 31, 2025 - blog post

debora-ito avatar Jun 19 '24 00:06 debora-ito

This issue is now closed.

Comments on closed issues are hard for our team to see. If you need more assistance, please open a new issue that references this one.

github-actions[bot] avatar Jun 19 '24 00:06 github-actions[bot]