AWS Go SDK V2 Incompatibility: SignatureDoesNotMatch Error When Using LiveKit Egress with Supabase Storage

[xx77yy]

I confirm this is a bug with Supabase, not with my own application. (Verified by testing with different S3 clients).

the bug

Supabase Storage's S3-compatible API fails to validate request signatures from clients using the official AWS Go SDK V2, resulting in a 403 Forbidden error with the code SignatureDoesNotMatch. This occurs even when all credentials (Access Key, Secret Key), endpoint, region, bucket name, and force_path_style settings are confirmed correct.

The issue specifically arises because the Go SDK V2 appears to append SDK-internal query parameters (e.g., ?x-id=PutObject) to the request URL before signing, while Supabase's validation logic likely expects a signature based on the URL without these parameters. This discrepancy causes the signature mismatch.

This prevents services like LiveKit Cloud Egress (which internally uses the Go SDK V2) from successfully uploading files (e.g., recordings) to Supabase Storage.

Crucially, uploads using other SDKs like Python's boto3 (configured identically) succeed, confirming the core configuration and credentials are valid but highlighting the incompatibility specifically with the Go SDK V2's request format.

To Reproduce

Steps involve using a service built with AWS Go SDK V2, like LiveKit Egress:

Configure a service (e.g., LiveKit Cloud Egress) to upload files to a Supabase Storage bucket via the S3 API. Use valid Supabase S3 endpoint, region, bucket name, S3 Access Key ID, S3 Secret Key, and ensure force_path_style=true is active. Ensure the target Supabase bucket exists and has Storage Policies granting s3:PutObject permission to the S3 key used.

Trigger an upload operation from the service (e.g., start a LiveKit Egress recording).

Observe the upload failure in the service's logs (reporting SignatureDoesNotMatch).

Check the Supabase Dashboard -> Project -> Logs -> Storage Logs and find the corresponding PUT request.

See error: The log entry for the PUT request shows a 403 status code and the error code SignatureDoesNotMatch. The request URL in the log often includes an extra query parameter like ?x-id=PutObject.

(Optional Verification Step): Perform the same upload using Python's boto3 client with identical configuration (credentials, endpoint, region, bucket, addressing_style='path'). Observe that this upload succeeds.

Expected behavior

Supabase Storage should successfully validate the S3 request signature generated by clients using the AWS Go SDK V2 (including services like LiveKit Egress) and allow the file upload (PutObject) to complete successfully, returning a 2xx status code.

Supabase Storage Log Snippet (Failure): (Include the JSON log snippet you previously shared showing the 403 error, SignatureDoesNotMatch, and the URL with ?x-id=PutObject)

{ "event_message": "[..] | PUT | 403 | [Egress IP Address] | [Request Trace ID] | /s3/recordings/[Your Filename].ogg?x-id=PutObject | aws-sdk-go-v2/1.32.7...", // ... rest of relevant log entry ... "error": [ { "message": "The request signature we calculated does not match...", "code":"SignatureDoesNotMatch", ... } ], "req": [ { "url": "/s3/recordings/abc.ogg?x-id=PutObject" } ], "res": [ { "statusCode": 403 } ] // ... }

Service using Go SDK V2: LiveKit Cloud Egress (Managed service, uses aws-sdk-go-v2)

Verifying Client (Working): Python boto3 (e.g., v1.34.x) on [Your OS, e.g., Windows/macOS/Linux]

Version of Node.js/Python (if running agent): [Your Agent's Runtime, e.g., Python 3.11 / Node.js v18] (Less relevant to the core S3 bug)

Additional context

This directly prevents integration between LiveKit Cloud Egress and Supabase Storage, impacting users who want to store recordings in Supabase.

This appears to be the same root cause as discussed in Supabase Issue #577 ([https://github.com/supabase/storage-api/issues/577] ), where multiple users confirmed this incompatibility, explicitly mentioning LiveKit.

The key difference seems to be the Go SDK V2 appending query parameters like ?x-id=PutObject to the request URL before signing, which Supabase's current signature validation does not correctly handle.

As AWS Go SDK V1 is deprecated and tools migrate to V2, addressing this compatibility issue is crucial for Supabase Storage users relying on Go-based tools or services.

[simonnarang]

I am also experiencing this issue

[xx77yy]

I am also experiencing this issue

Hi @simonnarang Do you use Discord. i'm looking for some people who is working on ai agents. we can connect drop me mailor any of your handle

[AndikaAdfiyanElhaz]

it's been two months, can you tell me if the issue still happened?

[buri1]

is there any update on this topic? should be a quick fix i guess...

[arath36]

any update? Also experiencing this issue as well

[jw-source]

same issue

[Genzo0]

Same issue

[HugoPodworski]

Same issue

[gurinder1996]

same issue

[Dillusion]

Same issue

[nmithani1]

Experiencing the same issue as well, please take a look

[nmithani1]

@itslenny I am using the python client sdk supabase>=2.0.0, do I need to update any dependencies to resolve this issue, I am still seeing this issue below?

S3 upload failed: operation error S3: PutObject, https response error StatusCode: 403, RequestID: , HostID: , api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.