fog-aws presigned URLs can't GET object #476

New issue

sami · 2025-12-28T17:37:32Z

sami commented

2025-12-28 17:37:32 +00:00

Originally created by @roman-khimov on GitHub (Dec 17, 2024).

Originally assigned to: @smallhive on GitHub.

Current Behavior

GitLab can't fetch objects, it goes with

GET /gitlab-uploads/%40hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/d641b448e9f53145e5bb5a6e20fb6917/image.png?response-content-disposition=inline%3B%20filename%3D%22image.png%22%3B%20filename%2A%3DUTF-8%27%27image.png&response-content-type=image%2Fpng&X-Amz-Expires=600&X-Amz-Date=20241217T100211Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=2i7FYHMcwNwktZ2bg6YvzTWohFpqXQZiEa3sayCJTc8Z0Eewc5G4BGHnu9f4Ccu8fWshFaVr5S4bC6fhzMnSfYzym%2F20241217%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=f4ba80e4155fc8ec3867b3da85d9b12b769c00044c8eb2a65f2a5918dc9c94b6

But it fails:

<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><Key>@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/d641b448e9f53145e5bb5a6e20fb6917/image.png</Key><BucketName>gitlab-uploads</BucketName><Resource>/gitlab-uploads/@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/d641b448e9f53145e5bb5a6e20fb6917/image.png</Resource><RequestId>4cbc44d2-b41b-4974-936b-5612c412735b</RequestId><HostId>c9ed11c7-020d-4d93-b282-39a41516e49a</HostId></Error>

It's a presigned URL, but somewhat special one. Gitlab uses https://github.com/fog/fog-aws

Expected Behavior

Success.

Possible Solution

Fix it.

Steps to Reproduce

Configure GL to store objects in some network available via S3 gateway, add an image, try fetching it.

Context

Happens in production.

Your Environment

Version of the product used: 0.33.0
Operating System and version (uname -a): Debian stable

Originally created by @roman-khimov on GitHub (Dec 17, 2024). Originally assigned to: @smallhive on GitHub. ## Current Behavior GitLab can't fetch objects, it goes with ``` GET /gitlab-uploads/%40hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/d641b448e9f53145e5bb5a6e20fb6917/image.png?response-content-disposition=inline%3B%20filename%3D%22image.png%22%3B%20filename%2A%3DUTF-8%27%27image.png&response-content-type=image%2Fpng&X-Amz-Expires=600&X-Amz-Date=20241217T100211Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=2i7FYHMcwNwktZ2bg6YvzTWohFpqXQZiEa3sayCJTc8Z0Eewc5G4BGHnu9f4Ccu8fWshFaVr5S4bC6fhzMnSfYzym%2F20241217%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=f4ba80e4155fc8ec3867b3da85d9b12b769c00044c8eb2a65f2a5918dc9c94b6 ``` But it fails: ``` <Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><Key>@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/d641b448e9f53145e5bb5a6e20fb6917/image.png</Key><BucketName>gitlab-uploads</BucketName><Resource>/gitlab-uploads/@hashed/4e/07/4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce/d641b448e9f53145e5bb5a6e20fb6917/image.png</Resource><RequestId>4cbc44d2-b41b-4974-936b-5612c412735b</RequestId><HostId>c9ed11c7-020d-4d93-b282-39a41516e49a</HostId></Error> ``` It's a presigned URL, but somewhat special one. Gitlab uses https://github.com/fog/fog-aws ## Expected Behavior Success. ## Possible Solution Fix it. ## Steps to Reproduce Configure GL to store objects in some network available via S3 gateway, add an image, try fetching it. ## Context Happens in production. ## Your Environment * Version of the product used: 0.33.0 * Operating System and version (`uname -a`): Debian stable

sami

2025-12-28 17:37:32 +00:00

closed this issue
added the
bug

S4

I4

U1
labels

sami commented

2025-12-28 17:37:32 +00:00

@roman-khimov commented on GitHub (Dec 18, 2024):

Related to #39, #529. References:

@roman-khimov commented on GitHub (Dec 18, 2024): Related to #39, #529. References: * https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/aws/signer/v4#hdr-Pre_escaping_a_request_URI * https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/aws/signer/v4#SignerOptions

Sign in to join this conversation.