An error occurred when calling the HeadBucket operation: Bad Request #896

Open
jwijffels opened this issue Feb 12, 2025 · 18 comments
Labels
bug 🐞 Something isn't working

Comments

@jwijffels

With paws.common 0.8.1, paws.storage 0.8.0 and s3fs 0.1.7 I get the error below for the following code.
This is not the case with paws.common 0.7.7, paws.storage 0.7.0 and s3fs 0.1.7.

Where should I look in order to try to debug this?
Is this related to #844?

library(s3fs)
s3fs = s3_file_system()
s3fs$file_exists("s3://path/to/some/file/xyz.parquet")

Error: SerializationError (HTTP 400). An error occurred when calling the HeadBucket operation: Bad Request
@DyfanJones
Member

Sorry about that. To help me debug this, can you provide the region of your S3 bucket and the region the profile is set up as? I want to double-check there isn't a redirect issue.

@jwijffels
Author

I'm running in eu-west-3, running Gitpod.

Login to AWS is basically

gp idp login aws --role-arn "arn:aws:iam::99999999999:role/some-iam-usr-who-does-something" --duration-seconds 32400

aws sts get-caller-identity
{
    "UserId": "ABCDEFGHIJKLMNOPQ:labalabalabala-myproject-aloxqlrgtvh-543210987654321",
    "Account": "99999999999",
    "Arn": "arn:aws:sts::99999999999:assumed-role/some-iam-usr-who-does-something/labalabalabala-myproject-aloxqlrgtvh-543210987654321"
}

@DyfanJones
Member

I initially thought it could be something weird with the bucket region, but it looks like paws is working fine with it. I wasn't able to reproduce the error using my SSO role. However, it is using aws-cli to initialise the role.

options(paws.aws_sso_creds = TRUE)
library(paws.storage)

sso_profile <- "paws_sso_profile"
region <- "eu-west-3"

client <- s3(config(credentials(profile = sso_profile), region = region))

# Random bucket name. S3 bucket names may not contain underscores, so use a hyphen.
bucket <- sprintf("paws-%s", paste(sample(letters, 8, TRUE), collapse = ""))
key <- "to/some/file/xyz.txt"

# Create the bucket in the same region the client is configured for.
client$create_bucket(
  Bucket = bucket,
  CreateBucketConfiguration = list(LocationConstraint = region)
)

resp <- client$put_object(
  Bucket = bucket,
  Key = key,
  Body = charToRaw("dummy data")
)

resp <- client$list_objects_v2(
  Bucket = bucket
)

# The call that fails in the report, made directly through paws.
resp <- client$head_object(
  Bucket = bucket,
  Key = key
)

resp <- client$delete_object(Bucket = bucket, Key = key)

# The same round trip through s3fs, using the same profile and region.
library(s3fs)

s3_file_system(profile_name = sso_profile, region_name = region)

s3_dir_ls(s3_path(bucket))

s3_file_stream_out(charToRaw("dummy data"), s3_path(bucket, key))

s3_dir_ls(s3_path(bucket), recurse = TRUE)

s3_file_exists(s3_path(bucket, key))

s3_file_delete(s3_path(bucket, key))

@jwijffels
Author

What would be the appropriate way to find out what credentials are being sent to AWS?
I see it eventually uses httr2, but I couldn't manage to step into the debugger of the appropriate function to see what is really sent and to trace it down.
I've tried to debugonce a few of the internals of s3fs$file_exists, namely paws.common:::send_request, but I never managed to step into the debugger of that one. Maybe because httr2 uses some delayed processing. If you can list for me which internals you would inspect to see where it came from, that would maybe help in making the example more clear.

@DyfanJones
Member

You should be able to get to the logs using options(paws.log_level = 4L). This should set the log level to debug, and it should output what is sent to AWS.

@jwijffels
Author

In order to compare the output with what is sent with paws.common 0.7.7, paws.storage 0.7.0 and s3fs 0.1.7 (where there is no BAD request), what would be the appropriate way to get what is sent to AWS using these versions, such that I can make the comparison between the 2?

@DyfanJones
Member

Paws is able to log the request to aws:

paws.common 0.8.0:

options(paws.log_level = 4)
library(paws.storage)

sso_profile <- "paws"
bucket <- "paws-region"

client <- s3(config(credentials(profile = sso_profile)))

resp <- client$head_object(Bucket = bucket, Key = "to/some/file/xyz.txt")
DEBUG [2025-02-17 12:18:20.810]: -> HEAD /to/some/file/xyz.txt HTTP/1.1
-> Host: paws-region.s3.amazonaws.com
-> Accept: */*
-> Accept-Encoding: deflate, gzip
-> User-Agent: paws/0.8.1.9000 (R4.4.2; darwin20; aarch64)
-> Content-Length: 0
-> X-Amz-Date: 20250217T121820Z
-> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-> Authorization: AWS4-HMAC-SHA256 Credential=dummy/20250217/us-east-1/s3/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date, Signature=b6447c9f07ef76a1e7449d0ca9d92145089714c3aab51820893f754aeeb690c0
-> 
DEBUG [2025-02-17 12:18:20.843]: <- HTTP/1.1 400 Bad Request
DEBUG [2025-02-17 12:18:20.844]: <- x-amz-request-id: PJN6FKT7MPSK4XPP
DEBUG [2025-02-17 12:18:20.844]: <- x-amz-id-2: Me1NQ6JN54fdPVSxZ+ngXKm/gm8yG4t2ptrmDsBQ8qVsWmuuLQ5+VSzZYRW+qHflR4a5/z/lqCj0LIa6P1i45smIb6M3dY/n
DEBUG [2025-02-17 12:18:20.844]: <- Content-Type: application/xml
DEBUG [2025-02-17 12:18:20.845]: <- Transfer-Encoding: chunked
DEBUG [2025-02-17 12:18:20.845]: <- Date: Mon, 17 Feb 2025 12:18:20 GMT
DEBUG [2025-02-17 12:18:20.860]: <- Connection: close
DEBUG [2025-02-17 12:18:20.861]: <- Server: AmazonS3
DEBUG [2025-02-17 12:18:20.861]: <- 
DEBUG [2025-02-17 12:18:20.951]: -> HEAD / HTTP/1.1
-> Host: paws-region.s3.amazonaws.com
-> Accept: */*
-> Accept-Encoding: deflate, gzip
-> User-Agent: paws/0.8.1.9000 (R4.4.2; darwin20; aarch64)
-> Content-Length: 0
-> X-Amz-Date: 20250217T121820Z
-> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-> Authorization: AWS4-HMAC-SHA256 Credential=dummy/20250217/us-east-1/s3/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date, Signature=abf76401d7a2d6f5e81d5b2e2e4ecdec4aaac86bd01672564c1c96ade7a577b2
-> 
DEBUG [2025-02-17 12:18:21.012]: <- HTTP/1.1 400 Bad Request
DEBUG [2025-02-17 12:18:21.013]: <- x-amz-bucket-region: eu-west-3
DEBUG [2025-02-17 12:18:21.013]: <- x-amz-request-id: GHCA5DJFH1CZGWFD
DEBUG [2025-02-17 12:18:21.013]: <- x-amz-id-2: 0QFzjkjZK9THYRVA982qYvqeZrx767beNSUSSEMq6fAltAREQj5FKJTMdAO8sDzgCHT/mwMwGfIfPvZgSysnhlDjIg3Hn2lV
DEBUG [2025-02-17 12:18:21.014]: <- Content-Type: application/xml
DEBUG [2025-02-17 12:18:21.014]: <- Transfer-Encoding: chunked
DEBUG [2025-02-17 12:18:21.015]: <- Date: Mon, 17 Feb 2025 12:18:20 GMT
DEBUG [2025-02-17 12:18:21.015]: <- Connection: close
DEBUG [2025-02-17 12:18:21.016]: <- Server: AmazonS3
DEBUG [2025-02-17 12:18:21.016]: <- 
DEBUG [2025-02-17 12:18:21.019]: S3 client configured for region us-east-1 but the bucket paws-region is in region eu-west-3; Please configure the proper region to avoid multiple unnecessary redirects and signing attempts.
DEBUG [2025-02-17 12:18:21.164]: -> HEAD / HTTP/1.1
-> Host: paws-region.s3.eu-west-3.amazonaws.com
-> Accept: */*
-> Accept-Encoding: deflate, gzip
-> User-Agent: paws/0.8.1.9000 (R4.4.2; darwin20; aarch64)
-> Content-Length: 0
-> X-Amz-Date: 20250217T121821Z
-> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-> Authorization: AWS4-HMAC-SHA256 Credential=dummy/20250217/eu-west-3/s3/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date, Signature=59524fb703b500a5f1e9f0278a545f0063104d15e660c9033987cf25df439d67
-> 
DEBUG [2025-02-17 12:18:21.205]: <- HTTP/1.1 200 OK
DEBUG [2025-02-17 12:18:21.205]: <- x-amz-id-2: YkcnWBGUmWdagppl1v0C4/jm0kbX9TWHqCxtZjSM0ZsMas1ShB5Ui8/YqlwmMHt5ZY7etbvvmhk=
DEBUG [2025-02-17 12:18:21.206]: <- x-amz-request-id: GHC4DX4RW7R596PG
DEBUG [2025-02-17 12:18:21.206]: <- Date: Mon, 17 Feb 2025 12:18:22 GMT
DEBUG [2025-02-17 12:18:21.206]: <- x-amz-bucket-region: eu-west-3
DEBUG [2025-02-17 12:18:21.206]: <- x-amz-access-point-alias: false
DEBUG [2025-02-17 12:18:21.206]: <- Content-Type: application/xml
DEBUG [2025-02-17 12:18:21.206]: <- Transfer-Encoding: chunked
DEBUG [2025-02-17 12:18:21.206]: <- Server: AmazonS3
DEBUG [2025-02-17 12:18:21.207]: <- 
DEBUG [2025-02-17 12:18:21.208]: S3 request was previously redirected, not redirecting.
DEBUG [2025-02-17 12:18:21.208]: S3 client configured for region us-east-1 but the bucket paws-region is in region eu-west-3; Please configure the proper region to avoid multiple unnecessary redirects and signing attempts.
DEBUG [2025-02-17 12:18:21.219]: -> HEAD /to/some/file/xyz.txt HTTP/1.1
-> Host: paws-region.s3.eu-west-3.amazonaws.com
-> Accept: */*
-> Accept-Encoding: deflate, gzip
-> User-Agent: paws/0.8.1.9000 (R4.4.2; darwin20; aarch64)
-> Content-Length: 0
-> X-Amz-Date: 20250217T121821Z
-> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-> Authorization: AWS4-HMAC-SHA256 Credential=dummy/20250217/eu-west-3/s3/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date, Signature=8e3556d64e55bb0b51db6209520395f06641a0ea5d66219249914cfd9b2e0f4f
-> 
DEBUG [2025-02-17 12:18:21.257]: <- HTTP/1.1 200 OK
DEBUG [2025-02-17 12:18:21.257]: <- x-amz-id-2: l1LvsxtIsSMKF7MTwMuVneD4UWOkWV91v26QNO3WBeUAQIOmd0mX5rldLWUzmoCA7AnqrKSOW64=
DEBUG [2025-02-17 12:18:21.257]: <- x-amz-request-id: GHCA5SA46QTW7ZEY
DEBUG [2025-02-17 12:18:21.257]: <- Date: Mon, 17 Feb 2025 12:18:22 GMT
DEBUG [2025-02-17 12:18:21.258]: <- Last-Modified: Thu, 13 Feb 2025 09:23:05 GMT
DEBUG [2025-02-17 12:18:21.258]: <- ETag: "31bfb9730ae51af73953ba720c8660d7"
DEBUG [2025-02-17 12:18:21.258]: <- x-amz-server-side-encryption: AES256
DEBUG [2025-02-17 12:18:21.258]: <- Accept-Ranges: bytes
DEBUG [2025-02-17 12:18:21.258]: <- Content-Type: binary/octet-stream
DEBUG [2025-02-17 12:18:21.259]: <- Content-Length: 10
DEBUG [2025-02-17 12:18:21.259]: <- Server: AmazonS3
DEBUG [2025-02-17 12:18:21.259]: <- 
DEBUG [2025-02-17 12:18:21.260]: S3 request was previously redirected, not redirecting.

paws.common 0.7.7:

options(paws.log_level = 3)
library(paws.storage)

sso_profile <- "paws"
bucket <- "paws-region"

client <- s3(config(credentials(profile = sso_profile)))

resp <- client$head_object(Bucket = bucket, Key = "to/some/file/xyz.txt")
INFO [2025-02-17 12:22:08.580]: -> HEAD /to/some/file/xyz.txt HTTP/1.1
-> Host: paws-region.s3.amazonaws.com
-> Accept-Encoding: deflate, gzip
-> Accept: application/json, text/xml, application/xml, */*
-> User-Agent: paws/0.7.7 (R4.4.2; darwin20; aarch64)
-> Content-Length: 0
-> X-Amz-Date: 20250217T122208Z
-> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-> Authorization: AWS4-HMAC-SHA256 Credential=DUMMY/20250217/us-east-1/s3/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date, Signature=0c962b0165c3661eca3eed15a72a5457d89323a26fab849f390b6c26cf6af902
-> 
INFO [2025-02-17 12:22:08.611]: <- HTTP/1.1 400 Bad Request
INFO [2025-02-17 12:22:08.611]: <- x-amz-request-id: VVQAAWHEJTVA7G03
INFO [2025-02-17 12:22:08.611]: <- x-amz-id-2: Y18R5Zp53ndGN4uT2c8RkP3yXERYyv9wezpaKN0F0Lw0cCSPvakW8JmgGPgeO483J1iPKmSXAJ8=
INFO [2025-02-17 12:22:08.611]: <- Content-Type: application/xml
INFO [2025-02-17 12:22:08.612]: <- Transfer-Encoding: chunked
INFO [2025-02-17 12:22:08.612]: <- Date: Mon, 17 Feb 2025 12:22:08 GMT
INFO [2025-02-17 12:22:08.612]: <- Connection: close
INFO [2025-02-17 12:22:08.612]: <- Server: AmazonS3
INFO [2025-02-17 12:22:08.612]: <- 
INFO [2025-02-17 12:22:08.687]: -> HEAD / HTTP/1.1
-> Host: paws-region.s3.amazonaws.com
-> Accept-Encoding: deflate, gzip
-> Accept: application/json, text/xml, application/xml, */*
-> User-Agent: paws/0.7.7 (R4.4.2; darwin20; aarch64)
-> Content-Length: 0
-> X-Amz-Date: 20250217T122208Z
-> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-> Authorization: AWS4-HMAC-SHA256 Credential=DUMMY/20250217/us-east-1/s3/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date, Signature=00b001352fbddf8dfe87478baf7c2899922e3467be73ec2a833b599f389593ef
-> 
INFO [2025-02-17 12:22:08.726]: <- HTTP/1.1 400 Bad Request
INFO [2025-02-17 12:22:08.726]: <- x-amz-bucket-region: eu-west-3
INFO [2025-02-17 12:22:08.726]: <- x-amz-request-id: VVQF1M8E7YN83R6W
INFO [2025-02-17 12:22:08.726]: <- x-amz-id-2: 3+qFxDdNBFKe5YenOPKhqKQV3Czl8Qx1fQKXLv6JsX7PBQ2Yr/JPIsnXrhwvv0ZmIKSk+0BAngo=
INFO [2025-02-17 12:22:08.726]: <- Content-Type: application/xml
INFO [2025-02-17 12:22:08.727]: <- Transfer-Encoding: chunked
INFO [2025-02-17 12:22:08.727]: <- Date: Mon, 17 Feb 2025 12:22:07 GMT
INFO [2025-02-17 12:22:08.727]: <- Connection: close
INFO [2025-02-17 12:22:08.727]: <- Server: AmazonS3
INFO [2025-02-17 12:22:08.727]: <- 
INFO [2025-02-17 12:22:08.800]: -> HEAD / HTTP/1.1
-> Host: paws-region.s3.eu-west-3.amazonaws.com
-> Accept-Encoding: deflate, gzip
-> Accept: application/json, text/xml, application/xml, */*
-> User-Agent: paws/0.7.7 (R4.4.2; darwin20; aarch64)
-> Content-Length: 0
-> X-Amz-Date: 20250217T122208Z
-> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-> Authorization: AWS4-HMAC-SHA256 Credential=DUMMY/20250217/eu-west-3/s3/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date, Signature=81bf6e7db77b9789f7d936821d8863ab9ed2b1cd339f52ee3b3aa591162dc721
-> 
INFO [2025-02-17 12:22:08.844]: <- HTTP/1.1 200 OK
INFO [2025-02-17 12:22:08.844]: <- x-amz-id-2: L4rNdqKGyQlJqdLhsb7lHUUlG4MHnqN5tmehIeIevQHOlyt46rB1VzE/XLJ36OYDsQ36/RbaajPjXRP9C0Y4ojRZxT5B9roS
INFO [2025-02-17 12:22:08.872]: <- x-amz-request-id: VVQ8NFSHNZYD5XEH
INFO [2025-02-17 12:22:08.873]: <- Date: Mon, 17 Feb 2025 12:22:09 GMT
INFO [2025-02-17 12:22:08.873]: <- x-amz-bucket-region: eu-west-3
INFO [2025-02-17 12:22:08.873]: <- x-amz-access-point-alias: false
INFO [2025-02-17 12:22:08.873]: <- Content-Type: application/xml
INFO [2025-02-17 12:22:08.873]: <- Transfer-Encoding: chunked
INFO [2025-02-17 12:22:08.873]: <- Server: AmazonS3
INFO [2025-02-17 12:22:08.873]: <- 
INFO [2025-02-17 12:22:08.883]: -> HEAD /to/some/file/xyz.txt HTTP/1.1
-> Host: paws-region.s3.eu-west-3.amazonaws.com
-> Accept-Encoding: deflate, gzip
-> Accept: application/json, text/xml, application/xml, */*
-> User-Agent: paws/0.7.7 (R4.4.2; darwin20; aarch64)
-> Content-Length: 0
-> X-Amz-Date: 20250217T122208Z
-> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-> Authorization: AWS4-HMAC-SHA256 Credential=DUMMY/20250217/eu-west-3/s3/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date, Signature=de6ccde445fc512c833d1cef570cbd0c9f10a2963db538c41ec477a89a9cbdf5
-> 
INFO [2025-02-17 12:22:08.942]: <- HTTP/1.1 200 OK
INFO [2025-02-17 12:22:08.942]: <- x-amz-id-2: PkbsA7hhm2QmtGFfSKFt19Pq10ETzn76OfmNkBR+ynefqkBd9AEJ6JTIhipaSGcSlUSpWZPAT3+r5B6cxq58bFhU2dbspsEQ
INFO [2025-02-17 12:22:08.943]: <- x-amz-request-id: VVQF1TGMZP959JVK
INFO [2025-02-17 12:22:08.943]: <- Date: Mon, 17 Feb 2025 12:22:09 GMT
INFO [2025-02-17 12:22:08.943]: <- Last-Modified: Thu, 13 Feb 2025 09:23:05 GMT
INFO [2025-02-17 12:22:08.943]: <- ETag: "31bfb9730ae51af73953ba720c8660d7"
INFO [2025-02-17 12:22:08.943]: <- x-amz-server-side-encryption: AES256
INFO [2025-02-17 12:22:08.943]: <- Accept-Ranges: bytes
INFO [2025-02-17 12:22:08.943]: <- Content-Type: binary/octet-stream
INFO [2025-02-17 12:22:08.943]: <- Content-Length: 10
INFO [2025-02-17 12:22:08.943]: <- Server: AmazonS3
INFO [2025-02-17 12:22:08.943]: <- 

@DyfanJones
Member

Note: logs from the request to AWS have been moved to DEBUG level in paws.common 0.8.0. This was to prevent the INFO log level being saturated.

@jwijffels
Author

jwijffels commented Feb 17, 2025

options(paws.log_level = 3)
library(paws.storage)
client <- s3(config(credentials()))
resp <- client$head_object(Bucket = "mybucket", Key = "to/some/file/xyz.txt")

I'm seeing with 0.7.7

-> Host: mybucket.eu-west-3.amazonaws.com
-> Accept-Encoding: deflate, gzip, br, zstd
-> Accept: application/json, text/xml, application/xml, */*
-> User-Agent: paws/0.7.7 (R4.4.2; linux-gnu; x86_64)
-> Content-Length: 0
-> X-Amz-Security-Token: sequence of 1068 letters/numbers

... Some more security related elements
INFO [2025-02-17 14:09:03.811]: <- HTTP/1.1 200 OK
INFO [2025-02-17 14:09:03.811]: <- ----------
INFO [2025-02-17 14:09:03.811]: <- ----------
INFO [2025-02-17 14:09:03.811]: <- Date: Mon, 17 Feb 2025 13:09:04 GMT
INFO [2025-02-17 14:09:03.811]: <- Last-Modified: Sun, 16 Feb 2025 20:58:09 GMT
INFO [2025-02-17 14:09:03.811]: <- x-amz-expiration: expiry-date="Wed, 19 Mar 2025 00:00:00 GMT", rule-id="Expire-30-days-and-NonCurrent-1-day"
INFO [2025-02-17 14:09:03.811]: <- ----------
INFO [2025-02-17 14:09:03.811]: <- x-amz-server-side-encryption: aws:kms
INFO [2025-02-17 14:09:03.811]: <- x-amz-server-side-encryption-aws-kms-key-id: ----------
INFO [2025-02-17 14:09:03.811]: <- x-amz-server-side-encryption-bucket-key-enabled: true
INFO [2025-02-17 14:09:03.811]: <- x-amz-version-id: ----------
INFO [2025-02-17 14:09:03.811]: <- Accept-Ranges: bytes
INFO [2025-02-17 14:09:03.811]: <- Content-Type: binary/octet-stream
INFO [2025-02-17 14:09:03.811]: <- Content-Length: 202
INFO [2025-02-17 14:09:03.811]: <- Server: AmazonS3

On paws.common 0.8.1 I see

-> Host: mybucket.eu-west-3.amazonaws.com
-> Accept: */*
-> Accept-Encoding: deflate, gzip, br, zstd
-> User-Agent: paws/0.8.1 (R4.4.2; linux-gnu; x86_64)
-> Content-Length: 0
-> X-Amz-Security-Token: sequence of 235 letters/numbers

... Some more security related elements

-> 
TRACE [2025-02-17 14:11:26.556]: *  TLSv1.2 (IN), TLS header, Supplemental data (23):
TRACE [2025-02-17 14:11:26.556]: *  Mark bundle as not supporting multiuse
DEBUG [2025-02-17 14:11:26.556]: <- HTTP/1.1 400 Bad Request
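
The by-hand comparison in the comment above (the same HEAD request under two versions, with secrets replaced by their lengths) can be scripted so that full logs never have to be pasted. The Python below is an added example, not code from paws or from the thread participants; the function names, the constructed sample captures (made-up key ID, zeroed signature, tokens of the two lengths reported above) and the length plus short SHA-256 prefix used as a fingerprint are assumptions.

```python
import hashlib
import re

# Layout of the paws request log shown in this thread: the request line carries a
# "LEVEL [timestamp]: " prefix, the request header lines that follow do not.
REQ_START = re.compile(r"^[A-Z]+ \[[^\]]*\]: -> ([A-Z]+) (\S+) HTTP/[\d.]+$")
REQ_HEADER = re.compile(r"^-> ([A-Za-z0-9-]+): (.*)$")
RESP_STATUS = re.compile(r"^[A-Z]+ \[[^\]]*\]: <- HTTP/[\d.]+ (\d{3})")
SIGV4 = re.compile(
    r"^AWS4-HMAC-SHA256 Credential=([^/]*)/(\d{8})/([^/]+)/([^/]+)/aws4_request, "
    r"SignedHeaders=([^,]+), Signature=\S+$"
)
SENSITIVE = {"authorization", "x-amz-security-token"}


def parse_requests(log_text):
    """Split a log capture into requests with their headers and first response status."""
    requests, current = [], None
    for line in log_text.splitlines():
        line = line.strip()  # tolerate stray indentation from copy and paste
        m = REQ_START.match(line)
        if m:
            current = {"method": m.group(1), "path": m.group(2), "headers": {}, "status": None}
            requests.append(current)
            continue
        if current is None:
            continue
        m = REQ_HEADER.match(line)
        if m:
            current["headers"][m.group(1).lower()] = m.group(2)
            continue
        m = RESP_STATUS.match(line)
        if m and current["status"] is None:
            current["status"] = int(m.group(1))
    return requests


def fingerprint(secret):
    """Length plus a short hash prefix: tells two values apart without disclosing them."""
    return "len=%d sha256=%s" % (len(secret), hashlib.sha256(secret.encode()).hexdigest()[:8])


def summarize(request):
    """Reduce one parsed request to fields that are safe to paste into an issue."""
    headers = request["headers"]
    out = {"method": request["method"], "path": request["path"], "status": request["status"]}
    for name, value in headers.items():
        if name not in SENSITIVE:
            out["header:" + name] = value
    token = headers.get("x-amz-security-token")
    out["security_token"] = fingerprint(token) if token else None
    m = SIGV4.match(headers.get("authorization", ""))
    if m:
        key_id, _date, region, service, signed = m.groups()
        out["access_key_prefix"] = key_id[:4]  # "ASIA" = temporary STS key, "AKIA" = long-term key
        out["scope_region"], out["scope_service"] = region, service
        out["signed_headers"] = signed.split(";")
    return out


def diff_requests(old, new):
    """Return {field: (old_value, new_value)} for every summarized field that differs."""
    a, b = summarize(old), summarize(new)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def sample_log(level, version, accept, token, status):
    """Constructed capture in the layout shown on this page; every value is made up."""
    return "\n".join([
        f"{level} [2025-01-01 10:00:00.000]: -> HEAD /to/some/file/xyz.txt HTTP/1.1",
        "-> Host: mybucket.s3.eu-west-3.amazonaws.com",
        f"-> Accept: {accept}",
        "-> Accept-Encoding: deflate, gzip",
        f"-> User-Agent: paws/{version} (R4.4.2; linux-gnu; x86_64)",
        "-> Content-Length: 0",
        f"-> X-Amz-Security-Token: {token}",
        "-> X-Amz-Date: 20250101T100000Z",
        f"-> X-Amz-Content-Sha256: {hashlib.sha256(b'').hexdigest()}",
        "-> Authorization: AWS4-HMAC-SHA256 "
        "Credential=ASIACONSTRUCTED00000/20250101/eu-west-3/s3/aws4_request, "
        "SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date;x-amz-security-token, "
        "Signature=" + "0" * 64,
        "-> ",
        f"{level} [2025-01-01 10:00:00.050]: <- HTTP/1.1 {status}",
        f"{level} [2025-01-01 10:00:00.050]: <- Server: AmazonS3",
    ])


# Constructed inputs: token lengths mirror the 1068 and 235 characters reported above.
OLD_LOG = sample_log("INFO", "0.7.7", "application/json, text/xml, application/xml, */*",
                     "t" * 1068, "200 OK")
NEW_LOG = sample_log("DEBUG", "0.8.1", "*/*", "t" * 235, "400 Bad Request")

if __name__ == "__main__":
    old, new = parse_requests(OLD_LOG)[0], parse_requests(NEW_LOG)[0]
    for field, (before, after) in diff_requests(old, new).items():
        print(f"{field}: {before!r} -> {after!r}")
```

Only the differing fields are printed, and neither the session token nor the signature appears in the output.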

@DyfanJones
Member

With the paws.common 0.7.7 does it do a redirect? In my example above paws does a redirect. I wonder if it is failing in the redirect 🤔

Initially it does a Bad Request due to the wrong region getting signed. It then will do a redirect, getting the region details from the initial Bad Request.

@jwijffels
Author

jwijffels commented Feb 17, 2025

This is the 0.8.1 where I replaced my bucket to mybucket and the key

> resp <- client$head_object(Bucket = "mybucket", Key = "to/some/file/xyz.txt")
TRACE [2025-02-17 14:11:26.498]: *  Hostname mybucket.eu-west-3.amazonaws.com was found in DNS cache
TRACE [2025-02-17 14:11:26.499]: *    Trying 52.95.155.102:443...
TRACE [2025-02-17 14:11:26.500]: *  Connected to mybucket.s3.eu-west-3.amazonaws.com (52.95.155.102) port 443 (#6)
TRACE [2025-02-17 14:11:26.500]: *  ALPN, offering h2
TRACE [2025-02-17 14:11:26.500]: *  ALPN, offering http/1.1
TRACE [2025-02-17 14:11:26.545]: *   CAfile: /etc/ssl/certs/ca-certificates.crt
TRACE [2025-02-17 14:11:26.545]: *   CApath: /etc/ssl/certs
TRACE [2025-02-17 14:11:26.545]: *  TLSv1.0 (OUT), TLS header, Certificate Status (22):
TRACE [2025-02-17 14:11:26.545]: *  TLSv1.3 (OUT), TLS handshake, Client hello (1):
TRACE [2025-02-17 14:11:26.546]: *  TLSv1.2 (IN), TLS header, Certificate Status (22):
TRACE [2025-02-17 14:11:26.546]: *  TLSv1.3 (IN), TLS handshake, Server hello (2):
TRACE [2025-02-17 14:11:26.547]: *  TLSv1.2 (IN), TLS header, Finished (20):
TRACE [2025-02-17 14:11:26.547]: *  TLSv1.2 (IN), TLS header, Supplemental data (23):
TRACE [2025-02-17 14:11:26.547]: *  TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
TRACE [2025-02-17 14:11:26.547]: *  TLSv1.2 (IN), TLS header, Supplemental data (23):
TRACE [2025-02-17 14:11:26.547]: *  TLSv1.3 (IN), TLS handshake, Certificate (11):
TRACE [2025-02-17 14:11:26.549]: *  TLSv1.2 (IN), TLS header, Supplemental data (23):
TRACE [2025-02-17 14:11:26.549]: *  TLSv1.3 (IN), TLS handshake, CERT verify (15):
TRACE [2025-02-17 14:11:26.549]: *  TLSv1.2 (IN), TLS header, Supplemental data (23):
TRACE [2025-02-17 14:11:26.549]: *  TLSv1.3 (IN), TLS handshake, Finished (20):
TRACE [2025-02-17 14:11:26.549]: *  TLSv1.2 (OUT), TLS header, Finished (20):
TRACE [2025-02-17 14:11:26.549]: *  TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
TRACE [2025-02-17 14:11:26.549]: *  TLSv1.2 (OUT), TLS header, Supplemental data (23):
TRACE [2025-02-17 14:11:26.549]: *  TLSv1.3 (OUT), TLS handshake, Finished (20):
TRACE [2025-02-17 14:11:26.550]: *  SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
TRACE [2025-02-17 14:11:26.550]: *  ALPN, server accepted to use http/1.1
TRACE [2025-02-17 14:11:26.550]: *  Server certificate:
TRACE [2025-02-17 14:11:26.550]: *   subject: CN=*.s3.eu-west-3.amazonaws.com
TRACE [2025-02-17 14:11:26.550]: *   start date: Jan 17 00:00:00 2025 GMT
TRACE [2025-02-17 14:11:26.550]: *   expire date: Jan  6 23:59:59 2026 GMT
TRACE [2025-02-17 14:11:26.550]: *   subjectAltName: host "mybucket.s3.eu-west-3.amazonaws.com" matched cert's "*.s3.eu-west-3.amazonaws.com"
TRACE [2025-02-17 14:11:26.550]: *   issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
TRACE [2025-02-17 14:11:26.550]: *   SSL certificate verify ok.
TRACE [2025-02-17 14:11:26.550]: *  TLSv1.2 (OUT), TLS header, Supplemental data (23):
DEBUG [2025-02-17 14:11:26.551]: -> HEAD /to/some/file/xyz.txt HTTP/1.1

This is the 0.7.0 where I replaced my bucket to mybucket and the key

library(s3fs)
library(paws.storage)
options(paws.log_level = 5)
client <- s3(config(credentials()))
resp <- client$head_object(Bucket = "mybucket", Key = "to/some/file/xyz.txt")
DEBUG [2025-02-17 15:00:50.351]: *    Trying 3.5.224.150:443...
DEBUG [2025-02-17 15:00:50.353]: *  Connected to mybucket.s3.eu-west-3.amazonaws.com (3.5.224.150) port 443 (#0)
DEBUG [2025-02-17 15:00:50.355]: *  ALPN, offering h2
DEBUG [2025-02-17 15:00:50.355]: *  ALPN, offering http/1.1
DEBUG [2025-02-17 15:00:50.397]: *   CAfile: /etc/ssl/certs/ca-certificates.crt
DEBUG [2025-02-17 15:00:50.397]: *   CApath: /etc/ssl/certs
DEBUG [2025-02-17 15:00:50.397]: *  TLSv1.0 (OUT), TLS header, Certificate Status (22):
DEBUG [2025-02-17 15:00:50.397]: *  TLSv1.3 (OUT), TLS handshake, Client hello (1):
DEBUG [2025-02-17 15:00:50.399]: *  TLSv1.2 (IN), TLS header, Certificate Status (22):
DEBUG [2025-02-17 15:00:50.399]: *  TLSv1.3 (IN), TLS handshake, Server hello (2):
DEBUG [2025-02-17 15:00:50.399]: *  TLSv1.2 (IN), TLS header, Finished (20):
DEBUG [2025-02-17 15:00:50.399]: *  TLSv1.2 (IN), TLS header, Supplemental data (23):
DEBUG [2025-02-17 15:00:50.399]: *  TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
DEBUG [2025-02-17 15:00:50.399]: *  TLSv1.2 (IN), TLS header, Supplemental data (23):
DEBUG [2025-02-17 15:00:50.399]: *  TLSv1.3 (IN), TLS handshake, Certificate (11):
DEBUG [2025-02-17 15:00:50.402]: *  TLSv1.2 (IN), TLS header, Supplemental data (23):
DEBUG [2025-02-17 15:00:50.402]: *  TLSv1.3 (IN), TLS handshake, CERT verify (15):
DEBUG [2025-02-17 15:00:50.403]: *  TLSv1.2 (IN), TLS header, Supplemental data (23):
DEBUG [2025-02-17 15:00:50.403]: *  TLSv1.3 (IN), TLS handshake, Finished (20):
DEBUG [2025-02-17 15:00:50.403]: *  TLSv1.2 (OUT), TLS header, Finished (20):
DEBUG [2025-02-17 15:00:50.403]: *  TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
DEBUG [2025-02-17 15:00:50.403]: *  TLSv1.2 (OUT), TLS header, Supplemental data (23):
DEBUG [2025-02-17 15:00:50.403]: *  TLSv1.3 (OUT), TLS handshake, Finished (20):
DEBUG [2025-02-17 15:00:50.403]: *  SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
DEBUG [2025-02-17 15:00:50.403]: *  ALPN, server accepted to use http/1.1
DEBUG [2025-02-17 15:00:50.403]: *  Server certificate:
DEBUG [2025-02-17 15:00:50.403]: *   subject: CN=*.s3.eu-west-3.amazonaws.com
DEBUG [2025-02-17 15:00:50.403]: *   start date: Jan 17 00:00:00 2025 GMT
DEBUG [2025-02-17 15:00:50.403]: *   expire date: Jan  6 23:59:59 2026 GMT
DEBUG [2025-02-17 15:00:50.403]: *   subjectAltName: host "mybucket.s3.eu-west-3.amazonaws.com" matched cert's "*.s3.eu-west-3.amazonaws.com"
DEBUG [2025-02-17 15:00:50.403]: *   issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
DEBUG [2025-02-17 15:00:50.404]: *   SSL certificate verify ok.
DEBUG [2025-02-17 15:00:50.404]: *  TLSv1.2 (OUT), TLS header, Supplemental data (23):
INFO [2025-02-17 15:00:50.404]: -> HEAD /to/some/file/xyz.txt HTTP/1.1

@DyfanJones
Member

If you set options(paws.log_level = 4) for paws.common 0.8.1, that should remove the trace level. Currently the DNS cache and that shouldn't be needed.

@jwijffels
Author

jwijffels commented Feb 17, 2025

This is 0.7.0 where I replaced my bucket to mybucket and the key

library(s3fs)
library(paws.storage)
options(paws.log_level = 4)
client <- s3(config(credentials()))
resp <- client$head_object(Bucket = "mybucket", Key = "to/some/file/xyz.txt")

DEBUG [2025-02-17 15:07:17.006]: *    Trying 16.12.19.22:443...
DEBUG [2025-02-17 15:07:17.008]: *  Connected to mybucket.s3.eu-west-3.amazonaws.com (16.12.19.22) port 443 (#0)
DEBUG [2025-02-17 15:07:17.010]: *  ALPN, offering h2
DEBUG [2025-02-17 15:07:17.010]: *  ALPN, offering http/1.1
DEBUG [2025-02-17 15:07:17.052]: *   CAfile: /etc/ssl/certs/ca-certificates.crt
DEBUG [2025-02-17 15:07:17.052]: *   CApath: /etc/ssl/certs
DEBUG [2025-02-17 15:07:17.052]: *  TLSv1.0 (OUT), TLS header, Certificate Status (22):
DEBUG [2025-02-17 15:07:17.052]: *  TLSv1.3 (OUT), TLS handshake, Client hello (1):
DEBUG [2025-02-17 15:07:17.053]: *  TLSv1.2 (IN), TLS header, Certificate Status (22):
DEBUG [2025-02-17 15:07:17.053]: *  TLSv1.3 (IN), TLS handshake, Server hello (2):
DEBUG [2025-02-17 15:07:17.053]: *  TLSv1.2 (IN), TLS header, Finished (20):
DEBUG [2025-02-17 15:07:17.054]: *  TLSv1.2 (IN), TLS header, Supplemental data (23):
DEBUG [2025-02-17 15:07:17.054]: *  TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
DEBUG [2025-02-17 15:07:17.054]: *  TLSv1.2 (IN), TLS header, Supplemental data (23):
DEBUG [2025-02-17 15:07:17.054]: *  TLSv1.3 (IN), TLS handshake, Certificate (11):
DEBUG [2025-02-17 15:07:17.055]: *  TLSv1.2 (IN), TLS header, Supplemental data (23):
DEBUG [2025-02-17 15:07:17.055]: *  TLSv1.3 (IN), TLS handshake, CERT verify (15):
DEBUG [2025-02-17 15:07:17.055]: *  TLSv1.2 (IN), TLS header, Supplemental data (23):
DEBUG [2025-02-17 15:07:17.056]: *  TLSv1.3 (IN), TLS handshake, Finished (20):
DEBUG [2025-02-17 15:07:17.056]: *  TLSv1.2 (OUT), TLS header, Finished (20):
DEBUG [2025-02-17 15:07:17.056]: *  TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
DEBUG [2025-02-17 15:07:17.056]: *  TLSv1.2 (OUT), TLS header, Supplemental data (23):
DEBUG [2025-02-17 15:07:17.056]: *  TLSv1.3 (OUT), TLS handshake, Finished (20):
DEBUG [2025-02-17 15:07:17.056]: *  SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
DEBUG [2025-02-17 15:07:17.056]: *  ALPN, server accepted to use http/1.1
DEBUG [2025-02-17 15:07:17.056]: *  Server certificate:
DEBUG [2025-02-17 15:07:17.056]: *   subject: CN=*.s3.eu-west-3.amazonaws.com
DEBUG [2025-02-17 15:07:17.056]: *   start date: Jan 17 00:00:00 2025 GMT
DEBUG [2025-02-17 15:07:17.056]: *   expire date: Jan  6 23:59:59 2026 GMT
DEBUG [2025-02-17 15:07:17.056]: *   subjectAltName: host "mybucket.s3.eu-west-3.amazonaws.com" matched cert's "*.s3.eu-west-3.amazonaws.com"
DEBUG [2025-02-17 15:07:17.056]: *   issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M01
DEBUG [2025-02-17 15:07:17.056]: *   SSL certificate verify ok.
DEBUG [2025-02-17 15:07:17.057]: *  TLSv1.2 (OUT), TLS header, Supplemental data (23):
INFO [2025-02-17 15:07:17.057]: -> HEAD /to/some/file/xyz.txt HTTP/1.1
-> Host: mybucket.s3.eu-west-3.amazonaws.com
-> Accept-Encoding: deflate, gzip, br, zstd
-> Accept: application/json, text/xml, application/xml, */*
-> User-Agent: paws/0.7.7 (R4.4.2; linux-gnu; x86_64)
-> Content-Length: 0
-> X-Amz-Security-Token: -----------------------------------
-> X-Amz-Date: 20250217T140716Z
-> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-> Authorization: AWS4-HMAC-SHA256 Credential=-----------------------------------/20250217/eu-west-3/s3/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=-----------------------------------
-> 
DEBUG [2025-02-17 15:07:17.131]: *  TLSv1.2 (IN), TLS header, Supplemental data (23):
DEBUG [2025-02-17 15:07:17.131]: *  Mark bundle as not supporting multiuse
INFO [2025-02-17 15:07:17.131]: <- HTTP/1.1 200 OK
INFO [2025-02-17 15:07:17.131]: <- x-amz-id-2: -----------------------------------
INFO [2025-02-17 15:07:17.131]: <- x-amz-request-id: -----------------------------------
INFO [2025-02-17 15:07:17.131]: <- Date: Mon, 17 Feb 2025 14:07:18 GMT
INFO [2025-02-17 15:07:17.132]: <- Last-Modified: Sun, 16 Feb 2025 20:58:09 GMT
INFO [2025-02-17 15:07:17.132]: <- x-amz-expiration: expiry-date="Wed, 19 Mar 2025 00:00:00 GMT", rule-id="Expire-30-days-and-NonCurrent-1-day"
INFO [2025-02-17 15:07:17.132]: <- ETag: -----------------------------------
INFO [2025-02-17 15:07:17.132]: <- x-amz-server-side-encryption: aws:kms
INFO [2025-02-17 15:07:17.132]: <- x-amz-server-side-encryption-aws-kms-key-id: -----------------------------------
INFO [2025-02-17 15:07:17.132]: <- x-amz-server-side-encryption-bucket-key-enabled: true
INFO [2025-02-17 15:07:17.132]: <- x-amz-version-id: -----------------------------------
INFO [2025-02-17 15:07:17.132]: <- Accept-Ranges: bytes
INFO [2025-02-17 15:07:17.132]: <- Content-Type: binary/octet-stream
INFO [2025-02-17 15:07:17.132]: <- Content-Length: 202
INFO [2025-02-17 15:07:17.132]: <- Server: AmazonS3
INFO [2025-02-17 15:07:17.132]: <- 
DEBUG [2025-02-17 15:07:17.132]: *  Connection #0 to host mybucket.s3.eu-west-3.amazonaws.com left intact

This is 0.8.0
It does mention: S3 client configured for region eu-west-3 but the bucket mybucket is in region eu-west-3; Please configure the proper region to avoid multiple unnecessary redirects and signing attempts.

library(s3fs)
library(paws.storage)
options(paws.log_level = 4)
client <- s3(config(credentials()))
resp <- client$head_object(Bucket = "mybucket", Key = "to/some/file/xyz.txt")

DEBUG [2025-02-17 15:11:21.005]: -> HEAD /to/some/file/xyz.txt HTTP/1.1
-> Host: mybucket.s3.eu-west-3.amazonaws.com
-> Accept: */*
-> Accept-Encoding: deflate, gzip, br, zstd
-> User-Agent: paws/0.8.1 (R4.4.2; linux-gnu; x86_64)
-> Content-Length: 0
-> X-Amz-Security-Token: -----------------------------------
-> X-Amz-Date: 20250217T141120Z
-> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-> Authorization: AWS4-HMAC-SHA256 Credential=-----------------------------------/20250217/eu-west-3/s3/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=-----------------------------------
-> 
DEBUG [2025-02-17 15:11:21.011]: <- HTTP/1.1 400 Bad Request
DEBUG [2025-02-17 15:11:21.011]: <- x-amz-request-id: -----------------------------------
DEBUG [2025-02-17 15:11:21.011]: <- x-amz-id-2: -----------------------------------
DEBUG [2025-02-17 15:11:21.011]: <- Content-Type: application/xml
DEBUG [2025-02-17 15:11:21.011]: <- Transfer-Encoding: chunked
DEBUG [2025-02-17 15:11:21.011]: <- Date: Mon, 17 Feb 2025 14:11:20 GMT
DEBUG [2025-02-17 15:11:21.012]: <- Connection: close
DEBUG [2025-02-17 15:11:21.012]: <- Server: AmazonS3
DEBUG [2025-02-17 15:11:21.012]: <- 
DEBUG [2025-02-17 15:11:21.078]: -> HEAD / HTTP/1.1
-> Host: mybucket.s3.eu-west-3.amazonaws.com
-> Accept: */*
-> Accept-Encoding: deflate, gzip, br, zstd
-> User-Agent: paws/0.8.1 (R4.4.2; linux-gnu; x86_64)
-> Content-Length: 0
-> X-Amz-Security-Token: -----------------------------------
-> X-Amz-Date: 20250217T141121Z
-> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-> Authorization: AWS4-HMAC-SHA256 Credential=-----------------------------------/20250217/eu-west-3/s3/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=-----------------------------------
-> 
DEBUG [2025-02-17 15:11:21.084]: <- HTTP/1.1 400 Bad Request
DEBUG [2025-02-17 15:11:21.084]: <- x-amz-bucket-region: eu-west-3
DEBUG [2025-02-17 15:11:21.084]: <- x-amz-request-id: -----------------------------------
DEBUG [2025-02-17 15:11:21.084]: <- x-amz-id-2: -----------------------------------
DEBUG [2025-02-17 15:11:21.084]: <- Content-Type: application/xml
DEBUG [2025-02-17 15:11:21.084]: <- Transfer-Encoding: chunked
DEBUG [2025-02-17 15:11:21.085]: <- Date: Mon, 17 Feb 2025 14:11:20 GMT
DEBUG [2025-02-17 15:11:21.085]: <- Connection: close
DEBUG [2025-02-17 15:11:21.085]: <- Server: AmazonS3
DEBUG [2025-02-17 15:11:21.085]: <- 
DEBUG [2025-02-17 15:11:21.087]: S3 client configured for region eu-west-3 but the bucket mybucket is in region eu-west-3; Please configure the proper region to avoid multiple unnecessary redirects and signing attempts.
DEBUG [2025-02-17 15:11:21.156]: -> HEAD / HTTP/1.1
-> Host: mybucket.s3.eu-west-3.amazonaws.com
-> Accept: */*
-> Accept-Encoding: deflate, gzip, br, zstd
-> User-Agent: paws/0.8.1 (R4.4.2; linux-gnu; x86_64)
-> Content-Length: 0
-> X-Amz-Security-Token: -----------------------------------
-> X-Amz-Date: 20250217T141121Z
-> X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
-> Authorization: AWS4-HMAC-SHA256 Credential=-----------------------------------/20250217/eu-west-3/s3/aws4_request, SignedHeaders=content-length;host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=-----------------------------------
-> 
DEBUG [2025-02-17 15:11:21.163]: <- HTTP/1.1 400 Bad Request
DEBUG [2025-02-17 15:11:21.163]: <- x-amz-bucket-region: eu-west-3
DEBUG [2025-02-17 15:11:21.163]: <- x-amz-request-id: -----------------------------------
DEBUG [2025-02-17 15:11:21.163]: <- x-amz-id-2: -----------------------------------
DEBUG [2025-02-17 15:11:21.163]: <- Content-Type: application/xml
DEBUG [2025-02-17 15:11:21.163]: <- Transfer-Encoding: chunked
DEBUG [2025-02-17 15:11:21.163]: <- Date: Mon, 17 Feb 2025 14:11:20 GMT
DEBUG [2025-02-17 15:11:21.163]: <- Connection: close
DEBUG [2025-02-17 15:11:21.163]: <- Server: AmazonS3
DEBUG [2025-02-17 15:11:21.164]: <- 
DEBUG [2025-02-17 15:11:21.166]: S3 request was previously redirected, not redirecting.
Error: SerializationError (HTTP 400). An error occurred when calling the HeadBucket operation: Bad Request

The X-Amz-Security-Token values are different between the 2 versions.

@DyfanJones
Member

I wouldn't expect X-Amz-Security-Token to be the same with each session. Paws does an sso call to get an assumed role for each session. So I would expect different X-Amz-Security-Token for each R session of paws.common 0.7.7

@DyfanJones
Member

What happens when you have paws.storage 0.7.0 and paws.common 0.8.0? I am wondering if it is the endpoints that are causing this 🤔, as there is no redirect in 0.7.7 paws.common.

@DyfanJones
Member

This is a very odd logging message:

DEBUG [2025-02-17 15:11:21.087]: S3 client configured for region eu-west-3 but the bucket mybucket is in region eu-west-3; Please configure the proper region to avoid multiple unnecessary redirects and signing attempts.

@jwijffels
Author

> I wouldn't expect X-Amz-Security-Token to be the same with each session. Paws does an sso call to get an assumed role for each session. So I would expect different X-Amz-Security-Token for each R session of paws.common 0.7.7

In 0.8.0 I see for X-Amz-Security-Token a sequence of 235 letters/numbers
In 0.7.7 I see for X-Amz-Security-Token a sequence of 1068 letters/numbers

@DyfanJones
Member

Oh, that is interesting. Yes, I would expect a similar length for the security token.

@DyfanJones DyfanJones added the bug 🐞 Something isn't working label Feb 17, 2025
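
The two observations in this thread (a region diagnostic that names eu-west-3 on both sides, and X-Amz-Security-Token values of different lengths) can be read off a captured debug log without printing the token itself. The base-R sketch below is an added example, not code from paws or from either participant; `sample_log`, `capture`, `summarise_exchanges` and `region_ruled_out` are hypothetical helper names, and the log lines are constructed in the shape of the output above with filler tokens.

```r
# Constructed log in the shape of the paws DEBUG output; the token is filler.
sample_log <- function(token_len) {
  exchange <- function(path, extra = NULL) c(
    paste0("DEBUG [2025-02-17 15:11:21.005]: -> HEAD ", path, " HTTP/1.1"),
    "-> Host: mybucket.s3.eu-west-3.amazonaws.com",
    paste0("-> X-Amz-Security-Token: ", strrep("A", token_len)),
    paste0("-> Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20250217/",
           "eu-west-3/s3/aws4_request, SignedHeaders=host, Signature=00"),
    "DEBUG [2025-02-17 15:11:21.011]: <- HTTP/1.1 400 Bad Request", extra)
  c(exchange("/to/some/file/xyz.txt"),
    exchange("/", "DEBUG [2025-02-17 15:11:21.084]: <- x-amz-bucket-region: eu-west-3"))
}

# First capture group of `pattern` found in any line of `x`, or NA when absent.
capture <- function(pattern, x) {
  hit <- regmatches(x, regexec(pattern, x, perl = TRUE))
  hit <- Filter(function(m) length(m) == 2, hit)
  if (length(hit) == 0) NA_character_ else hit[[1]][2]
}

# One row per request/response exchange; only the token's length is kept.
summarise_exchanges <- function(lines) {
  id <- cumsum(grepl("-> [A-Z]+ \\S+ HTTP/", lines))   # request line starts an exchange
  rows <- lapply(split(lines[id > 0], id[id > 0]), function(g) data.frame(
    request       = capture("-> ([A-Z]+ \\S+) HTTP/", g),
    status        = as.integer(capture("<- HTTP/[0-9.]+ (\\d{3})", g)),
    host_region   = capture("Host: \\S+\\.s3\\.([a-z0-9-]+)\\.amazonaws\\.com", g),
    sign_region   = capture("Credential=[^/]+/\\d{8}/([a-z0-9-]+)/s3/aws4_request", g),
    bucket_region = capture("x-amz-bucket-region: (\\S+)", g),
    token_chars   = nchar(capture("X-Amz-Security-Token: (\\S+)", g)),
    stringsAsFactors = FALSE))
  do.call(rbind, rows)
}

# TRUE where a 400 cannot be blamed on a region mismatch: the endpoint, the
# SigV4 credential scope and (when reported) the bucket region all agree.
region_ruled_out <- function(df) {
  same <- df$host_region == df$sign_region &
    (is.na(df$bucket_region) | df$bucket_region == df$host_region)
  df$status %in% 400L & !is.na(same) & same
}

for (n in c(1068, 235)) {   # token lengths reported in the thread
  df <- summarise_exchanges(sample_log(n))
  df$region_ruled_out <- region_ruled_out(df)
  print(df)
}
```

On a log where the token has been redacted, as in the output posted above, `token_chars` only counts the redaction characters, so compare lengths on the unredacted capture locally.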