This repository has been archived by the owner on Sep 30, 2024. It is now read-only.

Net::Amazon::S3::Signature::V4 does not support session tokens. #43

Closed
galenhuntington opened this issue Jan 3, 2019 · 11 comments

Comments

@galenhuntington

They appear to never be included in the request, which means that (e.g.) use_iam_role requests always fail with a "forbidden" error whenever V4 is used.

My workaround is to force use of V2 for all requests. Maybe until this is fixed that should be done throughout Net::Amazon::S3, as the current configuration breaks any workflow that requires security tokens.
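As an added illustration (not code from Net::Amazon::S3 or from any commenter), this Python sketch shows where a session token enters a header-signed AWS Signature V4 S3 GET: it is sent as `x-amz-security-token` and listed among the signed headers. The function name `sign_s3_get` and every credential value are constructed for the example.

```python
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a bodyless GET

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_s3_get(host, path, region, amz_date, access_key, secret_key,
                session_token=None):
    """Return headers for a SigV4-signed S3 GET (path already URI-encoded)."""
    headers = {
        "host": host,
        "x-amz-content-sha256": EMPTY_SHA256,
        "x-amz-date": amz_date,
    }
    # Temporary credentials (IAM role / STS) carry a session token. S3 expects
    # it as x-amz-security-token and expects it to be covered by the signature.
    if session_token is not None:
        headers["x-amz-security-token"] = session_token

    names = sorted(headers)
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    signed_headers = ";".join(names)
    # Method, URI, empty query string, headers, signed header list, payload hash.
    canonical_request = "\n".join(
        ["GET", path, "", canonical_headers, signed_headers, EMPTY_SHA256])

    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])

    # Signing key: HMAC chain over date, region, service, "aws4_request".
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers

if __name__ == "__main__":
    # Constructed values, not real credentials.
    for name, value in sign_s3_get(
            "examplebucket.s3.amazonaws.com", "/test.txt", "us-east-1",
            "20130524T000000Z", "ASIAEXAMPLEKEY", "constructed-secret",
            session_token="constructed-session-token").items():
        print(f"{name}: {value}")
```

A signer that omits the token produces a request that names a temporary access key without the token that goes with it, which matches the "forbidden" responses described in this issue.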

@branislav-zahradnik-gdc

Thank you for the report.

Fixing this may take a while :-( To be honest I have no idea how these security tokens work, so a lot of googling / reading ahead.

@ranguard
Collaborator

ranguard commented Jan 3, 2019

Hi @galenhuntington maybe try using https://metacpan.org/pod/Paws::S3 ?

@branislav-zahradnik-gdc other than size and interface design (which I like much better), is there any specific advantage this package has over Paws::S3? - should we consider just wrapping it? - just throwing ideas out there.

@ranguard
Collaborator

ranguard commented Jan 3, 2019

Oh! Not sure https://metacpan.org/pod/Paws::S3 supports session tokens either?

@galenhuntington
Author

Paws::S3 is not ready for production, or at least it emits this warning:

Paws::S3 is not stable / supported / entirely developed.

See pplu/aws-sdk-perl#244. I don't know if it supports tokens, but I assume it does.

Anyway, Paws has potential, but it does lack object-oriented abstraction. E.g., there is no "bucket object", but rather a bunch of flat API calls each of which includes the bucket name.

As for this project, it seems best to disable V4 until it is fully implemented.

@branislav-zahradnik-gdc

@ranguard in the long run maybe. For now Paws says not stable, is way too complex, and it doesn't support signed URI operations (minor but crucial).

@ranguard
Collaborator

ranguard commented Jan 3, 2019

All good points - thanks, thought it was actually further along!

@CWallace-dealersocket

Amazon is dropping support for requests using the V2 signature method on June 24th 2019. So in a couple of months, using the workaround by forcing the V2 method will no longer work.

branislav-zahradnik-gdc added a commit to branislav-zahradnik-gdc/net-amazon-s3 that referenced this issue Apr 3, 2019
When used with IAM roles security token is mandatory part of authorization data.

Fix: rustyconover#43
@branislav-zahradnik-gdc

@galenhuntington Fix created but solely based on documentation. I never used IAM roles before so I'm not sure whether I tested it properly.

@edencrane

This fix works for me. Thank you!

branislav-zahradnik-gdc added a commit to branislav-zahradnik-gdc/net-amazon-s3 that referenced this issue Apr 3, 2019
When used with IAM roles session token is part of authorization data.

Fix: rustyconover#43
@galenhuntington
Author

@branislav-zahradnik-gdc it is working for me too. Awesome, thanks!

@ranguard
Collaborator

ranguard commented Apr 3, 2019

I'll do a release in the next couple of days.
