S3 - The authorization header is malformed; the region 'vpce' is wrong;

Question

S3 - The authorization header is malformed; the region 'vpce' is wrong;

grochoge opened this issue a year ago · 5 comments

Describe the bug

I'm running into this via the Jenkins artifact-manager-s3-plugin, but it appears to ultimately coming from the Java SDK based on someone reporting the issue in aws-amplify/aws-sdk-android#3018.

Expected Behavior

S3 client works with VPC interface endpoints

Current Behavior

GET https://BUCKETNAME.bucket.vpce-0123456789abcdef0-tiydc1f7.s3.us-east-1.vpce.amazonaws.com/?delimiter=/&prefix=BUCKETPREFIX/ HTTP/1.1 failed with code 400, error: AWSError{requestId='XPPHVG85015KESAZ', requestToken='REDACTED', code='AuthorizationHeaderMalformed', message='The authorization header is malformed; the region 'vpce' is wrong; expecting 'us-east-1'', context='{Region=us-east-1, HostId=REDACTED}'}

Reproduction Steps

I have not tried yet, but I suspect adding the following test to aws-java-sdk-core/src/test/java/com/amazonaws/regions/EndpointToRegionTest.java should reproduce the issue but have yet to try:

    @Test
    public void guessRegionForHostname_returnsRegionFromS3VPCEndpoint() {
        verifyRegionAndPartitionForHostname("us-east-1", "aws", "bucketname.bucket.vpce-0123456789abcdef0-tiydc1f7.s3.us-east-1.vpce.amazonaws.com");
    }

Possible Solution

Fix region parsing

Additional Information/Context

No response

AWS Java SDK version used

1.12.586

JDK version used

OpenJDK Runtime Environment Temurin-17.0.9+9 (build 17.0.9+9)

Operating System and version

Docker image jenkins:lts-jdk17

Answer 1 · 2023-12-19T01:57:20.000Z

@grochoge thank you for reaching out. You are probably running into the same issue reported here - #2858 (comment)

The SDK 1.x logic that tries to guess the region from an endpoint does not work for vpce endpoints.

Which S3 API are you calling?

Answer 2 · 2023-12-20T00:02:49.000Z

In the case mentioned originally it's listing the bucket. But we'll also need getting/putting objects and creating signed URLs.

Answer 3 · 2023-12-29T10:31:41.000Z

we will forewed to senior

Answer 4 · 2024-06-19T00:26:57.000Z

Hi @grochoge

This won't get fixed in v1. A workaround is provided in my comment here. V2 s3 client code is generated so I don't think this is an issue in v2, but if you see otherwise please open a new issue in the v2 repo.

Reference:

Announcing end-of-support for AWS SDK for Java v1.x effective December 31, 2025 - blog post

Answer 5 · 2024-06-19T00:27:39.000Z

This issue is now closed.

Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.