aws-sdk-s3: intermittent SignatureDoesNotMatch errors #3039

Closed
grk opened this issue Jun 7, 2024 · 7 comments
Labels: bug, investigating

grk commented Jun 7, 2024

Describe the bug

Uploading a file with specific unicode characters in filename causes intermittent signature errors.

Expected Behavior

The file should upload every time.

Current Behavior

The upload fails with

The request signature we calculated does not match the signature you provided. Check your key and signing method. (Aws::S3::Errors::SignatureDoesNotMatch)

and succeeds eventually after a few tries.

Reproduction Steps

client = Aws::S3::Client.new(...)
client.put_object(
  content_type: "text/plain",
  content_disposition: "inline; filename=\"נ\"",
  acl: 'private',
  cache_control: 'private, no-transform, max-age=3600, must-revalidate',
  server_side_encryption: 'AES256',
  bucket: 'some-bucket',
  key: "some-key",
  body: "foobar"
)

causes

[...]ruby/3.3.2/lib/ruby/gems/3.3.0/gems/aws-sdk-core-3.197.0/lib/seahorse/client/plugins/raise_response_errors.rb:18:in `call': The request signature we calculated does not match the signature you provided. Check your key and signing method. (Aws::S3::Errors::SignatureDoesNotMatch)

hooking into the response of the failing requests gives the following output:

irb(#<Seahorse::Client::Plugins::...):004> context.http_response.body.read
=> "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>[...]</AWSAccessKeyId><StringToSign>AWS4-HMAC-SHA256\n20240607T124923Z\n20240607/us-east-1/s3/aws4_request\nc2173ad73cd3dcc7e19a88cd7dc3e37c804a72bd36c3288af2ceaddca4fb84ce</StringToSign><SignatureProvided>ca0910ef5b5ed790804b222c07e19f00e7ea967772d95b7853e893c00e36e344</SignatureProvided><StringToSignBytes>41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 34 30 36 30 37 54 31 32 34 39 32 33 5a 0a 32 30 32 34 30 36 30 37 2f 75 73 2d 65 61 73 74 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 63 32 31 37 33 61 64 37 33 63 64 33 64 63 63 37 65 31 39 61 38 38 63 64 37 64 63 33 65 33 37 63 38 30 34 61 37 32 62 64 33 36 63 33 32 38 38 61 66 32 63 65 61 64 64 63 61 34 66 62 38 34 63 65</StringToSignBytes><CanonicalRequest>PUT\n/[bucket_name]\n\namz-sdk-invocation-id:d65925f2-96de-4b6a-9f42-43452266ab01\ncache-control:private, no-transform, max-age=3600, must-revalidate\ncontent-disposition:inline; filename=\"\"\ncontent-md5:OFj2IjCsPJFfMAxmQxLGPw==\ncontent-type:text/plain\nhost:[host]\nx-amz-acl:private\nx-amz-content-sha256:c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2\nx-amz-date:20240607T124923Z\nx-amz-server-side-encryption:AES256\n\namz-sdk-invocation-id;cache-control;content-disposition;content-md5;content-type;host;x-amz-acl;x-amz-content-sha256;x-amz-date;x-amz-server-side-encryption\nc3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2</CanonicalRequest><CanonicalRequestBytes>[...]</CanonicalRequestBytes><RequestId>DWH3G1C8CH1B1X4P</RequestId><HostId>7yW3Xj8rGL4Pesy70A/xjgGj+RuS1DD8coEHdunUeFsxXz9c6hD4uawPhZlzh8evKYya4nu2fIKO8GSS9wiEUA==</HostId></Error>"

(omitted bucket names and thus CanonicalRequestBytes, please let me know if they would be useful for debugging).

Possible Solution

No response

Additional Information/Context

No response

Gem name ('aws-sdk', 'aws-sdk-resources' or service gems like 'aws-sdk-s3') and its version

aws-sdk-s3 1.152.0

Environment details (Version of Ruby, OS environment)

macOS 14.5, Ruby 3.3.2

grk added the bug and needs-triage labels Jun 7, 2024
@mullermp
Contributor

mullermp commented Jun 7, 2024

Thank you for opening an issue. We've seen another report of this; we're currently investigating. I am also using the latest versions s3 1.152.0 and core 3.197.0 source from GitHub. By chance, is your bucket in us-east-1? Do you encounter any issue with other regions such as us-west-2?

@mullermp
Contributor

mullermp commented Jun 7, 2024

Based on what I can tell, I am inclined to believe this is a service side issue. Trying very old SDK versions, old Ruby versions, and old OpenSSL versions, I can sometimes reproduce this. I'll engage S3.

jterapin added the investigating label and removed the needs-triage label Jun 7, 2024
@mullermp
Contributor

Are you still seeing this? I'm not able to consistently reproduce anymore.

@mullermp
Contributor

This is no longer happening as far as I can tell. We have an internal support ticket where we are asking S3 for an investigation and root cause. I am closing this for now. Please comment if you're still seeing this.


This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.

@grk
Author

grk commented Jun 18, 2024

Thanks for resolving this, was on vacation and couldn't reply. We worked around that by escaping the filename with Rails built-in ActionDispatch::Http::ContentDisposition.format (https://github.com/rails/rails/blob/main/actionpack/lib/action_dispatch/http/content_disposition.rb#L8)
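Added illustration (not part of the thread and not SDK or Rails code): a SigV4 signature covers the SHA-256 of the canonical request, so if the signer and the verifier see different bytes in a signed header, the signatures cannot match. An RFC 6266 / RFC 5987 style ASCII-only Content-Disposition, as in the workaround above, removes that dependency. The `lossy_view` model (a verifier that drops non-ASCII characters, suggested by the `filename=""` in the CanonicalRequest above), the host name, the path and all function names are assumptions.

```ruby
require 'openssl'

# SHA-256 of a SigV4 canonical request for a PUT with the given signed headers.
# Method, path and payload are constructed sample values.
def canonical_request_hash(headers)
  names = headers.keys.sort
  canonical_headers = names.map { |n| "#{n}:#{headers[n].strip.gsub(/\s+/, ' ')}\n" }.join
  payload_hash = OpenSSL::Digest::SHA256.hexdigest('foobar')
  request = ['PUT', '/some-key', '', canonical_headers, names.join(';'), payload_hash].join("\n")
  OpenSSL::Digest::SHA256.hexdigest(request)
end

# Assumed failure model: the verifier loses non-ASCII characters before canonicalizing.
def lossy_view(headers)
  headers.transform_values { |v| v.gsub(/[^[:ascii:]]/, '') }
end

# ASCII fallback filename plus percent-encoded UTF-8 filename* (RFC 5987 attr-char set).
def ascii_content_disposition(disposition, filename)
  fallback = filename.gsub(/[^[:ascii:]]/, '?').gsub(/["\\]/, '_')
  encoded = filename.bytes.map do |b|
    b.chr.match?(/\A[A-Za-z0-9!$&+.^_`|~#-]\z/) ? b.chr : format('%%%02X', b)
  end.join
  %(#{disposition}; filename="#{fallback}"; filename*=UTF-8''#{encoded})
end

# True when signer and lossy verifier derive the same canonical request hash.
def signatures_agree?(headers)
  canonical_request_hash(headers) == canonical_request_hash(lossy_view(headers))
end

# Constructed sample headers; the host is a placeholder.
base = { 'content-type' => 'text/plain', 'host' => 'bucket.example.invalid' }
raw  = base.merge('content-disposition' => "inline; filename=\"\u05E0\"")
safe = base.merge('content-disposition' => ascii_content_disposition('inline', "\u05E0"))

puts safe['content-disposition']
puts "raw header agrees:  #{signatures_agree?(raw)}"
puts "safe header agrees: #{signatures_agree?(safe)}"
```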

@mullermp
Contributor

You shouldn't need to do anything different. It was an issue on the service side. They were trying to fix an issue but their fix caused this issue. It's actively being worked on again.
