S3 endpoints not working 5.19.6 and 5.20.3rc :: Support Forum

mprewitt007
Joined:: 2018-11-29
Posts:: 12
Location:: United States

S3 endpoints not working 5.19.6 and 5.20.3rc

2022-06-02 17:38

Good Day,
We use S3 extensively and WinSCP is our preference.
Starting today we noticed that some of our buckets are getting this error:

The request signature we calculated does not match the signature you provided. Check your key and signing method.

I've posted the full error below and will upload a scrubbed log as well.
FileZilla Pro still works with no issue, and some S3 buckets work with no issue.
We've checked the IAM key and endpoints and tried this from other computers

The request signature we calculated does not match the signature you provided. Check your key and signing method.
Extra Details: AWSAccessKeyId: XXXXremovedXXXX, StringToSign: AWS4-HMAC-SHA256
20220602T163240Z
20220602/us-east-1/s3/aws4_request
98ae89429d771c6de6adac4db0063fb2a06be38c8ba0c36962586444e2b6f4ec, SignatureProvided: 51b7d1201f713d8cbf1ec3f586356b8a91da3960bda48ed1a2cb8a7fde3b4b92, StringToSignBytes: 41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 32 30 36 30 32 54 31 36 33 32 34 30 5a 0a 32 30 32 32 30 36 30 32 2f 75 73 2d 65 61 73 74 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 39 38 61 65 38 39 34 32 39 64 37 37 31 63 36 64 65 36 61 64 61 63 34 64 62 30 30 36 33 66 62 32 61 30 36 62 65 33 38 63 38 62 61 30 63 33 36 39 36 32 35 38 36 34 34 34 65 32 62 36 66 34 65 63, CanonicalRequest: GET
/XXXXX bucketname removed xxx/
delimiter=%2F&max-keys=1&prefix=ingest%2F
host:s3.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20220602T163240Z

host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, CanonicalRequestBytes: 47 45 54 0a 2f 74 65 6e 61 6e 74 2d 64 72 6f 70 31 34 2d 6f 64 6f 6e 6e 65 6c 6c 63 68 72 69 73 74 6f 70 68 65 72 2d 65 64 64 6d 2f 0a 64 65 6c 69 6d 69 74 65 72 3d 25 32 46 26 6d 61 78 2d 6b 65 79 73 3d 31 26 70 72 65 66 69 78 3d 69 6e 67 65 73 74 25 32 46 0a 68 6f 73 74 3a 73 33 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 0a 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35 0a 78 2d 61 6d 7a 2d 64 61 74 65 3a 32 30 32 32 30 36 30 32 54 31 36 33 32 34 30 5a 0a 0a 68 6f 73 74 3b 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3b 78 2d 61 6d 7a 2d 64 61 74 65 0a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35, RequestId: GCBFKH2SK2H5R9KG, HostId: P0k6v48phktgDYZSstp98aLtyfO4LXS6d7vp8tzaycDGgV6nnidsg0AzVrFrpqPIoIuNXDH0KgI=
Connection failed.

session@s3.amazonaws.com.log (42.38 KB, Private file)

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,951
Location:: Prague, Czechia

Re: S3 endpoints not working 5.19.6 and 5.20.3rc

2022-06-06

Thanks for your report. Would you able to reproduce the problem with some test public bucket that you can share with us?

Reply with quote

mprewitt007
Joined:: 2018-11-29
Posts:: 12
Location:: United States

s3 endpoint issues

2022-06-07 17:29

Do you have a public test bucket in mind as none of our buckets are public.
We are able to access some bucket.
We did isolate that accelerated endpoints are not working.
Normal s3 some work, some don't.
All our buckets are in east-1.
The ones we have working have an aws transfer in front of them, so are using ppks for authentication instead of accesskey & secrets.
I have a client who can access it, but it drops connection every so often without retrying and he's having to manually reconnect. He's using 5.20rc3

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,951
Location:: Prague, Czechia

Re: s3 endpoint issues

2022-06-09

mprewitt007 wrote:

Do you have a public test bucket in mind as none of our buckets are public.

I understand that. I was asking you would be able to create a test public bucket that would have the problem.

The ones we have working have an aws transfer in front of them, so are using ppks for authentication instead of accesskey & secrets.

So actually does any S3 bucket work for you, when you are connecting using S3 protocol? The buckets you are accessing via SFTP are irrelevant to this problem.

Reply with quote

mprewitt007
Joined:: 2018-11-29
Posts:: 12
Location:: United States

s3 buckets

2022-06-09 17:45

Ok, after testing, only some buckets are not working, so we are double checking this.
We did realize that we were using an accelerated endpoint, not the default "s3.amazonaws.com"
We had accelerated a bucket, which provides a new bucket name.
Our other tools supported this, so we just assumed WinSCP did, but it apparently provides a 403 error in the logs using an accelerated path.
Is this a known issue?

Reply with quote

martin◆ Site Admin

Re: s3 buckets

2022-06-13

I've didn't hear about accelerated endpoint until now. I'll check that.

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,951
Location:: Prague, Czechia

Re: s3 buckets

2022-06-20

I have create a new bucket, enabled S3 transfer acceleration on it.

I've configured WinSCP to connect via s3-accelerate.amazonaws.com (instead of the default s3.amazonaws.com). But I still can work with the bucket without any problem.

Where do we differ? Can you post a session log file?

Reply with quote

ACG
Joined:: 2023-11-28
Posts:: 8
Location:: NL

Same issue, don't know what to do

2023-11-28 14:39

A supplier gave me the S3 endpoint and I am trying to connect with WinSCP but getting the following error

The request signature we calculated does not match the signature you provided. Check your key and signing method.
Extra Details: AWSAccessKeyId: XXXXremovedXXXX, StringToSign: AWS4-HMAC-SHA256
20231128T115438Z
20231128/eu-central-1/s3/aws4_request
f066766405090062e0cf5e71c50e2bf81e2b4a49a2a0612b01cef68fb0cca78b,
SignatureProvided: 5bd7a1b4d8167fb94d62d1e4a08f37e937a26bf0fb56e99538a8f60281f2ce39,
StringToSignBytes: 41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 33 31 31 32 38 54 31 31 35 34 33 38 5a 0a 32 30 32 33 31 31 32 38 2f 65 75 2d 63 65 6e 74 72 61 6c 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 66 30 36 36 37 36 36 34 30 35 30 39 30 30 36 32 65 30 63 66 35 65 37 31 63 35 30 65 32 62 66 38 31 65 32 62 34 61 34 39 61 32 61 30 36 31 32 62 30 31 63 65 66 36 38 66 62 30 63 63 61 37 38 62,
CanonicalRequest: GET
/[bucket subdirectory name/
max-keys=1
host:[bucket name].s3.eu-central-1.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20231128T115438Z

host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,
CanonicalRequestBytes: 47 45 54 0a 2f 6b 70 6d 67 2f 0a 6d 61 78 2d 6b 65 79 73 3d 31 0a 68 6f 73 74 3a 69 63 2d 69 6e 74 65 67 72 61 74 69 6f 6e 73 2e 73 33 2e 65 75 2d 63 65 6e 74 72 61 6c 2d 31 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 0a 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35 0a 78 2d 61 6d 7a 2d 64 61 74 65 3a 32 30 32 33 31 31 32 38 54 31 31 35 34 33 38 5a 0a 0a 68 6f 73 74 3b 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3b 78 2d 61 6d 7a 2d 64 61 74 65 0a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35,
RequestId: C8Q9PNXXHPQPEFC3,
HostId: K2MfMucDzIk9QXCnQivd6Lqb3Ssdoa4imfAFWMsggf4Rlbo/5Km2mnABYpvC9J4arLReUEr63Ag=
Connection failed.

I have checked the key and that is ok. Any idea?

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,951
Location:: Prague, Czechia

Re: Same issue, don't know what to do

2023-11-30

@ACG: Are you sure you have the same issue? I.e. with accelerated endpoints? Anyway, please attach a full session log file showing the problem (using the latest version of WinSCP).

To generate the session log file, enable logging, log in to your server and do the operation and only the operation that causes the error. Submit the log with your post as an attachment. Note that passwords and passphrases not stored in the log. You may want to remove other data you consider sensitive though, such as host names, IP addresses, account names or file names (unless they are relevant to the problem). If you do not want to post the log publicly, you can mark the attachment as private.

Reply with quote

ACG
Joined:: 2023-11-28
Posts:: 8
Location:: NL

The request signature we calculated does not match the signature you provided. Check your key and si

2023-11-30 12:20

No sorry not using accelerated endpoints but the error is similar. Here the log.

I have already installed AWS CLI and can continue with that but still curious how the get it working in WinSCP.

session.log (13.87 KB)

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,951
Location:: Prague, Czechia

Re: The request signature we calculated does not match the signature you provided. Check your key and si

2023-12-05

The /KPMG should not be in the Host name. It should be in the Remote directory.
The next version will parse the path out of Host name box automatically:
Issue 2219 – Recognize path in Host name box on Login dialog

And what is ic-integrations?

Reply with quote

ACG

2023-12-05 10:18

ic-integration is bucket name, kpmg is bucket subdirectory name. I forgot to hide these probably

I have tried a lot of different variants, also using remote directory, but none of these worked unfortunatly

Reply with quote

martin◆ Site Admin

2023-12-05

@ACG: Ok, in general, do not modify the Host name.
The bucket name goes to the Remote directory.
See https://winscp.net/eng/docs/guide_amazon_s3#buckets

Reply with quote

ACG
Joined:: 2023-11-28
Posts:: 8
Location:: NL

tried but did not succeed

2023-12-06 11:18

Log.

session.log (9.37 KB)

Reply with quote

ACG

Now I use AWS CLI which works

2023-12-06 11:19

Now I use AWS CLI which works

Reply with quote

martin◆ Site Admin

Re: Now I use AWS CLI which works

2023-12-07

Can you post AWS CLI log too?

Reply with quote

ACG
Joined:: 2023-11-28
Posts:: 8
Location:: NL

2023-12-07 09:19

AWS log.

aws.log (31.56 KB)

Reply with quote

martin◆ Site Admin
Joined:: 2002-12-10
Posts:: 41,951
Location:: Prague, Czechia

2023-12-12

Thanks.

The awscli uses eu-central-1 region. That is not the default region. Did you configure it somehow? Wouldn't WinSCP work, if you configure it to use eu-central-1 by default? https://winscp.net/eng/docs/ui_login_s3
The awslog shows only upload. Isn't it possible that you have only upload/write access to the bucket, but not read/listing permissions? Can you do ls in awscli? Can you post log for that?

Reply with quote

ACG
Joined:: 2023-11-28
Posts:: 8
Location:: NL

2023-12-12 17:02

I have set eu-central-1 in the Default region (Advanced Site Settings => S3 => Protocol options => Default region)
ls gives

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

so that might be the issue for doing this with WinSCP

Reply with quote