Can't access to my aws s3 anymore : SignatureDoesNotMatch

vince3948 · December 9, 2022, 3:40pm

What is the problem you are having with rclone?

Hi, since 2 days, I can't access to my aws bucket s3 anymore. I have an error when I try to access it :

# rclone lsd aws-s3:/ -vv
2022/12/09 16:08:50 DEBUG : rclone: Version "v1.60.1" starting with parameters ["rclone" "lsd" "aws-s3:/" "-vv"]
2022/12/09 16:08:50 DEBUG : Creating backend with remote "aws-s3:/"
2022/12/09 16:08:50 DEBUG : Using config file from "/root/.config/rclone/rclone.conf"
2022/12/09 16:08:50 DEBUG : fs cache: renaming cache item "aws-s3:/" to be canonical "aws-s3:"
2022/12/09 16:08:50 ERROR : : error listing: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
    status code: 403, request id: XXXXX, host id: XXXXXXX=
2022/12/09 16:08:50 DEBUG : 4 go routines active
2022/12/09 16:08:50 Failed to lsd with 2 errors: last error was: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
    status code: 403, request id: XXXXXXXXXXXX, host id: XXXXXXXX=
Can't access to aws s3 anymore : SignatureDoesNotMatch


# My credentials are OK, it works with "aws" cli, when I fake it in my rclone conf I have this error : 
ERROR : : error listing: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records.

#And I tried too with v2-auth = true , this error : 
ERROR : : error listing: InvalidRequest: The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.

Run the command 'rclone version' and share the full output of the command.

# rclone version
rclone v1.60.1
- os/version: centos 7.9.2009 (64 bit)
- os/kernel: 5.4.203-1-pve (x86_64)
- os/type: linux
- os/arch: amd64
- go/version: go1.19.3
- go/linking: static
- go/tags: none

Which cloud storage system are you using? (eg Google Drive)

Amazon s3

The command you were trying to run (eg `rclone copy /tmp remote:tmp`)

rclone lsd aws-s3:/ -vv

The rclone config contents with secrets removed.

[backup-aws]
type = s3
provider = AWS
access_key_id = xxxxxxxxxxxxxxx
secret_access_key = xxxxxxxxxxxx
session_token = xxxxxxxxxxxxxxx
region = eu-west-3
location_constraint = eu-west-3
acl = private

A log from the command with the `-vv` flag

2022/12/09 16:13:47 DEBUG : rclone: Version "v1.60.1" starting with parameters ["rclone" "lsd" "backup-aws:/" "-vv"]
2022/12/09 16:13:47 DEBUG : Creating backend with remote "backup-aws:/"
2022/12/09 16:13:47 DEBUG : Using config file from "/root/.config/rclone/rclone.conf"
2022/12/09 16:13:47 DEBUG : fs cache: renaming cache item "backup-aws:/" to be canonical "backup-aws:"
2022/12/09 16:13:47 ERROR : : error listing: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
    status code: 403, request id: XXXXXXXXXX, host id: XXXXXXXXXX=
2022/12/09 16:13:47 DEBUG : 4 go routines active
2022/12/09 16:13:47 Failed to lsd with 2 errors: last error was: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
    status code: 403, request id: XXXXXXXXXX, host id: XXXXXXXXXX=

asdffdsa · December 9, 2022, 4:10pm

hi,

what do you mean, fake it?
how are you dealing with the session token with rclone?
could be that the error listing: InvalidAccessKeyId is from the session token, not from the rclone config value.

did you recently update rclone, does an older version of rclone work?

could try https://rclone.org/s3/#authentication
rclone can use the profile from aws cli

use a named profile:

    Profile files are standard files used by AWS CLI tools
    By default it will use the profile in your home directory (e.g. ~/.aws/credentials on unix based systems) file and the "default" profile, to change set these environment variables:
        AWS_SHARED_CREDENTIALS_FILE to control which file.
        AWS_PROFILE to control which profile to use.

vince3948 · December 9, 2022, 10:16pm

I mean put fake key ID or access ID to see if the error become of my credentials or not, and this is not a case, my credentials are valid.

I make an aws assume role before and get the token to put it in rclone conf :

aws sts assume-role --role-arn "arn:aws:iam::$arn" --role-session-name AWSCLI-Session --duration-second $tokenDuration)

It works like a charm since severals months but since 2 days it's KO.

I don't update rclone since the initial setup few months ago, i think it was in v1.5x a thing like that, I try today to update in 1.60.1 to see if the error disapear but there is the same.

I try also with the rclone beta version but same error.

I suspect an update on the AWS side ( signature methode or something like that ?) since 2 days which makes connecting to an AWS s3 with rclone impossible.

Regards
vince

vince3948 · December 12, 2022, 9:20am

Hi,
I try also to update my aws cli and same error with rclone, I remind it works with the aws cli but not with rclone.

# aws --version
aws-cli/2.9.6 Python/3.9.11 Linux/5.4.203-1-pve exe/x86_64.centos.7 prompt/off

# rclone lsd aws-s3:backup-dir -vvv
2022/12/12 10:20:26 DEBUG : rclone: Version "v1.60.1" starting with parameters ["rclone" "lsd" "aws-s3:backup-dir" "-vvv"]
2022/12/12 10:20:26 DEBUG : Creating backend with remote "aws-s3:backup-dir"
2022/12/12 10:20:26 DEBUG : Using config file from "/root/.config/rclone/rclone.conf"
2022/12/12 10:20:27 ERROR : : error listing: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
	status code: 403, request id: XXXXXXXX, host id: XXXXXX==
2022/12/12 10:20:27 DEBUG : 4 go routines active
2022/12/12 10:20:27 Failed to lsd with 2 errors: last error was: SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
	status code: 403, request id: XXXXXXXX, host id: XXXXXX==

asdffdsa · December 12, 2022, 2:00pm

so far, not seeing AWS issues.

[aws]
type = s3
provider = AWS
session_token = redacted
sse_customer_algorithm = AES256
sse_customer_key = redacted
access_key_id = redacted
secret_access_key = redacted
endpoint = s3.us-east-1.amazonaws.com

rclone lsd aws:en.keepass
   0 2022-12-12 08:53:18        -1 Plugins
   0 2022-12-12 08:53:18        -1 XSL
   0 2022-12-12 08:53:18        -1 database
   0 2022-12-12 08:53:18        -1 key
   0 2022-12-12 08:53:18        -1 scripts

asdffdsa · December 12, 2022, 4:05pm

i think, i can replicate you issue.

choose an existing valid access_key_id but not the key associated with the the session token
and then i get the same error.

An error occurred (SignatureDoesNotMatch). The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method

vince3948 · December 13, 2022, 8:27am

Hi, thank you, you put me on the track, it was that, my secret_access_key is finally wrong, my sed in my script don't do the search/remplace correctly for the secret_access_key.
It's OK now, have a nice day.

asdffdsa · December 13, 2022, 8:15pm

yes, have a nice day

system · December 16, 2022, 8:16pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.