Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Announcement: S3 default integrity change #9214

Open
RyanFitzSimmonsAK opened this issue Jan 16, 2025 · 16 comments
Open

Announcement: S3 default integrity change #9214

RyanFitzSimmonsAK opened this issue Jan 16, 2025 · 16 comments

Comments

@RyanFitzSimmonsAK
Copy link
Contributor

RyanFitzSimmonsAK commented Jan 16, 2025

In AWS CLI v2.23.0, we released changes to the S3 client that adopts new default integrity protections. For more information on default integrity behavior, please refer to the official SDK documentation. In SDK releases from this version on, clients default to enabling an additional checksum on all Put calls and enabling validation on Get calls.
You can disable default integrity protections for S3. We do not recommend this because checksums are important to S3 integrity posture. Integrity protections can be disabled by setting the config flag to when_required, or by using the related AWS shared config file settings or environment variables.

Disclaimer: The AWS SDKs and CLI are designed for usage with official AWS services. We may introduce and enable new features by default, such as these new default integrity protections prior to them being supported or handled by third-party service implementations. You can disable the new behavior with the WHEN_REQUIRED value for the request_checksum_calculation and response_checksum_validation configuration options covered in Data Integrity Protections for Amazon S3.

@RyanFitzSimmonsAK RyanFitzSimmonsAK added needs-triage This issue or PR still needs to be triaged. source-distribution cli v2 source distritbution related issues announcement and removed needs-triage This issue or PR still needs to be triaged. source-distribution cli v2 source distritbution related issues labels Jan 16, 2025
@RyanFitzSimmonsAK RyanFitzSimmonsAK pinned this issue Jan 16, 2025
@Badb0yBadb0y
Copy link

Not sure is it related but since users started to use 2.23.0 aws, the put operation to s3 ceph storage doesn't work.
upload failed: ./online.txt to s3://bucket/online.txt An error occurred (MissingContentLength) when calling the PutObject operation: Unknown

Config looks like this:

cat /root/.aws/config
[default]
region = data
output = json
response_checksum_validation = when_required

How I try to upload:
/usr/local/bin/aws --endpoint=https://endpoint --no-verify-ssl s3 cp online.txt s3://bucket/

The object is a 4MB object.

Also tried to define --content-length 14, seems like this option skipped.

@stevyn81
Copy link

breaks uploading to backblaze also:

An error occurred (InvalidArgument) when calling the PutObject operation: Unsupported header 'x-amz-sdk-checksum-algorithm' received for this API call.

@phiz71
Copy link

phiz71 commented Jan 16, 2025

Hello. I have also migrated to 2.23.0, and now I have this kind of error when trying to synchronise files

~$ aws s3 sync folder_to_sync s3://custom/ --profile default --endpoint-url https://my-endpoint --acl public-read

upload failed: folder_to_sync/path/to/zip/file.zip to s3://custom/path/to/zip/file.zip argument of type 'NoneType' is not iterable

Did I miss something? Is there a breaking change I'm not aware of?

@DifferentialOrange
Copy link

DifferentialOrange commented Jan 16, 2025

Yeah, my CI is also started to fail with

An error occurred (InvalidArgument) when calling the UploadPart operation: x-amz-content-sha256 must be UNSIGNED-PAYLOAD, STREAMING-AWS4-HMAC-SHA256-PAYLOAD, or a valid sha256 value.

@kayvanaarssen
Copy link

We also have issues on multiple servers and different endpoints.
Errors:

upload failed: .ploi/asset-db-2025-01-16-113817.tar to s3://ploibackups/asset-db-2025-01-16-113817.tar An error occurred (MissingContentLength) when calling the PutObject operation: Unknown
An error occurred (InvalidArgument) when calling the CreateMultipartUpload operation: Unsupported header 'x-amz-checksum-algorithm' received for this API call.

upload failed: .ploi/test55-db-2025-01-16-095732.zip to s3://ploitesting213/test55-db-2025-01-16-095732.zip An error occurred (InvalidRequest) when calling the PutObject operation: The algorithm type you specified in x-amz-checksum- header is invalid.

adding: APPNAME-wp-1737017385.sql (deflated 86%) urllib3/connectionpool.py:1064: InsecureRequestWarning: Unverified HTTPS request is being made to host 's3.eu-central-1.wasabisys.com'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings upload failed: .ploi/APPNAME-wp-db-2025-01-16-094945.zip to s3://web01-prod-CLIENTNAME-nl/web01-CLIENTNAME-db/APPNAME-wp-db-2025-01-16-094945.zip An error occurred (InvalidRequest) when calling the CreateMultipartUpload operation: Checksum algorithm provided is unsupported. Please try again with any of the valid types: [CRC32, CRC32C, SHA1, SHA256]

@Cannonb4ll
Copy link

Cannonb4ll commented Jan 16, 2025

I've debugged this a bit, version 2.23 should work just fine if you use the AWS S3 service, but if you're using your own endpoint/service then the errors described above will happen, for people that absolutely need to get this working as soon as possible and used snap to install it, run the following script as root.

#!/bin/bash
snap remove aws-cli
if [[ $(uname -m) == "x86_64" ]]; then
    snap install aws-cli --classic --revision=1148
else
    snap install aws-cli --classic --revision=1149
fi

snap refresh --hold aws-cli

This forces the version 2.22.35 so you can get moving, it will also disable the automatic refresh of the AWS CLI package. If you want to resume updates later, run: sudo snap refresh --unhold aws-cli

A list of the revisions:

1152 = v2.23.0 (amd64) - Latest version
1151 = v2.23.0 (arm64)
1150 = v1.36.40 (amd64)
1149 = v2.22.35 (arm64) - The version we want for ARM64
1148 = v2.22.35 (amd64) - The version we want for AMD64
1147 = v1.36.39 (arm64)
1146 = v1.36.39 (amd64)

This will get you a bit of time to see how to upgrade and get 2.23 working properly.

@SamRemis
Copy link
Member

If you need to download a specific version of the CLI for any reason, please do so using the official AWS installation instructions which can be found at the links below:

@jonathan343
Copy link
Contributor

For those using third-party service implementations, please see the updated disclaimer above:

Disclaimer: The AWS SDKs and CLI are designed for usage with official AWS services. We may introduce and enable new features by default, such as these new default integrity protections prior to them being supported or handled by third-party service implementations. You can disable the new behavior with the WHEN_REQUIRED value for the request_checksum_calculation and response_checksum_validation configuration options covered in Data Integrity Protections for Amazon S3.

@metadaddy
Copy link

metadaddy commented Jan 17, 2025

Hi @RyanFitzSimmonsAK & @jonathan343 - The request_checksum_calculation and response_checksum_validation configuration options do work correctly with the low-level s3api get_object and put_object CLI operations, but the high-level s3 cp operation does not work with third-party services, even if both request_checksum_calculation and response_checksum_validation are set to WHEN_REQUIRED.

What seems to be happening is that the S3 Transfer Manager ensures that ChecksumAlgorithm is set, either to the user-specified value, or CRC64NVME (see the set_default_checksum_algorithm() function, added just a couple of days ago, here).

Now, in Botocore's resolve_request_checksum_algorithm() function, request_checksum_required evaluates to False, as you might expect, but, since ChecksumAlgorithm is set in the incoming params, if algorithm_member and algorithm_member in params: evaluates to True and the checksum headers are calculated and sent in the request.

The issue seems to be in S3 Transfer Manager - I think that, if request_checksum_calculation is set to WHEN_REQUIRED, it should not set a default ChecksumAlgorithm at all.

@RyanFitzSimmonsAK
Copy link
Contributor Author

Hi @metadaddy, thanks for bringing this to our attention. Our investigation matches what you described. A default value we specified in s3transfer is taking precedence over the “when_required” config and setting a CRC32 default checksum. We’ll work on addressing this issue and provide more updates when we have them. We will use the issue you made in s3transfer (boto/s3transfer#327) to track this.

@metadaddy
Copy link

Thanks for the confirmation, @RyanFitzSimmonsAK. I just submitted a PR with a fix, and tests: boto/s3transfer#328.

spantaleev added a commit to spantaleev/matrix-docker-ansible-deploy that referenced this issue Jan 19, 2025
…torage-provider to prevent issues with non-AWS S3 providers

Fixes #3964

Related to aws/aws-cli#9214
@BlazeIsClone
Copy link

BlazeIsClone commented Jan 20, 2025

Got this error: argument of type 'NoneType' is not iterable. Then downgraded my version, seems to be working as expected now: pip install awscli==1.36.0. (Bucket hosted in Digital Ocean Spaces)

@ssolanki38
Copy link

We are using the AWS CLI to push data to SwiftStack Client. We're using the 3 commands: aws s3api create-multipart-upload, aws s3api upload-part, and aws s3api complete-multipart-upload.

Using AWS CLI version 2.23.1, we're suddenly seeing a previously mentioned error with the upload-part command:

An error occurred (InvalidArgument) when calling the UploadPart operation: x-amz-content-sha256 must be UNSIGNED-PAYLOAD, or a valid sha256 value.

Trying to set the checksum type flags is not working, and i don't see an option to use "when_required" - how can we fix this?

@instadeep-vbr
Copy link

instadeep-vbr commented Jan 22, 2025

Hi @ssolanki38 ,
In order to deactivate this feature, you can set those
environment variables

export AWS_REQUEST_CHECKSUM_CALCULATION=when_required
export AWS_RESPONSE_CHECKSUM_VALIDATION=when_required

@LenzGr
Copy link

LenzGr commented Jan 22, 2025

Hi @ssolanki38 , In order to deactivate this feature, you can set those environment variables

Note: these are the v1 CLI docs.

export AWS_REQUEST_CHECKSUM_CALCULATION=when_required
export AWS_RESPONSE_CHECKSUM_VALIDATION=when_required

The v2 CLI docs about environment variables mention these variables too, but they don't seem to work.

I just tested using aws s3 cp to upload a file to a bucket hosted on Ceph Object Gateway using aws-cli v2.23.2 on macOS. It fails with upload failed: <file> to <bucket> argument of type 'NoneType' is not iterable, even when AWS_REQUEST_CHECKSUM_CALCULATION and AWS_RESPONSE_CHECKSUM_VALIDATION are set to when_required.

@keshavattrey
Copy link

Got this error: argument of type 'NoneType' is not iterable. Then downgraded my version, seems to be working as expected now: pip install awscli==1.36.0. (Bucket hosted in Digital Ocean Spaces)

Hi @BlazeIsClone - just wanted to let you know, as of January 21, DigitalOcean Spaces Object Storage has resolved the AWS CLI/SDK incompatibility issues for the vast majority of Spaces customers.

https://status.digitalocean.com/incidents/zbrpd3j7hrrd

If you're still having issues after you upgrade to the latest AWS CLI/SDK (or if you need us to confirm on our side that your Spaces buckets are no longer affected by this incompatibility), please open a support ticket from within your account, and we'll be happy to help.

Keshav Attrey
Sr. Product Manager, DigitalOcean Spaces

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests