MissingRegion on S3 GetObject in v1.25.18 #2909

Closed
jrefior opened this issue Oct 24, 2019 · 10 comments · Fixed by #2911 or #2916
Labels
bug This issue is a bug.


jrefior commented Oct 24, 2019

Version of AWS SDK for Go?

v1.25.18

Version of Go (go version)?

go version go1.13.3 darwin/amd64

What issue did you see?

Failed to get file: MissingRegion: could not find region configuration

Steps to reproduce

    creds := stscreds.NewCredentials(session.Must(session.NewSession()), arn)
    cfg := aws.NewConfig().WithCredentials(creds).WithRegion(`us-east-1`)
    client := s3.New(sess, cfg)
    input := &s3.GetObjectInput{
        Bucket: aws.String(getBucketForEnv(env)),
        Key:    aws.String(getFileNameForEnv(env)),
    }
    output, err := client.GetObject(input)
    if err != nil {
        return nil, fmt.Errorf("Failed to get file: %s", err)
    }

This works in release v1.25.17, but not in v1.25.18. How do we adjust our code for the new release?


jasonmf commented Oct 24, 2019

I get this same issue using STS to make IAM calls.

As an additional data point, some services (like Hashicorp Vault) use signed but unsubmitted GetCallerIdentity calls as an authentication mechanism. This client code no longer works but worked fine with v1.25.17:

        stsReq, _ := sts.New(p.session).GetCallerIdentityRequest(nil)
        stsReq.Sign()
        headersJson, err := json.Marshal(stsReq.HTTPRequest.Header)
        if err != nil {
                return nil, time.Time{}, errors.Wrap(err, "marshalling STS request header")
        }
        reqBody, err := ioutil.ReadAll(stsReq.HTTPRequest.Body)
        if err != nil {
                return nil, time.Time{}, errors.Wrap(err, "reading sts request body")
        }
        log.Printf("REQBODY: %s", string(reqBody))

reqBody is now empty.

Best guess: a breaking change to the SDK API was made and tagged as a minor revision.

jasonmf pushed a commit to jasonmf/revault that referenced this issue Oct 24, 2019
jasdel added the bug label Oct 24, 2019
Contributor

jasdel commented Oct 24, 2019

Thanks for letting us know about this issue. Could you provide more information about how the passed-in Session is configured? In addition, what region is the STS client being configured for?

Contributor

jasdel commented Oct 24, 2019

@AgentZombie What error is being returned from the stsReq.Sign() method call?

Contributor

jasdel commented Oct 24, 2019

I think we have an idea what is going on here; the following example easily reproduces the behavior change.

	client := sts.New(session.Must(session.NewSession()))

	req, _ := client.GetCallerIdentityRequest(nil)
	err := req.Sign()
	fmt.Println("err", err)

On v1.25.17 Sign has no error, but fails with missing region on v1.25.18.

Contributor

jasdel commented Oct 24, 2019

The issue occurring prior to v1.25.18 is that the SDK was incorrectly allowing no region to be specified for the STS client. The SDK is supposed to require a region for all clients, but STS was escaping that validation due to a bug in how the SDK resolved the service's modeled endpoints.

The behavior prior to v1.25.18 is definitely a bug in the SDK's endpoint resolver incorrectly resolving the global sts.amazonaws.com region instead of producing an error when no region was configured. From what I can determine STS was the only client that could be created without validation catching that no region was specified.

The best workaround for this issue without reverting to v1.25.17 is to specify the region for the STS client. We're investigating how best to cover the case where STS was usable without a region, even though one should have been required.


jasonmf commented Oct 24, 2019

I wasn't catching the Sign error! I am now: MissingRegion: could not find region configuration

My session being passed in:

    sess, err := awsiam.EnvironmentSession()
    fatalIfError(err, "getting AWS session from environment")

where:

    func EnvironmentSession() (*session.Session, error) {
            creds := credentials.NewChainCredentials(
                    []credentials.Provider{
                            &credentials.EnvProvider{},
                            &ec2rolecreds.EC2RoleProvider{
                                    Client: ec2metadata.New(session.Must(session.NewSession())),
                            },
                    },
            )
            sess, err := session.NewSessionWithOptions(session.Options{
                    Config: aws.Config{Credentials: creds},
            })
            if err != nil {
                    return nil, errors.Wrap(err, "creating STS session")
            }
            return sess, nil
    }

Author

jrefior commented Oct 24, 2019

Thanks, our code is now working in v1.25.18 and v1.25.19 with this change:

-       creds := stscreds.NewCredentials(session.Must(session.NewSession()), arn)
+       creds := stscreds.NewCredentials(session.Must(session.NewSession(&aws.Config{
+               Region: aws.String(region),
+       })), arn)
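
Review bot: `region` in the added `Region: aws.String(region)` line is not defined in the visible lines, and nothing here checks that it is non-empty, so an empty value would rebuild the STS credentials session without a region and bring back the same MissingRegion error this change works around. Validate `region` before building the session and return an error instead of letting `session.Must` or the later sign step surface it, and consider deriving it from the same value the S3 client config passes to `WithRegion` so the two cannot drift apart.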


jasonmf commented Oct 24, 2019

Can confirm my issue is resolved using v1.25.18 with:

    sess, err := awsiam.EnvironmentSession()
    fatalIfError(err, "getting AWS session from environment")
    sess.Config.Region = aws.String("us-west-2")

Contributor

jasdel commented Oct 24, 2019

Thanks for the update. This exposed a behavior bug in the SDK's resolving of endpoints for multiple services. Specifically, the SDK will attempt to resolve "global" AWS services without a region also being specified. We're investigating the best way to resolve this issue.

jasdel added a commit to jasdel/aws-sdk-go that referenced this issue Oct 25, 2019
Fixes the SDK's behavior when attempting to resolve a service's endpoint
when no region was provided. Adds legacy support for services that were
able to resolve a valid endpoint. No new service will support resolving
an endpoint without a region.

Fixes aws#2909
jasdel added a commit that referenced this issue Oct 25, 2019
Fixes #2909
Contributor

jasdel commented Oct 25, 2019

Thanks for reporting this issue. I've merged in #2911 fixing the SDK's behavior with regard to empty region when resolving service endpoints. This change preserved the SDK's behavior for clients that successfully returned an endpoint even though no region was provided. For all other services, a more useful error message is logged.

This change will be included in the SDK's next tagged release.
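
The behavior this thread settles on (an empty region is an error, except for services on a legacy list that already resolved a global endpoint), sketched as a simplified stand-alone model. This is an added example, not the SDK's code: the `service` type, the `model` data, the `legacyEmptyRegion` list and `Resolve` are constructed for illustration, and only the error text and `sts.amazonaws.com` come from the thread.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrMissingRegion carries the error text quoted in the issue.
var ErrMissingRegion = errors.New("MissingRegion: could not find region configuration")

// service is a simplified endpoint model, not the SDK's type.
type service struct {
	global   string
	regional map[string]string
}

// model holds constructed sample data for two services.
var model = map[string]service{
	"sts": {global: "sts.amazonaws.com", regional: map[string]string{"us-west-2": "sts.us-west-2.amazonaws.com"}},
	"s3":  {regional: map[string]string{"us-east-1": "s3.us-east-1.amazonaws.com"}},
}

// legacyEmptyRegion is an assumed allowlist; only STS is named in the thread.
var legacyEmptyRegion = map[string]bool{"sts": true}

// Resolve fails closed on an empty region unless the service is on the legacy
// list and has a global endpoint to fall back to.
func Resolve(name, region string) (string, error) {
	svc, ok := model[name]
	if !ok {
		return "", fmt.Errorf("unknown service %q", name)
	}
	if region == "" {
		if legacyEmptyRegion[name] && svc.global != "" {
			return svc.global, nil
		}
		return "", fmt.Errorf("%w: service %q needs an explicit region", ErrMissingRegion, name)
	}
	host, ok := svc.regional[region]
	if !ok {
		return "", fmt.Errorf("service %q has no endpoint in region %q", name, region)
	}
	return host, nil
}

func main() {
	fmt.Println(Resolve("sts", "")) // legacy service: global endpoint, nil error
	fmt.Println(Resolve("s3", ""))  // any other service: MissingRegion
}
```

Callers can test for the condition with `errors.Is(err, ErrMissingRegion)` and treat it as a configuration failure rather than retrying.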

aws-sdk-go-automation added a commit that referenced this issue Oct 28, 2019
Release v1.25.20 (2019-10-28)
===

### Service Client Updates
* `service/ecr`: Updates service API, documentation, and paginators
  * This release of Amazon Elastic Container Registry Service (Amazon ECR) introduces support for image scanning. This identifies the software vulnerabilities in the container image based on the Common Vulnerabilities and Exposures (CVE) database.
* `service/elasticache`: Updates service API and documentation
  * Amazon ElastiCache adds support for migrating Redis workloads hosted on Amazon EC2 into ElastiCache by syncing the data between the source Redis cluster and target ElastiCache for Redis cluster in real time. For more information, see https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/migrate-to-elasticache.html.
* `service/transfer`: Updates service API and documentation
  * This release adds logical directories support to your AWS SFTP server endpoint, so you can now create logical directory structures mapped to Amazon Simple Storage Service (Amazon S3) bucket paths for users created and stored within the service. Amazon S3 bucket names and paths can now be hidden from AWS SFTP users, providing an additional level of privacy to meet security requirements. You can lock down your SFTP users' access to designated folders (commonly referred to as 'chroot'), and simplify complex folder structures for data distribution through SFTP without replicating files across multiple users.

### SDK Enhancements
* `aws/client`: Add PartitionID to Config ([#2902](#2902))
* `aws/client/metadata`: Add PartitionID to ClientInfo ([#2902](#2902))
* `aws/endpoints`: Add PartitionID to ResolvedEndpoint ([#2902](#2902))

### SDK Bugs
* `aws/endpoints`: Fix resolve endpoint with empty region ([#2911](#2911))
  * Fixes the SDK's behavior when attempting to resolve a service's endpoint when no region was provided. Adds legacy support for services that were able to resolve a valid endpoint. No new service will support resolving an endpoint without a region.
  * Fixes [#2909](#2909)
skotambkar added a commit to aws/aws-sdk-go-v2 that referenced this issue Dec 12, 2019
* Release v0.18.0 (2019-12-12)
===

Services
---
* Synced the V2 SDK with latest AWS service API definitions.

SDK Bugs
---
* `aws/endpoints`: aws/endpoints: Fix SDK resolving endpoint without region ([#420](#420))
  * Fixes the SDK's endpoint resolve incorrectly resolving endpoints for a service when the region is empty. Also fixes the SDK attempting to resolve a service when the service value is empty.
  * Related to [aws/aws-sdk-go#2909](aws/aws-sdk-go#2909)