Unable to fetch bundles: S3 returns 501 Not Implemented #5472
Comments
Hi @Hiieu 👋 And thanks for reporting this! I wonder if it could be related to the work that went into AWS v4 signing for the http.send built-in function. While they're obviously different things, I think some work was made to have them share code between them. Either way, we'll look into it.
https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html#ErrorCodeList So maybe comparing headers with before/after is a way to start here
This commit refactors the shared AWS Sig v4 signing code, specifically to prevent the issue behind open-policy-agent#5472. The underlying problem for open-policy-agent#5472 was that the `"Authorization"` header was being appended *twice* to the request, but only for the AWS REST plugin, because the value was pulled twice from the signed headers map. This was not caught by the unit tests, because the REST plugin's unit tests all assumed the header was single-valued and canonicalized. We now explicitly test for that condition in the unit tests, and the signing code now returns the AWS headers map separately from the value for the `"Authorization"` header, reducing the potential for this mistake to happen in the future. Fixes: open-policy-agent#5472 Signed-off-by: Philip Conrad <philipaconrad@gmail.com>
…pen-policy-agent#5475) This commit refactors the shared AWS Sig v4 signing code, specifically to prevent the issue behind open-policy-agent#5472. The underlying problem for was that the `"Authorization"` header was being appended *twice* to the request, but only for the AWS REST plugin, because the value was pulled twice from the signed headers map. This was not caught by the unit tests, because the REST plugin's unit tests all assumed the header was single-valued and canonicalized. We now explicitly test for that condition in the unit tests, and the signing code now returns the AWS headers map separately from the value for the `"Authorization"` header, reducing the potential for this mistake to happen in the future. Fixes: open-policy-agent#5472 Signed-off-by: Philip Conrad <philipaconrad@gmail.com> (cherry picked from commit 1d1cb35)
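The failure mode described in the commit message above, as an added Go example that is not OPA's code: `signedHeaders`, `applyBuggy`, `applyFixed` and `authCount` are hypothetical names, and the header values are constructed placeholders. It shows how pulling `Authorization` from the signed-headers map twice yields a duplicated header, and why a unit test has to count the header's values to catch it.

```go
package main

import (
	"fmt"
	"net/http"
)

// signedHeaders stands in for a SigV4 signer's output (hypothetical helper;
// the values are constructed placeholders, not real signatures).
func signedHeaders() map[string]string {
	return map[string]string{
		"Authorization": "AWS4-HMAC-SHA256 Credential=EXAMPLE/..., Signature=placeholder",
		"X-Amz-Date":    "20221212T000000Z",
	}
}

// applyBuggy copies every signed header, then pulls "Authorization" from the
// same map a second time, so the request carries two Authorization values.
func applyBuggy(req *http.Request) {
	h := signedHeaders()
	for k, v := range h {
		req.Header.Add(k, v)
	}
	req.Header.Add("Authorization", h["Authorization"])
}

// applyFixed keeps the Authorization value apart from the other headers and
// uses Set, which replaces instead of appending.
func applyFixed(req *http.Request) {
	h := signedHeaders()
	auth := h["Authorization"]
	delete(h, "Authorization")
	for k, v := range h {
		req.Header.Set(k, v)
	}
	req.Header.Set("Authorization", auth)
}

// authCount is the check a unit test should make: count the values, because
// Header.Get returns only the first one and would hide a duplicate.
func authCount(apply func(*http.Request)) int {
	req, _ := http.NewRequest(http.MethodGet, "https://bucket.example/bundle.tar.gz", nil)
	apply(req)
	return len(req.Header.Values("Authorization"))
}

func main() {
	fmt.Println("buggy:", authCount(applyBuggy), "fixed:", authCount(applyFixed))
}
```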
Hi there 👋,
I wonder if anyone has a similar issue after upgrading OPA (running on ECS) to `v0.47.0`: the application no longer can fetch bundles from S3.
The S3 service sends back an HTTP 501 code: `501 Not Implemented`
Short description
After upgrading OPA from `v0.46.0` to `v0.47.0` and without changing any configurations, the application cannot fetch bundles from the S3 bucket. We haven't noticed any changes in the GET requests to S3, but for some reason, this error is only returned in v0.47.X. After downgrading the version to 0.46.X OPA is able to fetch bundles without any issues.
Version: v0.47.0
Where OPA is deployed: AWS ECS
OPA config file:
Command:
Steps To Reproduce
Expected behavior
OPA should be able to fetch bundles from S3 buckets without any issues.
Additional context
Logs from Cloudwatch: