is the code using S3 support V4 signature #876

Closed
1 task done
abbform opened this issue Oct 16, 2019 · 18 comments · Fixed by #1157
abbform commented Oct 16, 2019

My question:

I tried to use S3 provided by AWS and found that wire-server uses the V2 signature, while the S3 service we got only supports the V4 signature.

Is there anything I could do to bypass the problem, or are there some fixes? Will the newer version of wire support the V4 signature?

Contributor

haskell-monad commented Feb 7, 2020

I have successfully debugged the v4 signature.


maybeTomorrow commented May 29, 2020

I got this error from cargohold: s3ErrorCode = "InvalidRequest", s3ErrorMessage = "The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256."


kvaps commented May 30, 2020

Hi, I also faced this problem; more details in #1123.
How can I switch cargohold to using the V4 signature?


kvaps commented May 30, 2020

s3SignVersion = S3SignV4 was introduced in aristidb/aws@fdfbb27

@maybeTomorrow

cargohold packages.yaml - aws >=0.18, change it to >=0.19


kvaps commented Jun 2, 2020

@maybeTomorrow, no way, it is still not working:

diff --git a/services/cargohold/package.yaml b/services/cargohold/package.yaml
index 3f4ffe45..ac5731f5 100644
--- a/services/cargohold/package.yaml
+++ b/services/cargohold/package.yaml
@@ -38,7 +38,7 @@ library:
   - base >=4 && <5
   - attoparsec >=0.12
   - auto-update >=0.1.4
-  - aws >=0.18
+  - aws >=0.19
   - byteable >=0.1
   - base16-bytestring >=0.1
   - cargohold-types >=0.5
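
Review bot: the changed `aws >=0.19` line only raises the lower bound and still leaves the dependency without an upper bound, so on its own it does not alter how any request is signed. Say in the commit message which 0.19 feature the bound is needed for, and ship it together with the code change that actually selects V4 signing.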

logs:

1:E,7:request,1:=,32:947426644c7e22983e53351d1ceeda30,497:S3Error {s3StatusCode = Status {statusCode = 400, statusMessage = "Bad Request"}, s3ErrorCode = "InvalidRequest", s3ErrorMessage = "The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.", s3ErrorResource = Nothing, s3ErrorHostId = Just "HtCiBgGAB80ghG7kGJhuJupx23blqb8W2g/gfmFJs02rZrX8siylcL5luUWMEiy+o4gQEwSXE9g=", s3ErrorAccessKeyId = Nothing, s3ErrorStringToSign = Nothing, s3ErrorBucket = Nothing, s3ErrorEndpointRaw = Nothing, s3ErrorEndpoint = Nothing},
1:E,7:request,1:=,32:947426644c7e22983e53351d1ceeda30,378:Error {code = Status {statusCode = 500, statusMessage = "Internal Server Error"}, label = "server-error", message = "\US\65533\b\NUL\NUL\NUL\NUL\NUL\EOT\ETX\65533VJ\65533OIU\65533\&250\65533Q\65533M-.NL\a\65533\65533\65533S\65533\65533R\65533\DC4\\\65533\65533\65533\65533\65533\65533t\65533r\DC2\65533Rs\65533\65533\65533`q\65533T\65533\65533R-\NULv,\65533\65533=\NUL\NUL\NUL"},

Contributor

mheinzel commented Jun 2, 2020

Hi, thanks for opening an issue.

If you are using our stack.yaml, it should already use an aws version based on 0.20.

However, our code in Cargohold doesn't make use of the v4 signature, which can be seen in CargoHold/App.hs.

We still use Aws.s3, not Aws.s3v4.

As far as I know we already use V4 signatures in the other services and I think this is something we can change here, too. We just have to do some testing against both S3 and Minio. I'll look into it!


kvaps commented Jun 3, 2020

Thanks, I just tried to recompile wire-server with:

diff --git a/services/cargohold/package.yaml b/services/cargohold/package.yaml
index 3f4ffe45..ac5731f5 100644
--- a/services/cargohold/package.yaml
+++ b/services/cargohold/package.yaml
@@ -38,7 +38,7 @@ library:
   - base >=4 && <5
   - attoparsec >=0.12
   - auto-update >=0.1.4
-  - aws >=0.18
+  - aws >=0.19
   - byteable >=0.1
   - base16-bytestring >=0.1
   - cargohold-types >=0.5
diff --git a/services/cargohold/src/CargoHold/App.hs b/services/cargohold/src/CargoHold/App.hs
index 9745abf0..397c5597 100644
--- a/services/cargohold/src/CargoHold/App.hs
+++ b/services/cargohold/src/CargoHold/App.hs
@@ -129,7 +129,8 @@ endpointToConfig :: AWSEndpoint -> Aws.S3Configuration qt
 endpointToConfig (AWSEndpoint host secure port) =
   (Aws.s3 (toProtocol secure) host False)
     { Aws.s3Port = port,
-      Aws.s3RequestStyle = Aws.PathStyle
+      Aws.s3RequestStyle = Aws.PathStyle,
+      Aws.s3SignVersion = Aws.S3SignV4 { _s3SignPayloadMode = Aws.SignWithEffort }
     }
   where
     toProtocol :: Bool -> Aws.Protocol
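
Review bot: on the added `Aws.s3SignVersion = Aws.S3SignV4 { _s3SignPayloadMode = Aws.SignWithEffort }` line, the field name is written unqualified while every other name in the hunk carries the `Aws.` prefix. Write `Aws._s3SignPayloadMode` so the line does not depend on how the module is imported or on record-field disambiguation, and add a short comment saying why `SignWithEffort` is the intended payload mode.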

But now I see "There were headers present in the request which were not signed" errors:

1:E,7:request,1:=,32:b77e6d532db9204c07f897716908ad6c,378:Error {code = Status {statusCode = 500, statusMessage = "Internal Server Error"}, label = "server-error", message = "\US\65533\b\NUL\NUL\NUL\NUL\NUL\EOT\ETX\65533VJ\65533OIU\65533\&250\65533Q\65533M-.NL\a\65533\65533\65533S\65533\65533R\65533\DC4\\\65533\65533\65533\65533\65533\65533t\65533r\DC2\65533Rs\65533\65533\65533`q\65533T\65533\65533R-\NULv,\65533\65533=\NUL\NUL\NUL"},
1:E,7:request,1:=,32:82e45da81482eeb7d3f4457804bb5216,464:S3Error {s3StatusCode = Status {statusCode = 403, statusMessage = "Forbidden"}, s3ErrorCode = "AccessDenied", s3ErrorMessage = "There were headers present in the request which were not signed", s3ErrorResource = Nothing, s3ErrorHostId = Just "Q4fnymYT+wDHoVyXWaOupOSVdHa9es/Sd8tpQ55p1kSDKheT+q7putVFBuiIumHiIpZVDpNcVy4=", s3ErrorAccessKeyId = Nothing, s3ErrorStringToSign = Nothing, s3ErrorBucket = Nothing, s3ErrorEndpointRaw = Nothing, s3ErrorEndpoint = Nothing},
1:E,7:request,1:=,32:82e45da81482eeb7d3f4457804bb5216,378:Error {code = Status {statusCode = 500, statusMessage = "Internal Server Error"}, label = "server-error", message = "\US\65533\b\NUL\NUL\NUL\NUL\NUL\EOT\ETX\65533VJ\65533OIU\65533\&250\65533Q\65533M-.NL\a\65533\65533\65533S\65533\65533R\65533\DC4\\\65533\65533\65533\65533\65533\65533t\65533r\DC2\65533Rs\65533\65533\65533`q\65533T\65533\65533R-\NULv,\65533\65533=\NUL\NUL\NUL"},

@maybeTomorrow

Original Plan – Support for SigV2 ends on June 24, 2019.

Revised Plan – Any new buckets created after June 24, 2020 will not support SigV2 signed requests, although existing buckets will continue to support SigV2 while we work with customers to move off this older request signing method.

I think we should update to v4 @mheinzel

Contributor

mheinzel commented Jun 3, 2020

Thanks @maybeTomorrow, we bumped the priority of this to get it done in time.

@kvaps, this issue seems related, we'll investigate.

@maybeTomorrow

endpointToConfig (AWSEndpoint host secure port) =
  (Aws.s3v4 (toProtocol secure) host False Aws.SignWithEffort)
    { Aws.s3Port = port,
      Aws.s3RequestStyle = Aws.PathStyle
    }
@kvaps


kvaps commented Jun 4, 2020

@maybeTomorrow I was able to rebuild cargohold to make uploads work, but downloads still don't:

image

cargohold logs are clean

nginz log:

10.0.5.11 - "04/Jun/2020:09:54:19 +0000" "GET /assets/v3/3-2-ef09b148-76ec-4db2-b8bd-14ce7d1f420c?access_token=****&asset_token=hAG7Fmvz02jDllnUMjJ0CQ%3D%3D&forceCaching=true HTTP/1.1" 302 31 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 10.0.5.11 119908 0.038 0.040 - 13502043-5080-4800-a378-aa6b5b17f294 11787582289540645867 08da5a49ae9d223bcd17219fc0179b07 
10.0.5.11 - "04/Jun/2020:09:57:20 +0000" "GET /assets/v3/3-2-ef09b148-76ec-4db2-b8bd-14ce7d1f420c?access_token=****&asset_token=hAG7Fmvz02jDllnUMjJ0CQ%3D%3D&forceCaching=true HTTP/1.1" 302 31 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36" 10.0.5.11 119968 0.032 0.032 - 13502043-5080-4800-a378-aa6b5b17f294 11787582289540645867 a2443d9c6cd37d632a002cdfd00ae34f 

response:

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>AKIARVXF5BFS6KZEMRFD</AWSAccessKeyId><StringToSign>AWS4-HMAC-SHA256
20200604T095720Z
20200604/eu-central-1/s3/aws4_request
9d4c2ada616a21c82f7bc26689fc52ac2b8b40883b35d4a0df08c432622ed3f8</StringToSign><SignatureProvided>21f7235bc8cae2f06825d095deff9b11f34fc709a6b783bd1ce84478694f2ae0</SignatureProvided><StringToSignBytes>41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 30 30 36 30 34 54 30 39 35 37 32 30 5a 0a 32 30 32 30 30 36 30 34 2f 65 75 2d 63 65 6e 74 72 61 6c 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 39 64 34 63 32 61 64 61 36 31 36 61 32 31 63 38 32 66 37 62 63 32 36 36 38 39 66 63 35 32 61 63 32 62 38 62 34 30 38 38 33 62 33 35 64 34 61 30 64 66 30 38 63 34 33 32 36 32 32 65 64 33 66 38</StringToSignBytes><CanonicalRequest>GET
/omegaim-test/v3/persistent/ef09b148-76ec-4db2-b8bd-14ce7d1f420c
X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=AKIARVXF5BFS6KZEMRFD%2F20200604%2Feu-central-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20200604T095720Z&amp;X-Amz-Expires=300&amp;X-Amz-SignedHeaders=host%3Bx-amz-content-sha256%3Bx-amz-date
host:s3.eu-central-1.amazonaws.com
x-amz-content-sha256:
x-amz-date:

host;x-amz-content-sha256;x-amz-date
UNSIGNED-PAYLOAD</CanonicalRequest><CanonicalRequestBytes>47 45 54 0a 2f 6f 6d 65 67 61 69 6d 2d 74 65 73 74 2f 76 33 2f 70 65 72 73 69 73 74 65 6e 74 2f 65 66 30 39 62 31 34 38 2d 37 36 65 63 2d 34 64 62 32 2d 62 38 62 64 2d 31 34 63 65 37 64 31 66 34 32 30 63 0a 58 2d 41 6d 7a 2d 41 6c 67 6f 72 69 74 68 6d 3d 41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 26 58 2d 41 6d 7a 2d 43 72 65 64 65 6e 74 69 61 6c 3d 41 4b 49 41 52 56 58 46 35 42 46 53 36 4b 5a 45 4d 52 46 44 25 32 46 32 30 32 30 30 36 30 34 25 32 46 65 75 2d 63 65 6e 74 72 61 6c 2d 31 25 32 46 73 33 25 32 46 61 77 73 34 5f 72 65 71 75 65 73 74 26 58 2d 41 6d 7a 2d 44 61 74 65 3d 32 30 32 30 30 36 30 34 54 30 39 35 37 32 30 5a 26 58 2d 41 6d 7a 2d 45 78 70 69 72 65 73 3d 33 30 30 26 58 2d 41 6d 7a 2d 53 69 67 6e 65 64 48 65 61 64 65 72 73 3d 68 6f 73 74 25 33 42 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 25 33 42 78 2d 61 6d 7a 2d 64 61 74 65 0a 68 6f 73 74 3a 73 33 2e 65 75 2d 63 65 6e 74 72 61 6c 2d 31 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 0a 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3a 0a 78 2d 61 6d 7a 2d 64 61 74 65 3a 0a 0a 68 6f 73 74 3b 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3b 78 2d 61 6d 7a 2d 64 61 74 65 0a 55 4e 53 49 47 4e 45 44 2d 50 41 59 4c 4f 41 44</CanonicalRequestBytes><RequestId>227AC48D01B45631</RequestId><HostId>fYKmauvsU6gQzD7fWZmHu6Sfye7me3izRYolR2Qr9Jn/Mpn6QmQv5fyL3yGei3LCl26m5KMuwwo=</HostId></Error>

my modifications:

diff --git a/services/cargohold/package.yaml b/services/cargohold/package.yaml
index 3f4ffe45..ac5731f5 100644
--- a/services/cargohold/package.yaml
+++ b/services/cargohold/package.yaml
@@ -38,7 +38,7 @@ library:
   - base >=4 && <5
   - attoparsec >=0.12
   - auto-update >=0.1.4
-  - aws >=0.18
+  - aws >=0.19
   - byteable >=0.1
   - base16-bytestring >=0.1
   - cargohold-types >=0.5
diff --git a/services/cargohold/src/CargoHold/App.hs b/services/cargohold/src/CargoHold/App.hs
index 9745abf0..8a5b84d8 100644
--- a/services/cargohold/src/CargoHold/App.hs
+++ b/services/cargohold/src/CargoHold/App.hs
@@ -127,7 +127,7 @@ initAws o l m = do
 
 endpointToConfig :: AWSEndpoint -> Aws.S3Configuration qt
 endpointToConfig (AWSEndpoint host secure port) =
-  (Aws.s3 (toProtocol secure) host False)
+  (Aws.s3v4 (toProtocol secure) host False Aws.SignWithEffort)
     { Aws.s3Port = port,
       Aws.s3RequestStyle = Aws.PathStyle
     }
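
Review bot: `Aws.SignWithEffort` is hard-coded as the new last argument of `Aws.s3v4` on the added line, and the unchanged `Aws.s3RequestStyle = Aws.PathStyle` field is carried over without comment. Add a comment stating which payload-signing behaviour is intended for every endpoint this function configures, and confirm that path-style addressing is still wanted together with the V4 configuration.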
diff --git a/services/cargohold/src/CargoHold/S3.hs b/services/cargohold/src/CargoHold/S3.hs
index bdbcba4c..a2a27306 100644
--- a/services/cargohold/src/CargoHold/S3.hs
+++ b/services/cargohold/src/CargoHold/S3.hs
@@ -111,7 +111,7 @@ uploadV3 ::
   Maybe V3.AssetToken ->
   ConduitM () ByteString IO () ->
   ExceptT Error App ()
-uploadV3 prc (s3Key . mkKey -> key) (V3.AssetHeaders ct cl md5) tok src = do
+uploadV3 prc (s3Key . mkKey -> key) (V3.AssetHeaders ct cl _) tok src = do
   Log.debug $
     "remote" .= val "S3"
       ~~ "asset.owner" .= toByteString prc
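
Review bot: replacing `md5` with `_` in the `V3.AssetHeaders ct cl _` pattern silently discards the digest the caller supplied with the asset headers. If dropping it is intentional, say why in a comment at this pattern; otherwise keep the binding so the digest can still be checked.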
@@ -123,7 +123,7 @@ uploadV3 prc (s3Key . mkKey -> key) (V3.AssetHeaders ct cl md5) tok src = do
   let body = requestBodySource (fromIntegral cl) src
   void . tryS3 . exec $
     (putObject b key body)
-      { poContentMD5 = Just md5,
+      { poContentMD5 = Nothing,
         poContentType = Just (encodeMIMEType ct),
         poExpect100Continue = True,
         poMetadata =
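
Review bot: `poContentMD5 = Nothing` takes the digest out of the `putObject` request while `body` is still a streamed `requestBodySource`, so nothing in this hunk lets the store check the uploaded bytes against a digest any more. Keep `Just md5` if the request can carry it, or note in the commit why it had to go and what replaces the integrity check.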


maybeTomorrow commented Jun 5, 2020

I tested some demo code and successfully uploaded a file.
Just creds <- Aws.loadCredentialsFromEnv
let cfg = Aws.Configuration Aws.Timestamp creds (Aws.defaultLog Aws.Debug) Nothing

let s3cfg = S3.s3v4 Aws.HTTPS (TE.encodeUtf8 (T.pack "s3.ap-east-1.amazonaws.com") ) False S3.SignWithEffort

{- Set up a ResourceT region with an available HTTP manager. -}
mgr <- newManager tlsManagerSettings
runResourceT $ do
  let file ="etst.jpg"
  -- streams large file content, without buffering more than 10k in memory
  let streamer sink = withFile file ReadMode $ \h -> sink $ S.hGet h 10240
  b <- liftIO $ L.readFile file
  size <- liftIO $ (fromIntegral . fileSize <$> getFileStatus file :: IO Integer)
  let body = RequestBodyStream (fromInteger size) streamer
  rsp <- Aws.pureAws cfg s3cfg mgr $
      (S3.putObject (T.pack "wirebu") (T.pack file) body)
      { 
          S3.poMetadata =
          [ (T.pack "mediatype",  T.pack "texts")
          , (T.pack "meta-description", T.pack "test Internet Archive item made via haskell aws library")
          ]
      -- Automatically creates bucket on IA if it does not exist,
      -- and uses the above metadata as the bucket's metadata.
      , S3.poAutoMakeBucket = True
      }
  liftIO $ print rsp


maybeTomorrow commented Jun 5, 2020

@kvaps comment out this line:
-- Aws.s3RequestStyle = Aws.PathStyle
and I got success: Status {statusCode = 200, statusMessage = "OK"}

But the link to get the image doesn't work. It returns SignatureDoesNotMatch;
we need to change getObject to v4 sign!

@maybeTomorrow

aristidb/aws#262

@maybeTomorrow

signedURL path = do
  e <- view aws
  b <- s3Bucket <$> view aws
  cfg' <- liftIO $ Aws.getConfig (awsEnv e)
  ttl <- view (settings . setDownloadLinkTTL)
  let cfg = cfg' {Aws.timeInfo = Aws.ExpiresIn (fromIntegral ttl)}
  uri <-
    liftIO $ Aws.awsUri cfg (s3UriOnly e){s3UseUri=True} $ -- add this
      getObject b (Text.decodeLatin1 $ toByteString' path)
  return =<< toUri uri
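
The `SignatureDoesNotMatch` response earlier in the thread shows a canonical request whose `X-Amz-SignedHeaders` lists `host;x-amz-content-sha256;x-amz-date` while the last two headers have empty values. The following added example (not code from wire-server or the aws package) models that in Python: it presigns a GET twice and checks each URL against a request that carries only `Host`. The secret, access key, bucket and object path are constructed placeholders, `verify` is a simplified stand-in for the service side, and the header values the signer used are an assumption.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values; host, region and timestamp mirror the response in the thread.
SECRET, ACCESS_KEY = "EXAMPLE-SECRET", "AKIAEXAMPLEEXAMPLE00"
HOST, REGION, AMZ_DATE = "s3.eu-central-1.amazonaws.com", "eu-central-1", "20200604T095720Z"
PATH = "/example-bucket/v3/persistent/example-object"

def hmac256(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def canonical_request(path, query, headers, signed_headers):
    """SigV4 canonical request for a presigned GET with an unsigned payload."""
    enc = lambda s: quote(s, safe="-_.~")
    cq = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(query.items()))
    # A signed header missing from `headers` canonicalizes to an empty value.
    ch = "".join(f"{h}:{headers.get(h, '').strip()}\n" for h in signed_headers)
    return "\n".join(["GET", quote(path, safe="/-_.~"), cq, ch,
                      ";".join(signed_headers), "UNSIGNED-PAYLOAD"])

def signature(creq):
    date = AMZ_DATE[:8]
    sts = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, f"{date}/{REGION}/s3/aws4_request",
                     hashlib.sha256(creq.encode()).hexdigest()])
    key = ("AWS4" + SECRET).encode()
    for part in (date, REGION, "s3", "aws4_request"):
        key = hmac256(key, part)  # derive the scoped signing key
    return hmac256(key, sts).hex()

def presign(signed_headers, signer_headers):
    """Return (query parameters, signature) as the URL generator would."""
    query = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{AMZ_DATE[:8]}/{REGION}/s3/aws4_request",
        "X-Amz-Date": AMZ_DATE,
        "X-Amz-Expires": "300",
        "X-Amz-SignedHeaders": ";".join(signed_headers),
    }
    return query, signature(canonical_request(PATH, query, signer_headers, signed_headers))

def verify(query, provided, received_headers):
    """Simplified model of the service: rebuild from what actually arrived."""
    signed = query["X-Amz-SignedHeaders"].split(";")
    creq = canonical_request(PATH, query, received_headers, signed)
    return hmac.compare_digest(signature(creq), provided), creq

def demo():
    browser = {"host": HOST}  # a GET following the 302 adds no x-amz-* headers
    wide = ["host", "x-amz-content-sha256", "x-amz-date"]
    # Assumption: the signer filled these headers with non-empty values.
    signer = {"host": HOST, "x-amz-content-sha256": "UNSIGNED-PAYLOAD", "x-amz-date": AMZ_DATE}
    ok_wide, creq = verify(*presign(wide, signer), browser)
    ok_host, _ = verify(*presign(["host"], {"host": HOST}), browser)
    return ok_wide, ok_host, creq

if __name__ == "__main__":
    print(demo()[:2])
```

Only the URL that signs `host` alone verifies against a plain GET; the canonical request rebuilt for the other one has the same empty `x-amz-content-sha256:` and `x-amz-date:` lines as the error response.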

Contributor

mheinzel commented Jul 7, 2020

@maybeTomorrow @kvaps Do you want to give the branch mheinzel/cargohold-use-amazonka a try to see if it solves the problem for you? (see PR #1157)


kvaps commented Jul 7, 2020

Sorry, I swapped the project to Google Cloud, and I have no opportunity to check V4 signing anymore :/
