s3manager: Signature errors when proxies don't respect `Range` headers

[gdavison]

Acknowledgements

• I have searched (https://github.com/aws/aws-sdk/issues?q=is%3Aissue) for past instances of this issue
• I have verified all of my SDK modules are up-to-date (you can perform a bulk update with go get -u github.com/aws/aws-sdk-go-v2/...)

Describe the bug

When used from behind a caching proxy, if the proxy is not configured to pass requests with a Range header unchanged, the AWS API returns signature errors. This appears to be because the Range header is included in the signed headers.

Expected Behavior

The expected behaviour is that the requests would succeed, either with parallel requests or with a fallback to requesting the full object.

Current Behavior

The requests fails with a SignatureDoesNotMatch error.

The request contains the header values:

• Authorization: AWS4-HMAC-SHA256 Credential=ASIA************VBYM/20231019/eu-west-1/s3/aws4_request, SignedHeaders=accept-encoding;amz-sdk-invocation-id;amz-sdk-request;host;range;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=*****
• Range: bytes=0-5242879

In the error response, the <CanonicalRequest>, however shows an empty range:, suggesting that the user's proxy remove the Range header.

Reproduction Steps

Use the S3 Download manager from behind a proxy, e.g. nginx, which strips the Range header from a request.

Possible Solution

Possible solutions are:

• Not include the Range header in the request signature
• Retrying a full GetObject request if the Ranged request fails with a signature error

Additional Information/Context

These are the errors reported to us:

• [Bug]: SignatureDoesNotMatch Error from aws_s3_object with v5.17.0 hashicorp/terraform-provider-aws#34351
• Terraform 1.6.x - SignatureDoesNotMatch Error - S3 Backend (GetObject) hashicorp/terraform#34136

AWS Go SDK V2 Module Versions Used

github.com/aws/aws-sdk-go-v2 v1.30.3
github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.8
github.com/aws/aws-sdk-go-v2/service/s3 v1.58.2

Compiler and Version used

go version go1.22.5 darwin/arm64

Operating System and version

macOS 13.6.7 (22G720)

[lucix-aws]

We call this out in the FAQ - proxies are known to cause issues with signature mismatch as they either add or remove headers.

This isn't behavior we can change by default. The user's only present recourse here is to control the proxy behavior to not modify the request.

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.