Amazon S3 connect error , 403 error number

I am trying to build pro server with Amazon S3 as back-end storage, unfortunately, I met a wild error like this,
…/common/obj-backend-s3.c(341): Put object ad7c708de997d0681b6923221fd91746521c0986 error 403. Response:

<?xml version="1.0" encoding="UTF-8"?>

SignatureDoesNotMatchThe request signature we calculated does not match the signature you provided. Check your key and signing method.xxxxxxxxxxxAWS4-HMAC-SHA256

my configure items in conf/seafile.con like below,
[commit_object_backend]
name = s3
bucket = seafile-commit
key_id = xxxxxx
key = xxxxxxxxxx
path_style_request = true
host = s3.cn-north-1.amazonaws.com.cn
use_v4_signature = true
aws_region = cn-north-1
use_https = true
[fs_object_backend]
same with commit-object-backend expect bucketname
[block_backend]
same with commit-object-backend expect bucketname

And the Access Key ID and Secure Key ID are available to connect
S3 via pytho2.7.5 n with boto component.
but seafile prompts this error msg while starting up sealfie.sh.

Is there any clues can be shared with me to resolve it, extremely expecting for your support, :slight_smile:

We haven’t tested S3 support in the cn region yet. But it should work. You can try removing this configuration:

This configuration cannot be used with S3 provided by AWS. It’s only for other S3-compatible storage systems like OpenStack Swift.

I get the same error. While being able to use the key in S3Browser for example this prooves there’s something wrong:

[block_backend]
name = s3
bucket = seafile-cha-block
key_id=KEY
key=SECRET
memcached_options = --SERVER=localhost --POOL-MIN=10 --POOL-MAX=100
use_https = true
aws_region = eu-central-1
use_v4_signature = true

I use frankfurt region.

Which version do you use? The issue with cn-north-1 region is due to the use of ‘host’ option. This triggers a bug in our software to calculate the signature with a wrong S3 host name. This has been fixed. But since you don’t set ‘host’ option, I don’t know why it doesn’t work for you.

I tried with various mix-match of no aws_region, no use_https and no use_v4_signature nothing seems to work. Could it be that frankfurt remains unsupported or changed something? I would really love for this to work. Do you happen to know a well-tested region with some confirmed settings?

Have you tried to add the ‘host’ option to your config file?

I can’t remember to be honest. But my guess is that I tried I have a slight memory of looking in the log for the hostname for that reason. But I can try again. If you have any other guess as to why this might be needed or other things to try please advice :slight_smile:

You can try with the following config:

[block_backend]
name = s3
bucket = seafile-cha-block
host = s3.eu-central-1.amazonaws.com
key_id=KEY
key=SECRET
memcached_options = --SERVER=localhost --POOL-MIN=10 --POOL-MAX=100
use_https = true
aws_region = eu-central-1
use_v4_signature = true

Taking the settings from Jonathan on Jan 12th 2017, I still get the 403 error at Frankfurt.

[03/27/2018 09:34:59 PM] ../common/s3-client.c(714): S3 error status for PUT: 403.
[03/27/2018 09:34:59 PM] ../common/s3-client.c(715): Request URL: https://my-bucket-name.s3.eu-central-1.amazonaws.com/bc5b16c0-80fc-468a-8ec6-ea5c747b5794/cd738814d5b80d7f19e22ef677e237fc72fa0a8a
[03/27/2018 09:34:59 PM] ../common/s3-client.c(716): Request headers:
[03/27/2018 09:34:59 PM] ../common/s3-client.c(615): Date: Tue, 27 Mar 2018 19:34:59 +0000
[03/27/2018 09:34:59 PM] ../common/s3-client.c(615): Authorization: AWS4-HMAC-SHA256 Credential=MYACCESSKEY/20180327/eu-central-1/s3/aws4_request,SignedHeaders=host;x-amz-content-sha256,Signature=810c4f3cf726f775833c755f78de3189e5763874a8ecdfa645161a422e5aabd0
[03/27/2018 09:34:59 PM] ../common/s3-client.c(615): x-amz-content-sha256: e392ec68a7a01e6a28006bf926149e0adc38c5cfea64e3731b8dbae80026ea9a
[03/27/2018 09:34:59 PM] ../common/obj-backend-s3.c(348): Put object cd738814d5b80d7f19e22ef677e237fc72fa0a8a error 403. Response:
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>MYACCESSKEY</AWSAccessKeyId><StringToSign>AWS4-HMAC-SHA256
Tue, 27 Mar 2018 19:34:59 +0000
20180327/eu-central-1/s3/aws4_request
01a2621b3931f7341938a0faef72b58aa4ae460f3a3658e9ae9f4b73c365ab5d</StringToSign>

It is not an AWS IAM user permission issue as I granted the IAM user administrator permission and the same credential worked well with awscli. I tried to use AWS SDK to produce the signature for the same request, the signature differed from the one in the log file.

Is there any clue for further troubleshooting?

We’ll test in Frankfurt region.

Has anyone had anyluck with this issue? Same thing happening to me with us-east-2 (ohio)

  • Thanks

Still facing this issue with the Frankfurt region, seems to be related to v4 signatures

You can try the latest 6.3 version. The problem should have been fixed. Note that you should use the host option in seafile.conf.