Comments (38)

Cinderhaze avatar Cinderhaze commented on August 18, 2024

Curious if this is in the pipeline. I'm facing the same issue in a region that only supports signature version 4. Duplicated lobida's issue in the Frankfurt region.

from yum-s3-iam.

mbrossard avatar mbrossard commented on August 18, 2024

The good thing is that according to this once we have v4 signature working it would work everywhere.

asedge avatar asedge commented on August 18, 2024

I actually have this working. I just want to double check with work and confirm it is not an issue for me to contribute the code back. CYA or CMA in this case.

Cinderhaze avatar Cinderhaze commented on August 18, 2024

I'm excited to see your changes, I poked around for a little, but couldn't get it working!

mbrossard avatar mbrossard commented on August 18, 2024

@asedge: Wonderful. I've mostly been looking at the problem, nothing working right now. Whether or not you can contribute the code, let me know how you want to proceed.

mbrossard avatar mbrossard commented on August 18, 2024

@lobida and @Cinderhaze (or anyone else interested) could you test the v4_signature branch?

You need to add to the .repo file the following lines (where <region> is the bucket region):

region=<region>
v4_signature=1

from yum-s3-iam.
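
What those two settings feed into, as an added example that is not the plugin's code: the region= value becomes part of the SigV4 credential scope and of the signing-key derivation, so a GET for repomd.xml signed for the wrong region carries a signature the service cannot verify. The credentials, session token and timestamp below are constructed placeholders.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less GET


def amz_date_now():
    """Current UTC time in x-amz-date form, e.g. 20151106T012652Z."""
    return datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_authorization(access_key, secret_key, region, host, path, amz_date, token=None):
    """Return (Authorization value, headers to send) for an S3 GET of `path`.

    `region` is the repo's region= setting; `token` is the session token that
    instance-role credentials come with, signed as x-amz-security-token.
    """
    date_stamp = amz_date[:8]
    headers = {"host": host, "x-amz-content-sha256": EMPTY_SHA256, "x-amz-date": amz_date}
    if token:
        headers["x-amz-security-token"] = token
    signed = ";".join(sorted(headers))
    canonical_headers = "".join("%s:%s\n" % (k, headers[k]) for k in sorted(headers))
    # S3 canonical URI: encoded once with '/' kept; no query string for a plain GET.
    canonical_request = "\n".join(["GET", quote(path, safe="/~"), "", canonical_headers,
                                   signed, EMPTY_SHA256])
    # The credential scope ties the signature to the date, the region and the service.
    scope = "%s/%s/s3/aws4_request" % (date_stamp, region)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key: kSecret -> kDate -> kRegion -> kService -> kSigning.
    key = ("AWS4" + secret_key).encode()
    for part in (date_stamp, region, "s3", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    authorization = "AWS4-HMAC-SHA256 Credential=%s/%s, SignedHeaders=%s, Signature=%s" % (
        access_key, scope, signed, signature)
    return authorization, headers


def signature_of(authorization):
    """Pull the hex signature out of an Authorization value (for comparisons)."""
    return authorization.rsplit("Signature=", 1)[1]


if __name__ == "__main__":
    # Constructed placeholder credentials; bucket and key follow the thread's repo layout.
    auth, hdrs = sigv4_authorization("AKIDEXAMPLE", "SECRETKEYEXAMPLE", "eu-central-1",
                                     "s3-eu-central-1.amazonaws.com",
                                     "/dawiest-repo/noarch/repodata/repomd.xml",
                                     "20151106T012652Z", token="SESSIONTOKENEXAMPLE")
    print(auth)
```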

asedge avatar asedge commented on August 18, 2024

I guess you couldn't wait. I posed the question at work but got no immediate response yesterday.

Anyway, I don't think there's a compelling reason to keep SigV2 support. Every region supports SigV4 from what I understand and new regions only support V4.

mbrossard avatar mbrossard commented on August 18, 2024

I'm still keeping the V2 code while we test. Depending on the results and the feedback, we'll see if we leave V2 as an option or remove it completely. But I agree with you the best solution is to get rid of V2.

Cinderhaze avatar Cinderhaze commented on August 18, 2024

I was just skimming over the code, didn't get a chance to test yet.. Shouldn't the last line (235) have 't' being passed to it?

@@ -222,11 +227,12 @@ def urlread(self, url, limit=None, **kwargs):
229 - date = time.strftime("%a, %d %b %Y %H:%M:%S GMT", timeval or time.gmtime())
234 + t = timeval or time.gmtime()
235 + date = time.strftime("%a, %d %b %Y %H:%M:%S GMT", )
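Review bot: the rewritten strftime call on the hunk's last `+` line (235) has lost its second argument, so the `t` computed on the line just above is never used and strftime silently formats the current local time instead of the value the removed line passed inline. It should read `date = time.strftime("%a, %d %b %Y %H:%M:%S GMT", t)`.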

mbrossard avatar mbrossard commented on August 18, 2024

@Cinderhaze nice catch. I fixed that in [aad51da].

Cinderhaze avatar Cinderhaze commented on August 18, 2024

I was trying to test it out on EU - frankfurt.

I have my project from when I was testing out the repo earlier...

https://github.com/Cinderhaze/s3-repo-sandbox
I did the following...

  • pre-populated the repo
  • created an ec2 in the Frankfurt region
  • installed git
  • cloned my repo
  • ran my init script, which installs puppet and pulls down the vcsrepo puppet module, and moves all of the existing yum repos out into /tmp/
  • used puppet apply to run my .pp file

Here is the output from the repo I created

[ec2-user@ip-x-x-x-x yum-s3-iam]$ cat /etc/yum.repos.d/s3-iam.repo 
[s3-iam]
name=S3 iam - Testing - $basearch - Source
baseurl=http://dawiest-repo.s3.amazonaws.com/noarch
enabled=1
gpgcheck=0
s3_enabled=true
region=EU
v4_signature=1

Here is what I have in my s3 repo.

[ec2-user@ip-x-x-x-x yum-s3-iam]$ aws --region=eu-central-1 s3 ls s3://dawiest-repo --recursive
2015-11-06 01:26:52      14540 noarch/epel-release-6-8.noarch.rpm
2015-11-06 01:26:53        377 noarch/repodata/filelists.xml.gz
2015-11-06 01:26:53        921 noarch/repodata/other.xml.gz
2015-11-06 01:26:53        929 noarch/repodata/primary.xml.gz
2015-11-06 01:26:54        951 noarch/repodata/repomd.xml

Here is my attempt to search my repo.

[ec2-user@ip-x-x-x-x yum-s3-iam]$ yum search epel
Loaded plugins: priorities, s3iam, update-motd, upgrade-helper
...
failure: repodata/repomd.xml from s3-iam: [Errno 14] HTTP Error 400: Bad Request on repodata/repomd.xml

I replaced region=EU with region=eu-central-1, and got the following output

[ec2-user@x-x-x-x yum-s3-iam]$ yum search epel
Loaded plugins: priorities, s3iam, update-motd, upgrade-helper
...
failure: repodata/repomd.xml from s3-iam: [Errno 14] HTTP Error 403: Forbidden on repodata/repomd.xml

revmischa avatar revmischa commented on August 18, 2024

Do you have an instance role set up to give you access to the S3 bucket?

Cinderhaze avatar Cinderhaze commented on August 18, 2024

Yep, because I could do my aws ls command to print its contents...
It contains AmazonS3FullAccess and AmazonS3ReadOnlyAccess

[ec2-user@ip-x-x-x-x yum-s3-iam]$ aws --region=eu-central-1 s3 ls s3://dawiest-repo --recursive
2015-11-06 01:26:52 14540 noarch/epel-release-6-8.noarch.rpm
2015-11-06 01:26:53 377 noarch/repodata/filelists.xml.gz
2015-11-06 01:26:53 921 noarch/repodata/other.xml.gz
2015-11-06 01:26:53 929 noarch/repodata/primary.xml.gz
2015-11-06 01:26:54 951 noarch/repodata/repomd.xml

mbrossard avatar mbrossard commented on August 18, 2024

Could you try with:

baseurl=https://dawiest-repo.s3-eu-central-1.amazonaws.com/noarch

Cinderhaze avatar Cinderhaze commented on August 18, 2024

in addition to the other two values? Should I use region=EU or region=eu-central-1?

mbrossard avatar mbrossard commented on August 18, 2024

region=eu-central-1

Cinderhaze avatar Cinderhaze commented on August 18, 2024

Same.

[ec2-user@ip-172-31-15-215 yum-s3-iam]$ yum search epel
Loaded plugins: priorities, s3iam, update-motd, upgrade-helper
...

failure: repodata/repomd.xml from s3-iam: [Errno 14] HTTP Error 403: Forbidden on >repodata/repomd.xml

[ec2-user@ip-x-x-x-x yum-s3-iam]$ cat /etc/yum.repos.d/s3-iam.repo
[s3-iam]
name=S3 iam - Testing - $basearch - Source
baseurl=http://dawiest-repo.s3-eu-central-1.amazonaws.com/noarch
enabled=1
gpgcheck=0
s3_enabled=true
region=eu-central-1
v4_signature=1

mbrossard avatar mbrossard commented on August 18, 2024

s3.amazonaws.com is the endpoint for S3 buckets in us-east-1 region (USA North Virginia).

Also for everything with credentials, I prefer using https://

Cinderhaze avatar Cinderhaze commented on August 18, 2024

I switched from http to https, same result.

I thought s3.amazonaws.com was the 'everything' url, and you used the region specific ones for more specificity..

mbrossard avatar mbrossard commented on August 18, 2024

Ok thank you.

I'll try creating an instance and a bucket in eu-central-1 tonight to see if I can reproduce.

Cinderhaze avatar Cinderhaze commented on August 18, 2024

I'm not sure if you can send a direct message on github.. If you give me your public key, I can add it to the ec2 user on the instance and somehow send you the ec2 public address

mbrossard avatar mbrossard commented on August 18, 2024

We'll do that later, after I make my own tests. Thank you again.

mbrossard avatar mbrossard commented on August 18, 2024

I've reproduced the error (on eu-central-1), and found an error I introduced when doing the commit.

It worked for me with this new commit.

Cinderhaze avatar Cinderhaze commented on August 18, 2024

Pulled down your most recent change, and I report success!

[ec2-user@ip-x-x-x-x yum-s3-iam]$ yum search epel
Loaded plugins: priorities, s3iam, update-motd, upgrade-helper
s3-iam 1/1
============================== N/S matched: epel ===============================
epel-release.noarch : Extra Packages for Enterprise Linux repository
: configuration

Name and summary matches only, use "search all" for everything.

mbrossard avatar mbrossard commented on August 18, 2024

@Cinderhaze: thanks for testing.

@asedge. I think the next step is linked with #30. We need to decide on the URL syntaxes we want to support, because if the region is contained in the URL we wouldn't need the region setting.

mbrossard avatar mbrossard commented on August 18, 2024

  1. {scheme}://{bucket}.{s3_endpoint}/{path}
  2. {scheme}://{s3_endpoint}/{bucket}/{path}
  3. s3://{bucket}/{path}

Where:

  • {scheme}: http, https or s3.
    • If {scheme} is http or https, s3_enabled=1 is needed.
    • If {scheme} is s3, for case (3), region={region} is needed, unless we implement some form of detection (either query the bucket, or assume from the instance's placement).
  • {bucket}: bucket name (if it contains dots some extra care might be needed)
  • {s3_endpoint}: s3 endpoint with region, typically s3-{region}.amazonaws.com (special case for us-east-1)
  • {path}: path in bucket to repo

Once we get all the information, I would be tempted to use (except maybe http when http is requested):
https://s3-{region}.amazonaws.com/{bucket}/{path}

asedge avatar asedge commented on August 18, 2024

@mbrossard I pushed a commit to your branch that will grab the region from the metadata service if it wasn't specified in the config file. It's very similar to get_credentials().

@Cinderhaze Could I trouble you to try it out?

Cinderhaze avatar Cinderhaze commented on August 18, 2024

@mbrossard - It would be nice to have the information inferred from the url, because the other additional fields aren't a part of the puppet 'Yumrepo' resource, so I have to manage the file directly with puppet instead of just using the built in resource type

@asedge - I'll try to get to it tonight!

mbrossard avatar mbrossard commented on August 18, 2024

@Cinderhaze: that's a really good point. The syntax s3://s3-{region}.amazonaws.com/{bucket}/{path} would allow that.

(The syntax s3://{bucket}.s3-{region}.amazonaws.com/{path} would also work, but {bucket} values with dots need to switch url format to avoid issues with https)

asedge avatar asedge commented on August 18, 2024

@Cinderhaze Thanks! We would just need to submit a PR that was something like this (puppetlabs/puppet@cd9135f) to add new params to the yumrepo resource in Puppet. It's how s3_enabled got added after all.

@mbrossard Both of those URLs should work fine with the code from #30. We would just need to add something to parse the region out of the URL in the case that the instance didn't reside in the same region. The region supplied in a URL should disable auto detection.

Cinderhaze avatar Cinderhaze commented on August 18, 2024

@asedge - it looks like they were iffy on adding the 's3_enabled' flag as is, and don't want to add too many one-off flags to the resources. Also, given that we can interpret the needed information from the url, that seems like the cleaner solution.

Cinderhaze avatar Cinderhaze commented on August 18, 2024

@asedge, I tried testing out your changes this morning, and they don't work with both including and not including the region. I think something is broken with the header creation.
The values reported from the ec2 metadata service call are different than the values returned in the error message (the facter fact pulls down the values from the metadata - access/secret slightly munged for security)

[ec2-user@ip-x-x-x-x yum-s3-iam]$ yum search epel
Loaded plugins: priorities, s3iam, update-motd, upgrade-helper
Traceback (most recent call last):
File "/usr/bin/yum", line 29, in
yummain.user_main(sys.argv[1:], exit_code=True)
File "/usr/share/yum-cli/yummain.py", line 367, in user_main
errcode = main(args)
File "/usr/share/yum-cli/yummain.py", line 174, in main
result, resultmsgs = base.doCommands()
File "/usr/share/yum-cli/cli.py", line 572, in doCommands
return self.yum_cli_commands[self.basecmd].doCommand(self, self.basecmd, self.extcmds)
File "/usr/share/yum-cli/yumcommands.py", line 1728, in doCommand
return base.search(extcmds)
File "/usr/share/yum-cli/cli.py", line 1441, in search
for (po, keys, matched_value) in matching:
File "/usr/lib/python2.7/dist-packages/yum/init.py", line 3176, in searchGenerator
for sack in self.pkgSack.sacks.values():
File "/usr/lib/python2.7/dist-packages/yum/init.py", line 1077, in
pkgSack = property(fget=lambda self: self._getSacks(),
File "/usr/lib/python2.7/dist-packages/yum/init.py", line 782, in _getSacks
self.repos.populateSack(which=repos)
File "/usr/lib/python2.7/dist-packages/yum/repos.py", line 383, in populateSack
sack.populate(repo, mdtype, callback, cacheonly)
File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 250, in populate
if self._check_db_version(repo, mydbtype):
File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 342, in _check_db_version
return repo._check_db_version(mdtype)
File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1520, in _check_db_version
repoXML = self.repoXML
File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1706, in
repoXML = property(fget=lambda self: self._getRepoXML(),
File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1702, in _getRepoXML
self._loadRepoXML(text=self.ui_id)
File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1693, in _loadRepoXML
return self._groupLoadRepoXML(text, self._mdpolicy2mdtypes())
File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1667, in _groupLoadRepoXML
if self._commonLoadRepoXML(text):
File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1492, in _commonLoadRepoXML
result = self._getFileRepoXML(local, text)
File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1270, in _getFileRepoXML
size=102400) # setting max size as 100K
File "/usr/lib/python2.7/dist-packages/yum/yumRepo.py", line 1058, in _getFile
**kwargs
File "/usr/lib/yum-plugins/s3iam.py", line 223, in urlgrab
response = urllib2.urlopen(request)
File "/usr/lib64/python2.7/urllib2.py", line 154, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib64/python2.7/urllib2.py", line 431, in open
response = self._open(req, data)
File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
'_open', req)
File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
result = func(*args)
File "/usr/lib64/python2.7/urllib2.py", line 1242, in https_open
context=self._context)
File "/usr/lib64/python2.7/urllib2.py", line 1196, in do_open
h.request(req.get_method(), req.get_selector(), req.data, headers)
File "/usr/lib64/python2.7/httplib.py", line 1053, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.7/httplib.py", line 1092, in _send_request
self.putheader(hdr, value)
File "/usr/lib64/python2.7/httplib.py", line 1031, in putheader
raise ValueError('Invalid header value %r' % (one_value,))
ValueError: Invalid header value 'AWS >ASIAI2IZxxxxxxxxA57Q:TBNEVxxxxxxxxMzIs/YPzxxxxKw=\n'
[ec2-user@ip-x-x-x-x yum-s3-iam]$ facter ec2_iam_security_credentials_s3access_4
"AccessKeyId" : "ASIAI2IZxxxxxxxxA57Q",
[ec2-user@ip-x-x-x-x yum-s3-iam]$ facter ec2_iam_security_credentials_s3access_5
"SecretAccessKey" : "jGiDCTxxxxxxxxVtCjebzSaZxYnJYGA/+lxxxxvo",

asedge avatar asedge commented on August 18, 2024

@Cinderhaze I didn't change any of the code regarding credentials. See the diff: 026439d.

I just tried this on both CentOS 6 (python2.6) and CentOS 7 (python2.7) and it works fine for me. The code I added just means you don't need to specify the region= in your yumconf if the s3 bucket resides in the same region as your instance. What does your repo conf look like?

Cinderhaze avatar Cinderhaze commented on August 18, 2024

Hrm, you're right... Though I am still seeing the error (I even hopped back to the previous commit to verify).

[ec2-user@ip-x-x-x-x yum-s3-iam]$ cat /etc/yum.repos.d/s3-iam.repo
[s3-iam]
name=S3 iam - Testing - $basearch - Source
baseurl=https://dawiest-repo.s3-eu-central-1.amazonaws.com/noarch
region=eu-central-1
enabled=1
gpgcheck=0
s3_enabled=true

Was there a different configuration that you wanted to see? I used the above with the previous checkout, and removed the region line for testing your checkout, both show the same error above, though it was working for me yesterday. Curious.

Cinderhaze avatar Cinderhaze commented on August 18, 2024

Looking into the error.. "ValueError: Invalid header value ....\n"... leads me to this thread (scrapinghub/splash#241) which points to http://bugs.python.org/issue22928 .. " It is not safe to use header values with new lines (besides some specific cases), so Python stdlib disallows it now"

Not sure if that applies, but from my ec2..
python --version
Python 2.7.10

I've only dabbled with python.. if there is any additional info that I can get, let me know.

from yum-s3-iam.
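
The failure mode behind that traceback, as an added example (not yum-s3-iam code): a SigV2 Authorization value built with a base64 encoder that appends a newline (Python 2's base64.encodestring does; its Python 3 equivalent encodebytes is used here) trips the stdlib check from issue 22928, while b64encode yields the same digest without the newline. The keys and token are constructed placeholders, and the cause is an assumption drawn from the trailing '\n' in the reported header value.

```python
import base64
import hashlib
import hmac

# Constructed placeholder credentials, not real AWS keys.
ACCESS_KEY = "ASIAEXAMPLEKEY000001"
SECRET_KEY = "exampleSecretKeyExampleSecretKeyExample1"


def sigv2_string_to_sign(method, bucket, key, date, amz_headers):
    """SigV2 StringToSign for a request with no Content-MD5/Content-Type
    (a yum GET for repodata).  amz_headers: x-amz-* headers such as the session token."""
    canonical_amz = "".join("%s:%s\n" % (k.lower(), v) for k, v in sorted(amz_headers.items()))
    return "%s\n\n\n%s\n%s/%s/%s" % (method, date, canonical_amz, bucket, key)


def sigv2_digest(secret, string_to_sign, legacy_encoder=False):
    """HMAC-SHA1 of the string, base64-encoded.  With legacy_encoder=True the
    encodebytes API (Python 2's encodestring) is used, which appends '\n'."""
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1).digest()
    if legacy_encoder:
        return base64.encodebytes(mac).decode()
    return base64.b64encode(mac).decode()


def authorization_header(access_key, digest):
    return "AWS %s:%s" % (access_key, digest)


def check_header_value(value):
    """The stdlib rule from Python issue 22928: a CR or LF in a header value is
    refused, which is the ValueError in the traceback above."""
    if "\r" in value or "\n" in value:
        raise ValueError("Invalid header value %r" % (value,))
    return value


if __name__ == "__main__":
    s = sigv2_string_to_sign("GET", "dawiest-repo", "noarch/repodata/repomd.xml",
                             "Fri, 06 Nov 2015 01:26:52 GMT",
                             {"x-amz-security-token": "SESSIONTOKENEXAMPLE"})
    for legacy in (True, False):
        value = authorization_header(ACCESS_KEY, sigv2_digest(SECRET_KEY, s, legacy))
        try:
            print("accepted:", check_header_value(value))
        except ValueError as err:
            print("rejected:", err)
```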

mbrossard avatar mbrossard commented on August 18, 2024

I've been under the weather for almost two weeks, which has cut down my time to work on this.

I want to support v4 signatures but I also don't want to break existing configuration, which means we'll probably need to keep v2 signatures around.

My strategy (currently) would be:

  • Add support for s3://s3-{region}.amazonaws.com/{bucket}/{path} (and s3://{bucket}.s3-{region}.amazonaws.com/{path}) based on #30, which would use v4 signature.
  • For old-style URLs (with s3_enabled), if URL contains the region, we could use v4 signature.
  • Fallback to v2 signature. Eventually, if v2 is discontinued we could add a GET Bucket location in the fallback case.

What do you think?

from yum-s3-iam.
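
The three URL syntaxes from the earlier list and the v4/v2 decision from this strategy post, as an added example (not the project's parser): parse_repo_url and its return keys are this example's own names; a region named in the URL wins over the region= setting, and the bare s3.amazonaws.com endpoint carries no region, so it gets the v2 fallback.

```python
import re
from urllib.parse import urlparse

# An S3 endpoint host; group(1) is the region when the host carries one.  The bare
# global endpoint s3.amazonaws.com (the us-east-1 special case) carries none.
_S3_HOST = re.compile(r"(?:^|\.)s3(?:[-.]([a-z0-9-]+))?\.amazonaws\.com$")


def parse_repo_url(url, s3_enabled=False, region=None):
    """Split a baseurl into bucket, region and path and choose the signature version.

    Accepts the three syntaxes proposed in the thread:
      1. {scheme}://{bucket}.{s3_endpoint}/{path}
      2. {scheme}://{s3_endpoint}/{bucket}/{path}
      3. s3://{bucket}/{path}
    `region` is the region= setting, used only when the URL itself names no region.
    """
    p = urlparse(url)
    if p.scheme in ("http", "https"):
        if not s3_enabled:
            raise ValueError("s3_enabled=1 is needed for http(s) repo URLs")
    elif p.scheme != "s3":
        raise ValueError("unsupported scheme: %r" % p.scheme)
    host, path = p.hostname or "", p.path.lstrip("/")
    m = _S3_HOST.search(host)
    if m is None:
        if p.scheme != "s3":
            raise ValueError("not an S3 endpoint host: %r" % host)
        bucket = host                               # syntax 3: host part is the bucket
    elif m.start() == 0:
        bucket, _, path = path.partition("/")       # syntax 2: path-style
    else:
        bucket = host[:m.start()]                   # syntax 1: virtual-hosted style
    host_region = m.group(1) if m else None
    region = host_region or region                  # a region in the URL wins
    scheme = "http" if p.scheme == "http" else "https"  # keep http only when asked for
    if region:
        endpoint, signature = "s3-%s.amazonaws.com" % region, "v4"
    else:
        # No region known: global endpoint and the v2 fallback from the strategy post.
        endpoint, signature = "s3.amazonaws.com", "v2"
    # Always emit the path-style form, which also avoids the TLS trouble that
    # dotted bucket names cause in the virtual-hosted form.
    return {"bucket": bucket, "region": region, "path": path, "signature": signature,
            "url": "%s://%s/%s/%s" % (scheme, endpoint, bucket, path)}
```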

mbrossard avatar mbrossard commented on August 18, 2024

I think the v4_scheme branch is almost ready to be merged. I'll wait a few days to give you some time to test if you can.

mbrossard avatar mbrossard commented on August 18, 2024

Fixed in 1.1.0