Announcement: S3 default integrity change #1240
Comments
|
Seems changing the default breaks AWS S3 Presigned PUTs if you don't explicitly set a checksum? I can see a checksum is added to the headers and when the client attempts an upload it gets: The issue was resolved by setting the config to |
|
Hi @danprueitt, thank you for bringing that to our attention. Sounds like it's a regular S3 presigned PUT requests that are affected? Can you provide us with a reproducer so we can work backwards from it? |
|
@danprueitt I was able to replicate your issue and working on a fix now, thanks for bringing this to our attention. |
|
It looks like this change added the See also: awesomized/crc64fast-nvme#5 |
## Motivation and Context <!--- Why is this change required? What problem does it solve? --> <!--- If it fixes an open issue, please link to the issue here --> Fixing bug reported in awslabs/aws-sdk-rust#1240 (comment) ## Description <!--- Describe your changes in detail --> ## Testing <!--- Please describe in detail how you tested your changes --> <!--- Include details of your testing environment, and the tests you ran to --> <!--- see how your change affects other areas of the code, etc. --> Updated presigning integ tests to account for behavior specified in SEP, added new test for the user provided checksum case ## Checklist <!--- If a checkbox below is not applicable, then please DELETE it rather than leaving it unchecked --> - [x] For changes to the AWS SDK, generated SDK code, or SDK runtime crates, I have created a changelog entry Markdown file in the `.changelog` directory, specifying "aws-sdk-rust" in the `applies_to` key. ---- _By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._
|
Fix was merged in smithy-lang/smithy-rs#3971, we are working to release the codegen now and the actual fix should be released in version |
|
@aaronmondal I've created a PR to the |
|
Thank you for the announcement. I have one question: why does the SDK use CRC32 instead of CRC64NVME? Checking object integrity in Amazon S3 recommends CRC64NVME and boto3 also uses CRC64NVME as the default. |
Primarily because we could not enable CRC64NVME on all targets by default due to |
Thank you for your explanation. I've understood it well. |
|
There have been asks of various SDKs for examples of how to revert to something like the previous behavior, especially for S3 APIs like
[package]
name = "md5-override"
version = "0.1.0"
edition = "2021"
[dependencies]
aws-config = "1.5.15"
aws-sdk-s3 = "1.72.0"
aws-smithy-types = "1.2.13"
md5 = "0.7.0"
tokio = { version = "1.43.0", features = ["macros", "rt-multi-thread"] }
use aws_config::BehaviorVersion;
use aws_config::Region;
use aws_sdk_s3::config::http::HttpRequest;
use aws_sdk_s3::types::{Delete, ObjectIdentifier};
use aws_sdk_s3::Client;
use aws_smithy_types::base64;
#[tokio::main]
async fn main() {
let region = Region::from_static("us-west-2");
let config = aws_config::defaults(BehaviorVersion::latest())
.region(region)
.load()
.await;
let s3_client = Client::new(&config);
let delete_objs_res = s3_client
.delete_objects()
.bucket("NOT_A_REAL_BUCKET")
.delete(
Delete::builder()
.objects(
ObjectIdentifier::builder()
.key("NOT_A_REAL_KEY")
.build()
.unwrap(),
)
.build()
.unwrap(),
)
.customize()
.mutate_request(calculate_md5_checksum_and_remove_other_checksums)
// Check that the headers were correctly mutated
.mutate_request(|req| {
println!("HEADERS: {:#?}", req.headers());
})
.send()
.await;
println!("RESULT: {delete_objs_res:#?}")
}
/// This function mutates the request to insert a Content-MD5 header and remove
/// any existing flexible checksum headers
fn calculate_md5_checksum_and_remove_other_checksums(http_request: &mut HttpRequest) {
// Remove the flexibile checksum headers
let remove_headers = http_request.headers().clone();
let remove_headers: Vec<(&str, &str)> = remove_headers
.iter()
.filter(|(name, _)| {
name.starts_with("x-amz-checksum") || name.starts_with("x-amz-sdk-checksum")
})
.collect();
for (name, _) in remove_headers {
http_request.headers_mut().remove(name);
}
// Check if the body is present if it isn't (streaming request) we skip adding the header
if let Some(bytes) = http_request.body().bytes() {
let md5 = md5::compute(bytes);
let checksum_value = base64::encode(md5.as_slice());
http_request
.headers_mut()
.append("Content-MD5", checksum_value);
}
} |
|
Hi @landonxjames is there plans to provide a better user experience for these |
There are no plans for that. The SDK's backwards compatibility guarantees only apply to AWS services and the APIs as they currently are work with S3. Happy to help customers figure out workarounds for their individual situations, but unlikely to make any features in the SDK specifically targeting deprecated behavior. |
Fixes build issues encountered internally and in awslabs/aws-sdk-rust#1240 (comment)
Fixes build issues encountered internally and in awslabs/aws-sdk-rust#1240 (comment) ## Motivation and Context <!--- Why is this change required? What problem does it solve? --> <!--- If it fixes an open issue, please link to the issue here --> ## Description <!--- Describe your changes in detail --> ## Testing <!--- Please describe in detail how you tested your changes --> <!--- Include details of your testing environment, and the tests you ran to --> <!--- see how your change affects other areas of the code, etc. --> ## Checklist ---- _By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice._
In AWS SDK for Rust v1.69.0, we released changes to the S3 client that adopts new default integrity protections. For more information on default integrity behavior, please refer to the official SDK documentation. In SDK releases from this version on, clients default to enabling an additional checksum on all Put calls and enabling validation on Get calls.
You can disable default integrity protections for S3. We do not recommend this because checksums are important to S3 integrity posture. Integrity protections can be disabled by setting the config flag to
WHEN_REQUIRED, or by using the related AWS shared config file settings or environment variables.Disclaimer: the AWS SDKs and CLI are designed for usage with official AWS services. We may introduce and enable new features by default, such as these new default integrity protections, prior to them being supported or otherwise handled by third-party service implementations. You can disable the new behavior with the
WHEN_REQUIREDvalue for therequest_checksum_calculationandresponse_checksum_validationconfiguration options covered in Data Integrity Protections for Amazon S3.The text was updated successfully, but these errors were encountered: