Summary
When using signature_version=UNSIGNED (requests with no Authorization header), boto3 v1.36.0+ sends checksums that trigger aws-chunked transfer encoding. This appears inconsistent with AWS documentation and causes failures with S3-compatible services.

Terminology clarification: We're discussing truly unauthenticated requests (no Authorization header), not authenticated requests using X-Amz-Content-SHA256: UNSIGNED-PAYLOAD or STREAMING-UNSIGNED-PAYLOAD-TRAILER.

Current Behavior
Sends:
    Transfer-Encoding: chunked
    Content-Encoding: aws-chunked
    X-Amz-Decoded-Content-Length: 3
    x-amz-checksum-crc32: <value>
    X-Amz-Content-SHA256: STREAMING-UNSIGNED-PAYLOAD-TRAILER
Result: S3-compatible servers return HTTP 411 MissingContentLength.

The disconnect: AWS documentation states chunked uploads require "authenticating requests using the Authorization header" (docs), and checksum headers are part of Signature V4 signing (docs). Yet boto3 sends these for requests with no Authorization header.

Questions
Is this intentional? Does AWS S3 accept unauthenticated requests with checksums and chunked encoding? We haven't tested against AWS S3, only S3-compatible services which reject them.

Why doesn't request_checksum_calculation: 'when_required' work?

    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config

    client = boto3.client(
        's3',
        config=Config(
            signature_version=UNSIGNED,
            s3={'request_checksum_calculation': 'when_required'}
        )
    )
    # Still sends checksums and uses chunked encoding

Should boto3 align with the documentation? If AWS docs say these features require authentication, should signature_version=UNSIGNED disable them automatically?

Workaround
Event handler to remove checksums from unauthenticated requests:
Impact
Related
Environment
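
For anyone checking what an S3-compatible service actually receives in the "Current Behavior" case, the function below is an added example (not part of the original post, and not boto3 or AWS code) that decodes such a body, verifies the declared length and the CRC32 trailer, and reports whether the request carried no Authorization header. The chunk framing (hex size, CRLF, data, CRLF, zero-length chunk, trailer line) and the names decode_unsigned_aws_chunked, SAMPLE_HEADERS and SAMPLE_BODY are assumptions; the sample request is constructed.

```python
import base64
import zlib

def decode_unsigned_aws_chunked(headers, body):
    """Return (payload, anonymous) for an aws-chunked body with a CRC32 trailer."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if "aws-chunked" not in h.get("content-encoding", ""):
        raise ValueError("not an aws-chunked request")
    if h.get("x-amz-content-sha256") != "STREAMING-UNSIGNED-PAYLOAD-TRAILER":
        raise ValueError("only the unsigned-trailer variant is handled")
    anonymous = "authorization" not in h  # the case this discussion is about

    payload, pos = bytearray(), 0
    while True:  # assumed framing: <hex size>\r\n<data>\r\n ... 0\r\n<trailers>\r\n
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk header")
        size = int(body[pos:eol], 16)
        pos = eol + 2
        if size == 0:
            break
        if size < 0 or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk data")
        payload += body[pos:pos + size]
        pos += size + 2

    # Trailer lines follow the zero-length chunk, e.g. "x-amz-checksum-crc32:<base64>"
    trailers = {}
    for line in body[pos:].split(b"\r\n"):
        if line:
            name, _, value = line.partition(b":")
            trailers[name.strip().lower().decode()] = value.strip().decode()

    if len(payload) != int(h.get("x-amz-decoded-content-length", "-1")):
        raise ValueError("X-Amz-Decoded-Content-Length mismatch")
    # The checksum value is the base64 of the big-endian CRC32 of the decoded payload
    expected = base64.b64encode(zlib.crc32(payload).to_bytes(4, "big")).decode()
    if trailers.get("x-amz-checksum-crc32") != expected:
        raise ValueError("CRC32 trailer mismatch")
    return bytes(payload), anonymous

# Constructed sample: a 3-byte body sent with the headers listed in the post.
SAMPLE_HEADERS = {"Transfer-Encoding": "chunked", "Content-Encoding": "aws-chunked",
                  "X-Amz-Decoded-Content-Length": "3",
                  "X-Amz-Content-SHA256": "STREAMING-UNSIGNED-PAYLOAD-TRAILER"}
_crc = base64.b64encode(zlib.crc32(b"abc").to_bytes(4, "big"))
SAMPLE_BODY = b"3\r\nabc\r\n0\r\nx-amz-checksum-crc32:" + _crc + b"\r\n\r\n"
```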