S3 GetObject ChecksumMode always ENABLED

[iheffernan]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

Somewhere between versions 3.552.0 and 3.779.0 the ChecksumMode setting on S3 GetObjectCommand started to be ignored. There are 2 major problems this is causing for me:

1. As referenced in Issue Enabling ChecksumMode when calling getObject increases the response time #6497, this can result in significantly longer response times on GetObject calls
2. This can break PresignedGet URLs if signed without ChecksumMode enabled and the request headers don't include x-amz-checksum-mode

Regression Issue

• Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/client-s3@3.779.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v22.14.0

Reproduction Steps

const s3Client = new S3Client();
const bucket = 'my-bucket';
const key = 'test-key.txt';

const put = new PutObjectCommand({
    Bucket: bucket,
    Key: key,
    Body: 'My test object body',
    ContentType: 'text/plain',
    ChecksumAlgorithm: 'SHA256'
});
await s3Client.send(put);

// get request with ChecksumMode undefined
const get = new GetObjectCommand({
    Bucket: bucket,
    Key: key
});

const result = await s3Client.send(get);
console.log(result.ChecksumSHA256); // this _should_ be undefined because ChecksumMode was not Enabled on the Get command

const presignedUrl = await getSignedUrl(s3Client, get, { unhoistableHeaders: new Set(['x-amz-checksum-mode']) });
// this returns a 403 because the GET result has a checksum, but we have no headers
const forbidden = await fetch(presignedUrl, { method: "GET" });
console.log(forbidden.status);
// this works, because I added the header, which wasn't necessary before
const success = await fetch(presignedUrl, { method: "GET", headers: {'x-amz-checksum-mode': 'ENABLED'} });
console.log(success.status);

Observed Behavior

In early versions (<= 3.552.0) , the above code would set the SHA256 checksum on the PUT, but without ChecksumMode explicitly ENABLED on the GET, the checksum would not be returned.

As of 3.779.0, the GET result always includes the ChecksumSHA256, whether ChecksumMode is Enabled or undefined.

As I mentioned in the issue description, this causes breaking behavior for presigned GET URLs and potential performance issues for standard S3 Get requests.

Expected Behavior

If I don't explicitly enable ChecksumMode, I shouldn't get a Checksum* back, regardless of whether it was included when the object was written. Particularly in the case of presigned Get URLs, which is breaking behavior.

Possible Solution

Don't include any checksums unless ChecksumMode = ENABLED

Additional Information/Context

No response

[aBurmeseDev]

Hi @iheffernan - thanks for reaching out.

Your findings are accurate and it's because starting v3.729.0, we released changes to the S3 client that adopts new default integrity protections, see announcement.

Although disabling this new default integrity protections by S3 is not recommended, it can be done by setting value WHEN_REQUIRED for:

• put calls:
  client config: requestChecksumCalculation
  shared ini: request_checksum_calculation
  environment variable: AWS_REQUEST_CHECKSUM_CALCULATION
• get calls:
  client config: responseChecksumValidation
  shared ini: response_checksum_validation
  environment variable: AWS_RESPONSE_CHECKSUM_VALIDATION

Hope that helps and let me know if you have any other questions!

[github-actions]

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.