General: The AWS V4 Signature implementation in AwsCredentials does not properly handle x-amz-content-sha256 header #1792
Description
Environment details
- OS type and version: macOS 15.6
- Java version: Corretto-21.0.7.6.1
- version(s): Latest commit on default branch: 1669dc8
Steps to reproduce
- Call AwsCredentials.retrieveSubjectToken() and inspect headers present in the resulting token.
- Note that the x-amz-content-sha256 header is missing
- Note that the official AWS Signature Version 4 docs has the following to say about the
x-amz-content-sha256header:
The x-amz-content-sha256 header is required for all AWS Signature Version 4 requests. It provides a hash of the request payload. However, you are not required to include the x-amz-content-sha256 as a canonical header because S3 will automatically use its value when calculating the payload hash sent in the request.
If there is no payload, you must provide the hash of an empty string.
If you do not want S3 to check against the hash of the request, you can use the literal string "UNSIGNED-PAYLOAD" instead.
Code example
diff --git a/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java b/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
index 7ba1d7d..cfeb038 100644
--- a/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
+++ b/oauth2_http/javatests/com/google/auth/oauth2/AwsCredentialsTest.java
@@ -304,6 +304,7 @@ public class AwsCredentialsTest extends BaseSerializationTest {
assertEquals("token", headers.get("x-amz-security-token"));
assertEquals(awsCredential.getAudience(), headers.get("x-goog-cloud-target-resource"));
assertTrue(headers.containsKey("x-amz-date"));
+ assertTrue(headers.containsKey("x-amz-content-sha256"));
assertNotNull(headers.get("Authorization"));
List<MockLowLevelHttpRequest> requests = transportFactory.transport.getRequests();
External references such as API reference guides
https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
Any additional information below
I am aware that Amazon is pretty slow moving when it comes to starting to fail requests with malformed signatures, but it is worth noting that the Aws4Signer that was missing the x-amz-content-sha256 header is now deprecated, and it's replacement the AwsV4HttpSigner has no ability to generate signatures without the mentioned header. My understanding of your federated identity implementation is that for the mechanism to work, Amazon STS needs to accept your signature.
A first step towards addressing this might be to update the GCP STS service to accept the subjectToken parameters containing x-amz-content-sha256. Currently it fails with a 400 error and the confusing message {"error":"invalid_grant","error_description":"The given AWS request doesn't contain all the required headers."}.