Yaak Logo
Yaak
Feedback/AWS v4 Signature with Ceph broken

AWS v4 Signature with Ceph broken

Ro Zp·2 days ago
Needs TriageBug

Hey!

I can not get Yaak AWS Signature generating working with Ceph’s S3 endpoint.

You can reproduce the issue by using this Ceph single-container testing Image from Hetzner: https://github.com/hetznercloud/ceph-s3-box

This curl command is working just fine (credentials are from local env, don’t have to be redacted)

curl -v -X POST "http://localhost:25251/" \
          --aws-sigv4 "aws:amz:default:iam" \
          --user "KJB91F2CPBJWO8RC79UA:WdYZ1VLfZt8SsE9i3HPlLu2oxvSMJjOsBPZvrJQK" \
          -H "Content-Type: application/x-www-form-urlencoded" \
          -d "Action=ListAttachedUserPolicies" \
          -d "UserName=s3user-123456" \
          -d "Version=2010-05-08"

< HTTP/1.1 200 OK
< x-amz-request-id: tx000002526f9eaaf27e6b0-006a1848f4-4141-default
< Content-Type: application/xml
< Server: Ceph Object Gateway (squid)

Mirroring the same in Yaak produces

<?xml version="1.0" encoding="UTF-8"?>
<ErrorResponse
  xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <Error>
    <Code>SignatureDoesNotMatch</Code>
    <Message></Message>
    <RequestId>tx00000181bd4a4b5dc4113-006a184a46-4141-default</RequestId>
    <HostId>4141-default-default</HostId>
  </Error>
</ErrorResponse>

With the following request:

image
image

Timeline:

> POST /
> accept: */*
> content-type: application/x-www-form-urlencoded
> host: localhost:25251
> x-amz-date: 20260528T141012Z
> authorization: AWS4-HMAC-SHA256 Credential=KJB91F2CPBJWO8RC79UA/20260528/default/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=e259a64a7341269ffb94cdb09fec7da209d753b3b5cc54fd9a52a3bfedefb3e3
* Sending request to server
* DNS resolved localhost to ::1, 127.0.0.1 (0ms)
< HTTP/1.1 403 Forbidden
< content-length: 294
< x-amz-request-id: tx000009b493a18dbe8010d-006a184cc4-4141-default
< accept-ranges: bytes
< content-type: application/xml
< server: Ceph Object Gateway (squid)
< date: Thu, 28 May 2026 14:10:12 GMT
< connection: Keep-Alive

Thanks for you work on Yaak, everything else works like a charm!

Edit: Another possible enhancement would be including curl’s AWS signing when right clicking the request and selection “Copy as CURL”. This currently produces:

curl -X POST 'http://localhost:25251' \
  --header 'User-Agent: yaak' \
  --header 'Accept: */*' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data 'Action=ListAttachedUserPolicies' \
  --data 'UserName=s3user-123456' \
  --data 'Version=2010-05-08'
macOS2026.4.0

Comments (0)

Sign in to leave a comment.

Type to search feedback...