Signature ignored? #281

Closed
sprat opened this issue Aug 7, 2023 · 5 comments


sprat commented Aug 7, 2023

I am trying to use MinIO warp to benchmark the Google Cloud Storage which only supports V4 signatures.

I've found the hidden --signature option of the CLI by looking at the code: by default, V4 signatures should be used. But it seems that the Warp client totally ignores the signature option (and also the default value) and always uses a V2 signature in my scenario.

Here is the command I run:

/warp get --host storage.googleapis.com --region europe-north1 --access-key *REDACTED* --secret-key *REDACTED* --tls --bucket mybench-obench --analyze.v --warp-client 127.0.0.1 --debug --signature S3V4

And here is the debug log in the MinIO client's output:

warp: Accepting connection from server: bpAMkd0NvgpherO110tV
warp: Request: benchmark
warp: Executing get benchmark.
warp: Params: map[access-key:XXXXXXXXXXX analyze.v:true bucket:mybench-obench debug:true host:storage.googleapis.com region:europe-north1 secret-key:YYYYYYYYYYYYYYY signature:S3V2 tls:true] []
warp: Sending benchmark_started
warp: Request: start_stage
warp: Starting stage prepare in 999.739683ms
warp: Sending benchmark_status
warp: Request: stage_status
warp: Sending benchmark_status
warp: Request: stage_status
warp: Sending benchmark_status
---------START-HTTP---------
HEAD / HTTP/1.1
Host: mybench-obench.storage.googleapis.com
User-Agent: MinIO (linux; amd64) minio-go/v7.0.57 warp/0.7.5
Authorization: AWS **REDACTED**:**REDACTED**
Date: Mon, 07 Aug 2023 13:53:18 GMT

HTTP/1.1 403 Forbidden
Content-Length: 346
Cache-Control: private, max-age=0
Content-Type: application/xml; charset=UTF-8
Date: Mon, 07 Aug 2023 13:53:19 GMT
Expires: Mon, 07 Aug 2023 13:53:19 GMT
Server: UploadServer
X-Guploader-Uploadid: ADPycdtemWJflKD_3tqYxC7FcWxKMCXkpbCDkRtzSrzikWJlAAe4LsnEQWt5_cKzXRhHtD68sLNIu_O25EqS4f_W7huUtziXwC53
---------END-HTTP---------
warp: <ERROR> Access Denied.
warp: prepare done...
warp: Request: stage_status
warp: Sending benchmark_status
warp: Request: disconnect
warp: Received Disconnect
warp: Closing connection

We can see that the signature type is properly passed to the client, but the Authorization header shows that a V2 signature is used anyway.

I would have proposed a patch to fix this problem but I have not been able to figure out where the problem is: the code which uses the signature option seems ok to me.

Collaborator

klauspost commented Aug 7, 2023

@sprat Before continuing, I edited out your secret + access key from the dump above. Please ensure that you weren't using these credentials, and if you were, change them at once.

There is a Google-specific override in minio-go. To be honest I don't know the background of this and whether they have now implemented V4.
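Added example, not part of the original thread and not code from warp or minio-go: the two points raised so far (reading the signing scheme off the `Authorization` header, and masking credentials before a debug trace is posted) done in one pass over a trace dump. The function names and the sample trace are constructed for illustration; the key and signature values in it are placeholders.

```go
package main

import (
	"fmt"
	"regexp"
)

// authLine matches an Authorization header line inside an HTTP trace dump.
var authLine = regexp.MustCompile(`(?im)^(Authorization:[ \t]*)(\S+)[ \t]+(.*)$`)

// SigVersion maps the Authorization scheme token to the S3 signing scheme.
func SigVersion(scheme string) string {
	switch scheme {
	case "AWS": // V2 form: "AWS <access-key>:<signature>"
		return "S3V2"
	case "AWS4-HMAC-SHA256": // V4 form: "AWS4-HMAC-SHA256 Credential=..., Signature=..."
		return "S3V4"
	}
	return "unknown"
}

// Scan reports the signing scheme of each signed request in the trace and
// returns a copy with everything after the scheme token masked.
func Scan(trace string) (versions []string, redacted string) {
	redacted = authLine.ReplaceAllStringFunc(trace, func(line string) string {
		m := authLine.FindStringSubmatch(line)
		versions = append(versions, SigVersion(m[2]))
		return m[1] + m[2] + " **REDACTED**"
	})
	return versions, redacted
}

// sample is a constructed trace shaped like warp's --debug output; the key and
// signature values are placeholders, not real credentials.
const sample = `---------START-HTTP---------
HEAD / HTTP/1.1
Host: example-bucket.storage.googleapis.com
Authorization: AWS EXAMPLEKEY:ZXhhbXBsZXNpZw==
---------END-HTTP---------
---------START-HTTP---------
HEAD / HTTP/1.1
Host: example-bucket.s3.example.com
Authorization: AWS4-HMAC-SHA256 Credential=EXAMPLEKEY/20230807/europe-north1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=0123abcd
---------END-HTTP---------
`

func main() {
	versions, redacted := Scan(sample)
	fmt.Println("schemes seen:", versions)
	fmt.Print(redacted)
}
```
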

Author

sprat commented Aug 7, 2023

Oh right, I missed the credentials in the logs! It's not that serious because it's a test account but I've rotated the secret.

Nice catch, the problem may be due to the line you quoted. But it seems that Google now implemented the V4 signature and does not support V2 anymore. I'll double-check. Do you suggest I file a bug in the minio-go repository?

@klauspost
Collaborator

It seems like there is an issue for it: minio/minio-go#1800

A PR would be very welcome, especially if you are able to test it out.

Author

sprat commented Aug 7, 2023

Ok, I'll try to do that.

@klauspost
Collaborator

Closing this.
