http_request head on S3 pre-signed URL gets 403 error


#1

Ohai!

I’ve been reading
http://docs.opscode.com/chef/resources.html#remote-file, and
implemented something like this:

local = "some_local_file"
remote = “pre-signed_S3_url”

remote_file local do
source remote
action :nothing
end

http_request “HEAD #{remote}” do
message ""
url remote
action :head
if File.exists?(local)
headers “If-Modified-Since” => File.mtime(local).httpdate
end
notifies :create, “remote_file[local]”, :immediately
end

I get this response from chef-client:

FATAL: Net::HTTPServerException:
http_request[HEAD
https://mybucket.s3.amazonaws.com/develop/some.war?AWSAccessKeyId=AKIXXXXXXXXXXX&Expires=1543242415&Signature=8234962346239423949ygf89w]
(some::backend line 140) had an error: Net::HTTPServerException: 403
"Forbidden"

I supposed this an Chef issue, because all it’s fine when I run:

wget -S https://mybucket.s3.amazonaws.com/develop/some.war?AWSAccessKeyId=AKIXXXXXXXXXXX&Expires=1543242415&Signature=8234962346239423949ygf89w

Chef’s versions on servers are 10.26.0 (soon, migration to chef11)

Thanks!


#2

On Wednesday, June 19, 2013 at 11:49 AM, Jorge Bianquetti wrote:

Ohai!

I’ve been reading
http://docs.opscode.com/chef/resources.html#remote-file, and
implemented something like this:

local = "some_local_file"
remote = “pre-signed_S3_url”

remote_file local do
source remote
action :nothing
end

http_request “HEAD #{remote}” do
message ""
url remote
action :head
if File.exists?(local)
headers “If-Modified-Since” => File.mtime(local).httpdate
end
notifies :create, “remote_file[local]”, :immediately
end

I get this response from chef-client:

FATAL: Net::HTTPServerException:
http_request[HEAD
https://mybucket.s3.amazonaws.com/develop/some.war?AWSAccessKeyId=AKIXXXXXXXXXXX&Expires=1543242415&Signature=8234962346239423949ygf89w]
(some::backend line 140) had an error: Net::HTTPServerException: 403
"Forbidden"

I supposed this an Chef issue, because all it’s fine when I run:

wget -S https://mybucket.s3.amazonaws.com/develop/some.war?AWSAccessKeyId=AKIXXXXXXXXXXX&Expires=1543242415&Signature=8234962346239423949ygf89w

Chef’s versions on servers are 10.26.0 (soon, migration to chef11)

Thanks!
Not sure what your current issue is, but Chef 11.6 will be adding automatic conditional GET for remote_file resources. I hope you can give the beta a spin when released (hopefully soon, we’ll announce it here).


Daniel DeLeo


#3

The only thing I can think of is that http_request uses Chef::REST
internally and so Accept is only application/json. If your S3 bucket is
rejecting requests like that, it could be the problem.

http://tickets.opscode.com/browse/CHEF-4202

I have used http_request to HEAD objects from more lenient servers though,
so it does work.

  • Julian

On Wed, Jun 19, 2013 at 1:49 PM, Jorge Bianquetti jbianquetti@gmail.comwrote:

Ohai!

I’ve been reading
http://docs.opscode.com/chef/resources.html#remote-file, and
implemented something like this:

local = "some_local_file"
remote = “pre-signed_S3_url”

remote_file local do
source remote
action :nothing
end

http_request “HEAD #{remote}” do
message ""
url remote
action :head
if File.exists?(local)
headers “If-Modified-Since” => File.mtime(local).httpdate
end
notifies :create, “remote_file[local]”, :immediately
end

I get this response from chef-client:

FATAL: Net::HTTPServerException:
http_request[HEAD

https://mybucket.s3.amazonaws.com/develop/some.war?AWSAccessKeyId=AKIXXXXXXXXXXX&Expires=1543242415&Signature=8234962346239423949ygf89w
]
(some::backend line 140) had an error: Net::HTTPServerException: 403
"Forbidden"

I supposed this an Chef issue, because all it’s fine when I run:

wget -S
https://mybucket.s3.amazonaws.com/develop/some.war?AWSAccessKeyId=AKIXXXXXXXXXXX&Expires=1543242415&Signature=8234962346239423949ygf89w

Chef’s versions on servers are 10.26.0 (soon, migration to chef11)

Thanks!


[ Julian C. Dunn jdunn@aquezada.com * Sorry, I’m ]
[ WWW: http://www.aquezada.com/staff/julian * only Web 1.0 ]
[ gopher://sdf.org/1/users/keymaker/ * compliant! ]
[ PGP: 91B3 7A9D 683C 7C16 715F 442C 6065 D533 FDC2 05B9 ]