Skip to content

Fix GCS presigned URL signature for multipart part uploads#218

Merged
matthiasL-scality merged 2 commits into
mainfrom
fix/gcs-presign-colon-encoding
Jul 17, 2026
Merged

Fix GCS presigned URL signature for multipart part uploads#218
matthiasL-scality merged 2 commits into
mainfrom
fix/gcs-presign-colon-encoding

Conversation

@matthiasL-scality

Copy link
Copy Markdown
Contributor

Summary

  • GCS has two deviations from standard AWS S3 V2 signing for presigned URLs that caused SignatureDoesNotMatch (403) on every part upload:
    1. : in the object key is normalised to %3A in the canonical resource
    2. ?partNumber=N&uploadId=X is not included in the canonical resource for presigned part PUTs (unlike the AWS S3 V2 spec)
  • Both fixes applied to PRESIGN_PART; the : fix also applied to PRESIGN_PUT for consistency
  • Fix validated directly against GCS by generating presigned part URLs and PUTting real 5 MB parts before opening this PR

Root cause

The existing CI runs against zenko/cloudserver which does not normalise : or exclude subresources, so the bug was not caught there. Two new tests verify the presigned URL path encodes : as %3A, catching this class of bug in future CI runs.

Test plan

  • CI passes (test.yml — cloudserver)
  • Re-run test-upload workflow in scality/action-artifacts against production after merging and deploying

@matthiasL-scality
matthiasL-scality requested a review from a team as a code owner July 17, 2026 09:59
GCS has two deviations from standard AWS S3 V2 signing for presigned URLs:
1. ':' in the object key is normalised to '%3A' in the canonical resource
2. ?partNumber=N&uploadId=X is NOT included in the canonical resource
   for presigned part PUTs (unlike the AWS S3 V2 spec)

Both mismatches caused SignatureDoesNotMatch (403) on every part upload,
making all multipart uploads fail. Validated directly against GCS before
this fix by generating presigned part URLs and PUTting 5 MB parts.

Also applies the ':' fix to PRESIGN_PUT for consistency.

Add two e2e tests that check the presigned URL path contains '%3A'
instead of raw ':', catching this class of bug in CI against cloudserver.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@matthiasL-scality
matthiasL-scality force-pushed the fix/gcs-presign-colon-encoding branch from 56ea6e3 to 57b1d01 Compare July 17, 2026 10:02
@claude

claude Bot commented Jul 17, 2026

Copy link
Copy Markdown

LGTM

Review by Claude Code

GCS does not include ?partNumber=N&uploadId=X in the canonical resource
when verifying presigned part PUT signatures (unlike standard AWS S3 V2).
cloudserver and other AWS-compatible backends do include them.

Detect GCS from ENDPOINT_URL and omit subresources only for GCS,
keeping the standard behaviour for all other backends.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@claude

claude Bot commented Jul 17, 2026

Copy link
Copy Markdown

LGTM

Review by Claude Code

@matthiasL-scality
matthiasL-scality merged commit 70be18d into main Jul 17, 2026
5 checks passed
@matthiasL-scality
matthiasL-scality deleted the fix/gcs-presign-colon-encoding branch July 17, 2026 11:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant