fix(aws_s3 sink): restrict checksum calculation to fix R2 InvalidRequest#25803
fix(aws_s3 sink): restrict checksum calculation to fix R2 InvalidRequest#25803Socialpranker wants to merge 1 commit into
Conversation
The AWS SDK for Rust defaults to always adding an x-amz-checksum-* request checksum and validating response checksums (aws-sdk-rust#1240). Vector's S3 sink already sends its own explicit Content-MD5 header on every PutObject request, so this SDK-added checksum is redundant against AWS S3, and Cloudflare R2 rejects the combination outright with: InvalidRequest: You can only specify one non-default checksum at a time. Set request_checksum_calculation and response_checksum_validation to WhenRequired in S3ClientBuilder (shared by the aws_s3 sink and source), matching AWS's own guidance for S3-compatible endpoints. Verified with a unit test asserting the built client's config carries WhenRequired for both settings, plus cargo check/clippy/fmt and the existing aws_s3 sink/source unit test suite. Not verified against a live R2 endpoint since no R2 credentials were available; the fix follows the exact mechanism AWS documented for this incompatibility class. Generated with Claude Opus 4.8. Fixes vectordotdev#23029 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Thank you for your contribution! Before we can merge this PR, please sign our Contributor License Agreement. To sign, copy and post the phrase below as a new comment on this PR.
I have read the CLA Document and I hereby sign the CLA You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8f20194306
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| // See https://github.com/vectordotdev/vector/issues/23029 and | ||
| // https://github.com/awslabs/aws-sdk-rust/issues/1240. | ||
| .request_checksum_calculation(RequestChecksumCalculation::WhenRequired) | ||
| .response_checksum_validation(ResponseChecksumValidation::WhenRequired); |
There was a problem hiding this comment.
Keep S3 response validation enabled for AWS downloads
When the aws_s3 source reads from real AWS S3, its get_object() call does not set checksum_mode(Enabled) (src/sources/aws_s3/sqs.rs:677-680). Setting ResponseChecksumValidation::WhenRequired here tells the SDK to validate only when the caller explicitly enables checksums, so source downloads lose the SDK's default response checksum validation and can accept a corrupted object body that would previously fail while being read. The R2 failure is caused by the extra request checksum on PutObject, so response validation should be left at the default or disabled only for the compatible-endpoint case.
Useful? React with 👍 / 👎.
The S3 sink always attaches its own
Content-MD5header to everyPutObjectrequest. The AWS SDK for Rust separately defaults to calculating and attaching anx-amz-checksum-*request checksum on every request too, a behavior change described in awslabs/aws-sdk-rust#1240. Standard AWS S3 tolerates both headers at once, but Cloudflare R2 rejects the combination withInvalidRequest: You can only specify one non-default checksum at a time, which matches the debug output in this issue exactly (content-md5,x-amz-checksum-crc32, andx-amz-sdk-checksum-algorithmall present on the same request).This sets
request_checksum_calculationandresponse_checksum_validationtoWhenRequiredon theS3ClientBuilderused by both theaws_s3sink and source, so the SDK stops adding its own checksum on top of Vector's existingContent-MD5. This is the exact setting AWS recommends for compatibility with S3-compatible providers, so AWS S3 behavior is unaffected while R2 (and similar services) should stop seeing the conflicting headers.I verified this with a unit test that builds a client through
S3ClientBuilderand asserts the resulting config carriesWhenRequiredfor both settings, pluscargo check,cargo clippy, andcargo fmton the touched crate, and the existingaws_s3sink/source unit test suite (all passing). I don't have a Cloudflare R2 account, so I could not run this against a live R2 endpoint. Given the fix only removes headers the SDK adds unconditionally, and standard AWS S3 already supportsWhenRequired, I'm fairly confident in the change, but a real R2 smoke test from someone who hits this issue would be a good confirmation before merge.Fixes #23029
This PR was generated with Claude Opus 4.8, based on my own review of the issue thread and the S3 client construction code.