Skip to content

fix(aws_s3 sink): restrict checksum calculation to fix R2 InvalidRequest#25803

Open
Socialpranker wants to merge 1 commit into
vectordotdev:masterfrom
Socialpranker:fix/23029-s3-r2-invalidrequest
Open

fix(aws_s3 sink): restrict checksum calculation to fix R2 InvalidRequest#25803
Socialpranker wants to merge 1 commit into
vectordotdev:masterfrom
Socialpranker:fix/23029-s3-r2-invalidrequest

Conversation

@Socialpranker

Copy link
Copy Markdown

The S3 sink always attaches its own Content-MD5 header to every PutObject request. The AWS SDK for Rust separately defaults to calculating and attaching an x-amz-checksum-* request checksum on every request too, a behavior change described in awslabs/aws-sdk-rust#1240. Standard AWS S3 tolerates both headers at once, but Cloudflare R2 rejects the combination with InvalidRequest: You can only specify one non-default checksum at a time, which matches the debug output in this issue exactly (content-md5, x-amz-checksum-crc32, and x-amz-sdk-checksum-algorithm all present on the same request).

This sets request_checksum_calculation and response_checksum_validation to WhenRequired on the S3ClientBuilder used by both the aws_s3 sink and source, so the SDK stops adding its own checksum on top of Vector's existing Content-MD5. This is the exact setting AWS recommends for compatibility with S3-compatible providers, so AWS S3 behavior is unaffected while R2 (and similar services) should stop seeing the conflicting headers.

I verified this with a unit test that builds a client through S3ClientBuilder and asserts the resulting config carries WhenRequired for both settings, plus cargo check, cargo clippy, and cargo fmt on the touched crate, and the existing aws_s3 sink/source unit test suite (all passing). I don't have a Cloudflare R2 account, so I could not run this against a live R2 endpoint. Given the fix only removes headers the SDK adds unconditionally, and standard AWS S3 already supports WhenRequired, I'm fairly confident in the change, but a real R2 smoke test from someone who hits this issue would be a good confirmation before merge.

Fixes #23029

This PR was generated with Claude Opus 4.8, based on my own review of the issue thread and the S3 client construction code.

The AWS SDK for Rust defaults to always adding an x-amz-checksum-* request
checksum and validating response checksums (aws-sdk-rust#1240). Vector's S3
sink already sends its own explicit Content-MD5 header on every PutObject
request, so this SDK-added checksum is redundant against AWS S3, and
Cloudflare R2 rejects the combination outright with:

  InvalidRequest: You can only specify one non-default checksum at a time.

Set request_checksum_calculation and response_checksum_validation to
WhenRequired in S3ClientBuilder (shared by the aws_s3 sink and source),
matching AWS's own guidance for S3-compatible endpoints.

Verified with a unit test asserting the built client's config carries
WhenRequired for both settings, plus cargo check/clippy/fmt and the existing
aws_s3 sink/source unit test suite. Not verified against a live R2 endpoint
since no R2 credentials were available; the fix follows the exact mechanism
AWS documented for this incompatibility class.

Generated with Claude Opus 4.8.

Fixes vectordotdev#23029

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@Socialpranker Socialpranker requested a review from a team as a code owner July 11, 2026 05:55
@github-actions

Copy link
Copy Markdown
Contributor

Thank you for your contribution! Before we can merge this PR, please sign our Contributor License Agreement.

To sign, copy and post the phrase below as a new comment on this PR.

Note: If the bot says your username was not found, the email used in your git commit may not be linked to your GitHub account. Fix this at github.com/settings/emails, then comment recheck to retry.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request. Posted by the CLA Assistant Lite bot.

@datadog-vectordotdev

Copy link
Copy Markdown

Pipelines

⚠️ Warnings

🚦 1 Pipeline job failed

CLA Assistant | CLAAssistant   View in Datadog   GitHub Actions

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: 8f20194 | Docs | Give us feedback!

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8f20194306

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/common/s3.rs
// See https://github.com/vectordotdev/vector/issues/23029 and
// https://github.com/awslabs/aws-sdk-rust/issues/1240.
.request_checksum_calculation(RequestChecksumCalculation::WhenRequired)
.response_checksum_validation(ResponseChecksumValidation::WhenRequired);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep S3 response validation enabled for AWS downloads

When the aws_s3 source reads from real AWS S3, its get_object() call does not set checksum_mode(Enabled) (src/sources/aws_s3/sqs.rs:677-680). Setting ResponseChecksumValidation::WhenRequired here tells the SDK to validate only when the caller explicitly enables checksums, so source downloads lose the SDK's default response checksum validation and can accept a corrupted object body that would previously fail while being read. The R2 failure is caused by the extra request checksum on PutObject, so response validation should be left at the default or disabled only for the compatible-endpoint case.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

InvalidRequest error when using S3 sink to CloudFlare R2

1 participant