S3:GetBucketLocation throws AuthorizationHeaderMalformed when using cross-account roles #1835

Closed
david-dreyer opened this issue Apr 19, 2021 · 5 comments
Labels
bug This issue is a bug. closed-for-staleness response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. s3


@david-dreyer

Description

We have an application that assumes a role in other AWS accounts, and performs actions on those accounts such as getting information about buckets in S3.

When calling GetBucketLocationAsync, if the bucket is in a different region than the client, the client will throw an exception:

AuthorizationHeaderMalformed: The authorization header is malformed; the region 'us-east-1' is wrong; expecting 'us-west-2' status code: 400

Where in the above, 'us-east-1' is the region the client is for, and 'us-west-2' is the region of the bucket. It is unclear as to whether this always happens, or happens periodically. We saw it happen in the past, and then it seemed to have stopped, and then started happening again last week.

This also seems to have been an issue with the Go SDK in the past, as seen here:
aws/aws-sdk-go#380

The same exact workaround, setting ForcePathStyle = true on the client, makes this exception go away. However, I'm not sure if there are any possibly unintended side effects of doing that, and also it doesn't seem like that should be required in the first place.

Reproduction Steps

  1. Make a role in Account A that gives access to s3:GetBucketLocation, and allow that role to be assumed by Account B
  2. Running a C# application in Account B, assume that role, and create an IAmazonS3 client using those credentials
  3. Perform the GetBucketLocationAsync call on the client, directed at a bucket in Account A
  4. See exception that occurs.
  5. Make another IAmazonS3 client with those credentials, also specifying ForcePathStyle = true
  6. Perform the same GetBucketLocationAsync call on the client, directed at a bucket in Account A
  7. See that no exception occurs.

Environment

We are currently on a slightly outdated version of the SDK, but it doesn't appear that anything has changed that would have fixed this. I very well could be wrong with that statement, though, so please correct me if it has been.

  • SDK Version: AWSSDK.Core 3.5.1.35
  • Package Version: AWSSDK.S3 3.5.4
  • OS Info: AmazonLinux
  • Build Environment: dotnet command line inside AmazonLinux as part of Dockerfile
  • Targeted .NET Platform: Linux x64

This is a 🐛 bug-report
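
To illustrate the region mismatch in the error quoted above (an added example, not part of the original post or the SDK's own code): the region the error calls wrong is the one in the request's SigV4 credential scope, and the signing key is derived from that region, so a request signed for one region does not validate in another. The access key, secret, date and header are constructed placeholders, and the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;

static class SigV4RegionCheck
{
    // Pulls (signed region, expected region) out of the S3 error text quoted in this issue.
    public static (string Signed, string Expected)? ParseError(string message)
    {
        var m = Regex.Match(message, @"the region '([^']+)' is wrong; expecting '([^']+)'");
        if (!m.Success) return null;
        return (m.Groups[1].Value, m.Groups[2].Value);
    }

    // Region field of the credential scope: Credential=<key>/<date>/<region>/<service>/aws4_request
    public static string RegionFromAuthorization(string header)
    {
        var m = Regex.Match(header, @"Credential=[^/]+/\d{8}/([^/]+)/[^/]+/aws4_request");
        return m.Success ? m.Groups[1].Value : null;
    }

    static byte[] Hmac(byte[] key, string data)
    {
        using var h = new HMACSHA256(key);
        return h.ComputeHash(Encoding.UTF8.GetBytes(data));
    }

    // SigV4 signing key: HMAC chain over date, region, service and the literal "aws4_request".
    public static byte[] SigningKey(string secret, string date, string region, string service)
    {
        var k = Hmac(Encoding.UTF8.GetBytes("AWS4" + secret), date);
        k = Hmac(k, region);
        k = Hmac(k, service);
        return Hmac(k, "aws4_request");
    }

    static void Main()
    {
        // Constructed sample values; the key pair is a made-up placeholder, not a real credential.
        const string secret = "EXAMPLE-SECRET-KEY-NOT-REAL", date = "20210419";
        const string header = "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20210419/us-east-1/s3/aws4_request, " +
                              "SignedHeaders=host;x-amz-date, Signature=0000";
        const string error = "AuthorizationHeaderMalformed: The authorization header is malformed; " +
                             "the region 'us-east-1' is wrong; expecting 'us-west-2' status code: 400";

        var regions = ParseError(error).Value;
        Console.WriteLine($"header scope region : {RegionFromAuthorization(header)}");
        Console.WriteLine($"error says signed   : {regions.Signed}, expected: {regions.Expected}");

        var signedKey = BitConverter.ToString(SigningKey(secret, date, regions.Signed, "s3"));
        var expectedKey = BitConverter.ToString(SigningKey(secret, date, regions.Expected, "s3"));
        Console.WriteLine($"same signing key    : {signedKey == expectedKey}");
    }
}
```

Running `RegionFromAuthorization` over an Authorization header captured from request logging shows which region a failing call was actually signed for.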

@david-dreyer david-dreyer added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Apr 19, 2021
@david-dreyer
Author

Further information -- it definitely appears to be a periodic issue, as it isn't happening right now, but was happening Friday afternoon. Same exact code in our application.

@ashishdhingra
Contributor

Hi @Dreyerized,

Good afternoon.

Would it be possible for you to share a sample code to reproduce the issue? Also confirm if this is still an issue.

Thanks,
Ashish

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Apr 20, 2021
@github-actions

github-actions bot commented May 5, 2021

This issue has not received a response in 2 weeks. If you want to keep this issue open, please just leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label May 5, 2021
@github-actions github-actions bot added closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels May 12, 2021
@NJ261

NJ261 commented Feb 25, 2022

I am having the same issue. The task is to filter the buckets based on selected region (from user). It works fine for the default region: us-east-1 but when I change the region, I get the error: The authorization header is malformed; the region 'us-east-1' is wrong; expecting 'eu-north-1'. This is the sample code.

var client = new AmazonS3Client(accessKey, secretKey, RegionEndpoint.GetBySystemName(selectedRegion));
var buckets = client.ListBuckets().Buckets;

buckets.ForEach(item => {
    var location = GetBucketLocation(client, item.BucketName);
    ...
    if (location == selectedRegion)
    {
        result.Add(item);
    }
    ...
});

private string GetBucketLocation(IAmazonS3 client, string bucketName) 
{
    GetBucketLocationRequest request = new GetBucketLocationRequest { BucketName = bucketName };
    GetBucketLocationResponse response = client.GetBucketLocation(request);
    return response.Location;
}

Environment
SDK Version: AWSSDK.Core 3.7.6
Package Version: AWSSDK.S3 3.7.7.14
OS Info: Windows 2019 Server

@d79ima

d79ima commented Oct 31, 2023

Seeing exactly the same issue as @NJ261 and @david-dreyer mentioned above, using the code snippet that @NJ261 provided.
Works fine for the default region of us-east-1 and actually works fine for some other region, but only the very first time I call GetBucketLocation for the run of the application. If I call it on subsequent times with a mismatching region, then it will fail as mentioned above.
