SignatureV4 not setting "x-amz-content-sha256" header for OpenSearch Serverless requests

[juniortads]

Describe the bug

When using the AWS SDK for PHP's SignatureV4 class with OpenSearch Serverless (AOSS), the x-amz-content-sha256 header is not automatically added to requests. This results in 403 Forbidden errors when making requests to AOSS endpoints, as this header is required by the service for proper authentication, even for requests without a body (like HEAD requests).

The issue appears to be in the SignatureV4 class logic, where the header is only added when the unsigned-body option is explicitly set to true, despite the request using HTTPS.

Regression Issue

• Select this option if this issue appears to be a regression.

Expected Behavior

The SignatureV4 class should automatically add the x-amz-content-sha256 header with the value UNSIGNED-PAYLOAD for requests to OpenSearch Serverless endpoints, especially for requests without a body (like HEAD requests).

Alternatively, the SDK should clearly document that the unsigned-body option must be set to true for services like OpenSearch Serverless that require this header.

Current Behavior

When making requests to OpenSearch Serverless endpoints, the x-amz-content-sha256 header is not included in the request by default, resulting in 403 Forbidden errors. This happens because the $this->unsigned property in the SignatureV4 class is false by default, and the condition to set the header is not met.

Reproduction Steps

1. Create a PHP script with the following code:

use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Request;
use Aws\Credentials\CredentialProvider;
use Aws\Signature\SignatureV4;

// Set up credentials and client
$provider = CredentialProvider::defaultProvider();
$credentials = $provider()->wait();
$httpClient = new Client();

// Set up request to OpenSearch Serverless
$region = 'us-east-1';
$endpoint = 'https://your-collection-endpoint.aoss.amazonaws.com';
$indexName = 'your-index';

// Create and sign the request
$checkRequest = new Request('HEAD', $endpoint . '/' . $indexName);
$signer = new SignatureV4('aoss', $region);
$signedCheckRequest = $signer->signRequest($checkRequest, $credentials);

// Send the request
$checkResponse = $httpClient->send($signedCheckRequest);

2. Run the script
3. Observe the 403 Forbidden error

Possible Solution

1. Explicitly set the unsigned-body option to true:

$signer = new SignatureV4('aoss', $region, ['unsigned-body' => true]);

This forces the SignatureV4 class to use UNSIGNED-PAYLOAD as the payload value and add the x-amz-content-sha256 header.

2. Manually add the header before signing the request:

$checkRequest = $checkRequest->withHeader('X-Amz-Content-Sha256', 'UNSIGNED-PAYLOAD');
$signer = new SignatureV4('aoss', $region);
$signedCheckRequest = $signer->signRequest($checkRequest, $credentials);

This explicitly adds the required header with the correct value before the request is signed.

Either of these approaches will resolve the 403 Forbidden error when working with OpenSearch Serverless endpoints.

Additional Information/Context

Questions

1. Is this the expected behavior of the SignatureV4 class, or is it a bug?
2. Should the unsigned-body option be set to true by default for certain services like OpenSearch Serverless?
3. Would it make sense to have a list of services that require the x-amz-content-sha256 header and automatically set it for those services?
4. Is there a more elegant approach to handle this issue than the workarounds I've identified?

SDK version used

PHP: 8.4.10

Environment details (Version of PHP (php -v)? OS name and version, etc.)

AWS SDK for PHP: 3.349.2 | OpenSearch PHP Client: 2.4.3 | GuzzleHTTP: 7.9.3

[yenfryherrerafeliz]

Hi @juniortads, The SignatureV4 implementation works along with other components in our SDK client lifecycle, so that if a service operation requires to be an unsigned payload then it will do so. For example, by validating the signature version of the service, etc. Example here, where our base client implementations tries to resolve which one will be the type of signature to be used for the request. In this case, while you are using our SignatureV4 implementation to sign a request, which is valid and allowed, the request is being performed by a HTTP client, which is outside of the operations we control within the SDK. Also, SignatureV4 can be customized as you are doing right now, by passing the right options you will get the behavior you expect.

Here are the specific answers to your questions:

• Is this the expected behavior of the SignatureV4 class, or is it a bug?
  • It is not a bug.
• Should the unsigned-body option be set to true by default for certain services like OpenSearch Serverless?
  • SignatureV4 implementation is service agnostic, which it does not know which service it is, but instead, it receives some options to control which one is the desired behavior and output.
• Would it make sense to have a list of services that require the x-amz-content-sha256 header and automatically set it for those services?
  • We already do this, but within the SDK Client operations lifecycle. If a service operation requires to be UNSIGNED-PAYLOAD, we will use the SignatureV4 with this option enabled.
• Is there a more elegant approach to handle this issue than the workarounds I've identified?
  • Actually, if using the implementation independently then, it is the correct way to do it.

I hope this helps!

Thanks!

[juniortads]

Thank you for the quick response, but I still have a question about:

"We already do this, but within the SDK Client operations lifecycle. If a service operation requires to be UNSIGNED-PAYLOAD, we will use the SignatureV4 with this option enabled"

Is there a way to enable the service client so that it can always send this configuration? My question is whether there is any other simpler option where I can do this just once and not every time I create an instance of SignatureV4.

[yenfryherrerafeliz]

@juniortads, you can just create a custom implementation that extends ours and default the unsigned-body option to true.
Example:

<?php

use Aws\Signature\SignatureV4;

class MySignatureV4 extends SignatureV4
{
    public function __construct($service, $region, array $options = ['unsigned-body' => true])
    {
        parent::__construct($service, $region, $options);
    }
}

I hope this helps.

Thanks!

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.