Importing files from Amazon S3 buckets on VCF 8.x fails with error 403 forbidden on the vCenter content library.


Article ID: 391688


Products

VMware vCenter Server

Issue/Introduction

  • When importing files from Amazon S3 buckets on vCenter, a banner failure message is observed, and user intervention is needed to proceed by accepting the header message.
  • On vSphere 8.x the import fails after the header message, while on 7.x it works fine.

 

Environment

vSphere 8.0 u3 

Cause

  • When the AWS S3 bucket URL is used to import the image, cls.log may report a signature mismatch like the following:

2025-02-28T10:00:22.777Z | DEBUG    | 53e383dd-f797-929b-9671-29e9c43c8662-b9-5f | cls-simple-activity-5     | UpdateSessionServiceImpl       | failing update session 7d003ad2-9cfe-4a16-993f-07727a2bf221 with error message Error transferring file Teplate.ova from https://s3-bucketname.myorg.com:8443/path//images/Template.ova?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=c9d1e8f5a2b7g6h3i4j0%2F20241115%2Fus-west%2Fs3%2Faws4_request&X-Amz-Date=20250228T092134Z&X-Amz-Expires=36000&X-Amz-SignedHeaders=host&X-Amz-Signature=a7b2c8d3e9f4g1h5i6j0k9l8m7n6o5p4q3r2s1t0u9v8w7x6y5z4A3B2C1D0E9F8G7H6I5J4K3L2M1N0. Reason: Invalid response code: 403
2025-02-28T10:00:22.778Z | DEBUG    | 53e383dd-f797-929b-9671-29e9c43c8662-b9-5f | cls-simple-activity-5     | SimpleActivityExecutor         | submitting activity CompleteTaskActivity (priority=NORMAL, phase=phaseBegin()
2025-02-28T10:00:22.778Z | DEBUG    | 3ac89e61-a0cf-9568-9e1b-505544955955-ce-8a | cls-simple-activity-11    | UpdateSessionServiceImpl       | Update session cd264778-5f37-4ae8-b7ab-77dd78743cb7: File/TransferStatus/BytesTransferred = Template.ova/ERROR/0
2025-02-28T10:00:22.778Z | ERROR    | 3ac89e61-a0cf-9568-9e1b-505544955955-ce-8a | cls-simple-activity-11    | UpdateSessionServiceImpl       | file Template.ova part of update session cd264778-5f37-4ae8-b7ab-77dd78743cb7 (transfer session urn:transfer:89682f2c6b08aaa47dde497d437e8220) was not properly received from the source. Failing the update session. Source state: Transfer
EndpointState (com.vmware.transfer.transfer_endpoint_state) => {
    uri = https://s3-bucketname.myorg.com:8443/path//images/Template.ova?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=c9d1e8f5a2b7g6h3i4j0%2F20241115%2Fus-west%2Fs3%2Faws4_request&X-Amz-Date=20250228T092134Z&X-Amz-Expires=36000&X-Amz-SignedHeaders=host&X-Amz-Signature=a7b2c8d3e9f4g1h5i6j0k9l8m7n6o5p4q3r2s1t0u9v8w7x6y5z4A3B2C1D0E9F8G7H6I5J4K3L2M1N0,
    name = <null>,
    sizeInBytes = <null>,
    bytesTransferred = 0,
    storageUsed = <null>,
    status = ERROR,
    statusCode = 403,
    error = TransferError (com.vmware.transfer.transfer_error) => {
        message = Invalid response code: 403,
        kind = PROTOCOL,
        peerSslThumbprint = <null>,
        sslCertificate = <null>,
        actualChecksum = <null>,
        expectedChecksum = <null>,
        protocolMessage = <?xml version="1.0" encoding="UTF-8"?><Error><Code>SignatureDoesNotMatch</Code><Message>StorageFabric: Client provided signature does not match server calculated signature</Message><Resource></Resource><RequestId></RequestId><HostId>icpnwc201100</HostId></Error>
    },
    content = <null>,
    checksumAlgorithm = <null>,
    checksum = <null>,
    storagePolicyId = <null>
}.

  • The customer might have an S3 bucket with a pre-signed URL of the following form:

https://s3-bucketname.myorg.com:8443/path//images/Template.ova?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ae467cf03736a7904dd0%2F20250228%2Fna-west%2Fs3%2Faws4_request&X-Amz-Date=20250228T092134Z&X-Amz-Expires=36000&X-Amz-SignedHeaders=host&X-Amz-Signature=a7b2c8d3e9f4g1h5i6j0k9l8m7n6o5p4q3r2s1t0u9v8w7x6y5z4A3B2C1D0E9F8G7H6I5J4K3L2M1N0

  • In the above URL:
    • The highlight in blue represents the bucket name.
    • The highlight in light purple represents the subdirectory path to Template.ova.
    • The highlight in yellow represents the pre-signed signature.
  • It was observed that the path in the URL to the OVA had a subdirectory name with "/images", which induces two slashes in the URL. This causes the failure on vSphere 8.x, while it might not be observed on 7.x.

 

Kindly note: The signature value and URL mentioned here are arbitrary values used for the sake of this KB. The actual URL will vary depending on the customer's infrastructure, and the signature will be dynamic.

Resolution

  • This is expected behavior on vSphere 8.x.
  • The resolution is to rename the directory without the "/" before its name.
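
A pre-flight check for the condition described under Cause, as an added example that is not part of the original KB or any VMware tooling: it flags an empty path segment ("//") in a pre-signed URL and rules out plain expiry of the signature before the URL is handed to the content library. The function name, the sample URLs and their placeholder credential and signature values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs: host and path follow the KB, credential and signature are placeholders.
QUERY = ("X-Amz-Algorithm=AWS4-HMAC-SHA256"
         "&X-Amz-Credential=EXAMPLEKEY%2F20250228%2Fus-west%2Fs3%2Faws4_request"
         "&X-Amz-Date=20250228T092134Z&X-Amz-Expires=36000"
         "&X-Amz-SignedHeaders=host&X-Amz-Signature=EXAMPLESIGNATURE")
BAD_URL = "https://s3-bucketname.myorg.com:8443/path//images/Template.ova?" + QUERY
GOOD_URL = "https://s3-bucketname.myorg.com:8443/path/images/Template.ova?" + QUERY


def check_presigned_url(url, now=None):
    """Return a list of findings for a SigV4 pre-signed URL (empty list = nothing flagged)."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    findings = []

    # An empty segment between two slashes is the condition this KB ties to the 403 on 8.x.
    # The final element is skipped so that a trailing slash alone is not reported.
    segments = parts.path.split("/")[1:]
    if "" in segments[:-1]:
        findings.append("empty path segment ('//') in " + parts.path)

    # Without these parameters the URL is not a SigV4 pre-signed URL at all.
    if "X-Amz-Date" not in query or "X-Amz-Expires" not in query:
        findings.append("missing X-Amz-Date or X-Amz-Expires")
        return findings

    # Rule out an expired signature, which AWS S3 also answers with 403.
    signed_at = datetime.strptime(query["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    expires_at = signed_at + timedelta(seconds=int(query["X-Amz-Expires"][0]))
    if now >= expires_at:
        findings.append("signature expired at " + expires_at.isoformat())
    return findings


if __name__ == "__main__":
    for label, url in (("bad", BAD_URL), ("good", GOOD_URL)):
        print(label, check_presigned_url(url) or "nothing flagged")
```

A finding for the empty segment means the directory has to be renamed as described under Resolution and a new pre-signed URL generated for the corrected path.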