STS and PutBucketAsync with version AWSSDK.Core (4.0.0.21), AWSSDK.S3 (4.0.6.4), AWSSDK.SecurityToken (4.0.1.9) #3967
-
Hi, I am trying to create a bucket with STS credentials, but I am getting the following error: I have used AWSSDK.Core (4.0.0.21), AWSSDK.S3 (4.0.6.4), AWSSDK.SecurityToken (4.0.1.9). Please advise me on it. Thank you!
Replies: 5 comments 1 reply
-
Hi @ZakiShaikhOpen, can you provide more details about the operations that you used when facing this issue?
Also, can you turn on logging via
AWSConfigs.LoggingConfig.LogResponses = ResponseLoggingOption.Always;
AWSConfigs.LoggingConfig.LogMetrics = true;
AWSConfigs.LoggingConfig.LogTo = LoggingOptions.Console;
and provide the logs after removing the sensitive parts.
-
Hi Othman,
I am attaching the code which I am using and getting the error with.
I have changed the sensitive parts in it.
Thank you for your support.
On Tue, Aug 26, 2025 at 3:03 AM Muhammad Othman wrote:
Hi @ZakiShaikhOpen, can you provide more details about the operations that you used when facing this issue?
Also, can you turn on logging via
AWSConfigs.LoggingConfig.LogResponses = ResponseLoggingOption.Always;
AWSConfigs.LoggingConfig.LogMetrics = true;
AWSConfigs.LoggingConfig.LogTo = LoggingOptions.Console;
and provide the logs after removing the sensitive parts.
-
Hi Sanket,
Please find the code inline below.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Threading;
using System.Threading.Tasks;
using Amazon.S3;
using Amazon.S3.Model;

namespace STS_Copilot
{
    public class A
    {
        private readonly IAmazonS3 _s3;
        public A(IAmazonS3 s3) => _s3 = s3;

        public async Task<bool> CreateBucketWithSTSAsync(string bucketName,
            CancellationToken ct = default)
        {
            // Use the client region for the bucket's LocationConstraint
            // (handles the us-east-1 quirk)
            var req = new PutBucketRequest
            {
                BucketName = bucketName,
                UseClientRegion = true
            };
            var resp = await _s3.PutBucketAsync(req, ct);
            return resp.HttpStatusCode == HttpStatusCode.OK;
        }
    }
}
==============
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

namespace STS_Copilot
{
    public class B
    {
        private readonly IAmazonSecurityTokenService _sts;
        public B(IAmazonSecurityTokenService sts) => _sts = sts;

        public async Task<SessionAWSCredentials> AssumeS3RoleAsync(
            string roleArn,
            string roleSessionName,
            int durationSeconds = 900,
            CancellationToken ct = default)
        {
            var resp = await _sts.AssumeRoleAsync(new AssumeRoleRequest
            {
                RoleArn = roleArn,
                RoleSessionName = roleSessionName,
                DurationSeconds = durationSeconds
            }, ct);
            var c = resp.Credentials;
            // Wrap the temporary STS credentials so the S3 client can use them
            return new SessionAWSCredentials(c.AccessKeyId,
                c.SecretAccessKey, c.SessionToken);
        }
    }
}
=======================
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.S3;
using Amazon.SecurityToken;
using STS_Copilot;

Console.WriteLine("Hello, World!");

// Choose your regions
var stsRegion = RegionEndpoint.USEast1; // STS is global, any region works; pick one and be consistent
var s3Region = RegionEndpoint.USEast1;  // Bucket's desired region

// Base (long-lived) credentials used to assume the role
using var stsClient = new AmazonSecurityTokenServiceClient(
    "AKIA6B993434YVBT2MR",
    "whl9sidlJ/9991Mm1zMnTIqwaB2esKhvb/r3tHrG",
    stsRegion);

// Assume role and wrap in session credentials
var b = new B(stsClient);
var sessionCreds = await b.AssumeS3RoleAsync(
    "arn:aws:iam::9643434981156:role/storeC679A5F9-317D-48EC-8C28-89E5CD23EBE3",
    "tmp-session");

// Create S3 client in the SAME region you want the bucket
using var s3Client = new AmazonS3Client(sessionCreds, s3Region);

// Optional: sanitize/validate bucket name before creating
var bucketName = S3BucketNameHelper.SanitizeBucketName(" storeC679A5F9-317D-48EC-8C28-89E5CD23EBE3 ");
bucketName = "development-invofy-bucket/" + bucketName;

// Create bucket
var a = new A(s3Client);
var created = await a.CreateBucketWithSTSAsync(bucketName);
Console.WriteLine(created ? "Bucket created." : "Bucket not created.");
===========
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

namespace STS_Copilot
{
    public static class S3BucketNameHelper
    {
        private static readonly Regex ValidPattern =
            new(@"^[a-z0-9](?:[a-z0-9\-\.]{1,61})[a-z0-9]$",
                RegexOptions.Compiled);

        public static string SanitizeBucketName(string input)
        {
            if (string.IsNullOrWhiteSpace(input))
                throw new ArgumentException("Bucket name cannot be empty.");

            var name = input.ToLowerInvariant();
            // Replace invalid chars with hyphen
            name = Regex.Replace(name, @"[^a-z0-9\-\.]", "-");
            // Collapse runs of dots/hyphens
            name = Regex.Replace(name, @"[\.-]{2,}", "-");
            // Trim invalid start/end
            name = Regex.Replace(name, @"^[^a-z0-9]+", "");
            name = Regex.Replace(name, @"[^a-z0-9]+$", "");
            // Length constraints
            if (name.Length > 63) name = name.Substring(0, 63);
            if (name.Length < 3) name = name.PadRight(3, 'a');
            // Avoid IP address form
            if (Regex.IsMatch(name, @"^\d{1,3}(\.\d{1,3}){3}$"))
                name = "bucket-" + name.Replace(".", "-");

            if (!ValidPattern.IsMatch(name) || name.Contains("-.") ||
                name.Contains(".-"))
                throw new ArgumentException($"'{input}' cannot be sanitized to a valid S3 bucket name.");

            return name;
        }
    }
}
On Wed, Sep 3, 2025 at 2:11 AM Sanket T wrote:
Hi @ZakiShaikhOpen,
Can you add the code here? Could not find the code attached if you have already.
Thanks
-
Hi @ZakiShaikhOpen, thank you for the code. After investigating, the issue seems to be related to S3 bucket naming conventions in this line:
bucketName = "development-invofy-bucket/" + bucketName;
Potential Issues:
1. Forward slash character: S3 bucket names cannot contain forward slashes (/)
2. Bucket name length: The total bucket name length cannot exceed the 63-character limit
Recommended Solutions:
- Replace the forward slash with a hyphen: "development-invofy-bucket-" + bucketName
- Ensure the final bucket name is under 63 characters by reducing the prefix length if needed
These naming violations cause AWS to reject the bucket creation request during signature validation, resulting in the signature mismatch error you're experiencing.
Reference: AWS S3 Bucket Naming Rules - https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
Please try these changes and let us know if the issue persists.
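The answer above lists two of the bucket naming rules; the page it links carries the full set. The following is an added example, not code from this thread or from the AWS SDK: a fail-closed validator that checks a candidate name against those rules and reports every violation instead of silently rewriting the name, so a bad name is rejected locally before a signed request is ever sent. The three candidate names in Main are constructed from the thread's own bucket and folder strings; the class and method names are this example's own.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example (not from the thread or the SDK): validator for S3
// general-purpose bucket names, following the rules on the AWS page linked
// in the answer above.
public static class S3BucketNameValidator
{
    private static readonly Regex Ipv4Like =
        new(@"^\d{1,3}(\.\d{1,3}){3}$", RegexOptions.Compiled);

    // Returns an empty list for a valid name, otherwise one entry per rule broken.
    public static IReadOnlyList<string> Violations(string name)
    {
        var errors = new List<string>();
        if (string.IsNullOrEmpty(name))
        {
            errors.Add("name is empty");
            return errors;
        }
        if (name.Length < 3 || name.Length > 63)
            errors.Add($"length {name.Length} is outside the 3-63 character range");
        if (!Regex.IsMatch(name, @"^[a-z0-9.-]+$"))
            errors.Add("contains a character other than lowercase letters, digits, '.' and '-'");
        if (!Regex.IsMatch(name, @"^[a-z0-9]") || !Regex.IsMatch(name, @"[a-z0-9]$"))
            errors.Add("must begin and end with a letter or digit");
        if (name.Contains(".."))
            errors.Add("contains two adjacent periods");
        if (Ipv4Like.IsMatch(name))
            errors.Add("is formatted like an IP address");
        if (name.StartsWith("xn--", StringComparison.Ordinal))
            errors.Add("starts with the reserved prefix 'xn--'");
        if (name.StartsWith("sthree-", StringComparison.Ordinal))
            errors.Add("starts with the reserved prefix 'sthree-'");
        if (name.EndsWith("-s3alias", StringComparison.Ordinal))
            errors.Add("ends with the reserved suffix '-s3alias'");
        if (name.EndsWith("--ol-s3", StringComparison.Ordinal))
            errors.Add("ends with the reserved suffix '--ol-s3'");
        return errors;
    }

    public static bool IsValid(string name) => Violations(name).Count == 0;

    public static void Main()
    {
        // Constructed inputs: the thread's "/"-joined name, the hyphen form
        // suggested in the answer, and a version with a shorter prefix.
        string[] candidates =
        {
            "development-invofy-bucket/storec679a5f9-317d-48ec-8c28-89e5cd23ebe3",
            "development-invofy-bucket-storec679a5f9-317d-48ec-8c28-89e5cd23ebe3",
            "dev-invofy-storec679a5f9-317d-48ec-8c28-89e5cd23ebe3",
        };
        foreach (var name in candidates)
        {
            var v = Violations(name);
            Console.WriteLine(v.Count == 0 ? $"OK   {name}" : $"FAIL {name}");
            foreach (var e in v) Console.WriteLine($"     - {e}");
        }
    }
}
```

Run as a console project, the first candidate fails on both the slash and its length (67 characters), the second fails on length alone, which is the answer's second point, and the third passes. Calling Violations before PutBucketAsync turns a server-side signature error into a clear client-side message.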
-
Hi Sanket,
Thank you for the reply.
bucketName = "development-invofy-bucket/" + bucketName;
So "development-invofy-bucket/" is the path. Under that I have to create a folder.
Thanks,
On Wed, Sep 3, 2025 at 10:44 PM Sanket T wrote:
Hi @ZakiShaikhOpen,
Thank you for the code. After investigating, the issue could be related to S3 bucket naming conventions in this line:
bucketName = "development-invofy-bucket/" + bucketName;
Potential Issues:
1. Forward slash character: S3 bucket names cannot contain forward slashes (/)
2. Bucket name length: The total bucket name length cannot exceed the 63-character limit
Recommended Solutions:
- Replace the forward slash with a hyphen: "development-invofy-bucket-" + bucketName
- Ensure the final bucket name is under 63 characters by reducing the prefix length if needed
These naming violations cause AWS to reject the bucket creation request during signature validation, resulting in the signature mismatch error you're experiencing.
Reference: AWS S3 Bucket Naming Rules - https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucketnamingrules.html
Please try these changes and let us know if the issue persists.
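The reply above treats "development-invofy-bucket/" as a path with a folder underneath it, while PutBucket only ever creates a bucket, whose name cannot contain a slash. The following is an added example, not code from this thread or from the AWS SDK, showing the two pieces kept apart: the bucket name goes to PutBucket and the folder becomes a key prefix inside it. It assumes "development-invofy-bucket" is the bucket and the sanitized store name is the folder wanted inside it; the role ARN and session name are placeholders, and EnsureBucketAsync and CreateFolderMarkerAsync are this example's own helpers.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.S3;
using Amazon.S3.Model;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

// Added example (not from the thread or the SDK). Bucket and folder are kept
// separate: the bucket name never contains '/', the folder is a key prefix.
public static class Program
{
    const string BucketName = "development-invofy-bucket";                   // bucket: no '/'
    const string FolderName = "storec679a5f9-317d-48ec-8c28-89e5cd23ebe3";    // key prefix inside it
    const string RoleArn = "arn:aws:iam::123456789012:role/PLACEHOLDER-ROLE"; // placeholder

    public static async Task Main()
    {
        var region = RegionEndpoint.USEast1;

        // Base credentials come from the SDK's default chain (environment,
        // profile, instance role) rather than from strings in source.
        using var sts = new AmazonSecurityTokenServiceClient(region);
        var assumed = await sts.AssumeRoleAsync(new AssumeRoleRequest
        {
            RoleArn = RoleArn,
            RoleSessionName = "tmp-session",
            DurationSeconds = 900
        });
        var c = assumed.Credentials;
        var sessionCreds = new SessionAWSCredentials(c.AccessKeyId, c.SecretAccessKey, c.SessionToken);

        using var s3 = new AmazonS3Client(sessionCreds, region);
        await EnsureBucketAsync(s3, BucketName);
        var key = await CreateFolderMarkerAsync(s3, BucketName, FolderName);
        Console.WriteLine($"s3://{BucketName}/{key}");
    }

    // Creates the bucket unless this account already owns it. Bucket names are
    // global, so a name owned by another account surfaces as BucketAlreadyExists
    // and is left to propagate rather than being treated as success.
    public static async Task EnsureBucketAsync(IAmazonS3 s3, string bucket, CancellationToken ct = default)
    {
        try
        {
            await s3.PutBucketAsync(new PutBucketRequest { BucketName = bucket, UseClientRegion = true }, ct);
        }
        catch (AmazonS3Exception e) when (e.ErrorCode == "BucketAlreadyOwnedByYou")
        {
            // Already ours: nothing to do.
        }
    }

    // S3 has no directories; a "folder" is just a shared key prefix. Writing a
    // zero-byte object whose key ends in '/' is the convention the S3 console
    // uses to make an empty prefix visible. Returns the key that was written.
    public static async Task<string> CreateFolderMarkerAsync(IAmazonS3 s3, string bucket, string folder, CancellationToken ct = default)
    {
        var key = folder.Trim('/') + "/";
        await s3.PutObjectAsync(new PutObjectRequest
        {
            BucketName = bucket,
            Key = key,
            ContentBody = string.Empty
        }, ct);
        return key;
    }
}
```

With this split the assumed role only needs s3:CreateBucket on the one bucket and s3:PutObject on the one prefix, which is a narrower policy than a role that creates arbitrarily named buckets; the request is also signed for a valid bucket name, so the signature check has nothing to reject.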