get_artifact forwards Authorization header to S3 presigned URLs, causing download failure #278

@rjernst

When get_artifact is called with a Buildkite artifact download URL, the tool calls the Buildkite REST API which returns a 302 redirect to an S3 presigned URL. The go-buildkite HTTP client used in the MCP impl then fetches that presigned URL with the bearer token auth header added, which S3 rejects.

The error looks like this:

  <Error>
    <Code>InvalidArgument</Code>
    <Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message>
    <ArgumentName>Authorization</ArgumentName>
    <ArgumentValue>Bearer bkua_...</ArgumentValue>
  </Error>

I believe the root cause is that go-buildkite is always adding the bearer token auth header, but that only makes sense when talking to Buildkite APIs, not S3.
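
The redirect flow reported above, as an added example that is not part of the issue and is not go-buildkite's code: two local test servers stand in for the Buildkite API and the presigned store, and a token-injecting transport is run once unscoped and once limited to the API host. `bearerTransport`, `fetchArtifact` and the token value are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// bearerTransport (hypothetical): scoped=false adds the token on every hop, scoped=true only for apiHost.
type bearerTransport struct {
	token, apiHost string
	scoped         bool
}

func (b bearerTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	r = r.Clone(r.Context()) // never mutate the caller's request
	if !b.scoped || r.URL.Host == b.apiHost {
		r.Header.Set("Authorization", "Bearer "+b.token)
	}
	return http.DefaultTransport.RoundTrip(r)
}

// fetchArtifact runs API -> 302 -> store locally; returns the final status and the Authorization the store saw.
func fetchArtifact(scoped bool) (int, string) {
	var seen string
	store := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("Authorization")
		if seen != "" && r.URL.Query().Has("X-Amz-Signature") { // two auth mechanisms: refuse
			w.WriteHeader(http.StatusBadRequest)
		}
	}))
	defer store.Close()
	api := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, store.URL+"/artifact?X-Amz-Signature=constructed", http.StatusFound)
	}))
	defer api.Close()
	apiHost := api.Listener.Addr().String() // host:port, same form as r.URL.Host
	c := &http.Client{Transport: bearerTransport{token: "constructed-token", apiHost: apiHost, scoped: scoped}}
	resp, err := c.Get(api.URL + "/download")
	if err != nil {
		return 0, err.Error()
	}
	resp.Body.Close()
	return resp.StatusCode, seen
}

func main() {
	fmt.Println(fetchArtifact(false)) // token is replayed to the store, which rejects the request
	fmt.Println(fetchArtifact(true))  // token stays on the API host, download succeeds
}
```

Besides fixing the download, scoping the header keeps the API token out of a third-party service's request logs and error responses, such as the `ArgumentValue` field in the error above.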
