The PII redaction succeeds when the S3 get is done from the console, as described in the corresponding tutorial. But from the AWS CLI it fails:
aws s3api get-object --bucket arn:aws:s3-object-lambda:us-west-2:012345678901:accesspoint/my-redacted-bucket-name --key pii-lambda-test/tutorial.txt /tmp/baz
The error is:
botocore.exceptions.ClientError: An error occurred (SignatureDoesNotMatch) when calling the GetObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.
Debugging the lambda, I can see that the code is not correctly including x-amz- headers like x-amz-checksum-mode when calling the presigned URL. The issue doesn't happen from the console because it is not calculating a checksum on the payload, but other SDKs do. This is due to a logic error in S3Client._filter_request_headers(). I've tested a fix and will submit a PR.
The PII redaction succeeds when the S3 get is done from the console, as described in the corresponding tutorial. But from the AWS CLI it fails:
The error is:
Debugging the lambda, I can see that the code is not correctly including
x-amz-headers likex-amz-checksum-modewhen calling the presigned URL. The issue doesn't happen from the console because it is not calculating a checksum on the payload, but other SDKs do. This is due to a logic error inS3Client._filter_request_headers(). I've tested a fix and will submit a PR.