boto3 v4 SignatureDoesNotMatch failure due to sorting of sse-kms headers
The following boto3 request fails against rgw with SignatureDoesNotMatch:
boto3 debug logs show it sorting the server side encryption headers as:
while radosgw logs show the opposite sort:
x-amz-server-side-encryption-aws-kms-key-id:testkey x-amz-server-side-encryption:aws:kmsAmazon docs for v2 and v4 auth both make it clear that the headers should be sorted by name before appending the : and header values:
This sorting behavior in radosgw was changed recently in https://github.com/ceph/ceph/pull/18046 for http://tracker.ceph.com/issues/21607, because of v4 signature failures observed against boto2 in s3tests. But boto2's behavior has been reported as a defect in https://github.com/boto/boto/pull/3032.