🐛 Bug Report: GCS S3 Compatibility: SignatureDoesNotMatch error with AWS SDK v2 (v1.16.0) #561

Closed
opened 2026-02-04 20:28:04 +03:00 by OVERLORD · 1 comment

Originally created by @plotikai on GitHub (Dec 6, 2025).

Reproduction steps

Hey team, I've spent a bunch of time trying to implement this with AI with no success. I got it to write what I've been trying, and I'm looking for help here. Forgive me, as I'm just a humble vibecoding homelabber trying to get this running.

Description

The application fails to initialize when configured to use Google Cloud Storage (GCS) as the S3 backend, failing with a SignatureDoesNotMatch error. This occurs despite valid credentials and correct region configuration verified via other tools.

Steps to Reproduce

  1. Create a Google Cloud Storage bucket (e.g., in us-east1).
  2. Generate HMAC keys (Access Key and Secret) for a Service Account with object admin permissions.
  3. Configure the Pocket-ID container with the following environment variables:
    FILE_BACKEND=s3
    S3_ENDPOINT=https://storage.googleapis.com
    S3_BUCKET=<your-bucket-name>
    S3_REGION=us-east1
    S3_ACCESS_KEY_ID=<HMAC_KEY_ID>
    S3_SECRET_ACCESS_KEY=<HMAC_SECRET>
    S3_FORCE_PATH_STYLE=true # Issue persists with false as well
    
  4. Start the container (docker compose up).

Troubleshooting Performed

  1. Credential Verification: I verified the HMAC credentials and bucket access using a standalone Python script with boto3 from the same machine. The script successfully listed objects in the bucket using us-east-1 (and us-east1), confirming network access and permissions are correct.
  2. Region Variations:
    • us-east1 (Correct GCS region for my bucket): Result SignatureDoesNotMatch.
    • us-east-1: Result SignatureDoesNotMatch.
    • auto: Result SignatureDoesNotMatch.
    • Empty (S3_REGION=): Result A region must be set.
  3. Path Style: Toggled S3_FORCE_PATH_STYLE between true and false. The error persists (though false is generally recommended for GCS).

Analysis

The error operation error S3: ListObjectsV2 suggests the application is using AWS SDK for Go v2. GCS S3 interoperability has known issues with AWS SDK v2's default behavior, particularly regarding:

  1. ListObjectsV2: GCS has limited support for this API compared to V1.
  2. Header Handling: The Go SDK v2 often includes headers (like Accept-Encoding) in the signature calculation that GCS does not expect, causing the signature mismatch.

It seems the current implementation prevents GCS from being used as a backend. Support for GCS (handling the specific header quirks or falling back to ListObjectsV1) would be greatly appreciated.

Expected behavior

The application should successfully authenticate with the S3-compatible GCS endpoint, initialize the storage backend, and start up.

Actual Behavior

The application fails to start and enters a restart loop. The logs show a 403 Forbidden error with SignatureDoesNotMatch during the ListObjectsV2 operation:

Pocket ID Version

1.16.0

Database

PostgreSQL 17.6

OS and Environment

Ubuntu 24.04.3 LTS, Docker v29.0.2, Docker Compose v2.40.3
Traefik v3.6.1

Log Output

ERR Failed to run pocket-id app=pocket-id version=1.16.0 error="failed to initialize application images: failed to list application images: operation error S3: ListObjectsV2, https response error StatusCode: 403, RequestID: <ID>, HostID: <ID>, api error SignatureDoesNotMatch: Access denied."

@stonith404 commented on GitHub (Dec 17, 2025):

Thanks for the bug report. This seems like a common issue with the new AWS SDK: https://github.com/aws/aws-sdk-go-v2/issues/1816.

We would have to implement a custom middleware that ignores the Accept-Encoding header for GCS. In my opinion, it's not worth implementing custom logic for a specific S3 provider; this should rather be fixed by Google or Amazon.

Here are the changes that would be necessary to add support for GCS to Pocket ID. If you really need GCS compatibility you can fork the project and apply those changes:
GCS compatibility.patch (https://github.com/user-attachments/files/24210562/GCS.compatibility.patch)
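The failure mode discussed in this thread, as an added standard-library example (not Pocket ID code and not the linked patch): a SigV4 signature covers every header named in SignedHeaders, so a verifier that sees a different Accept-Encoding value than the client signed computes a different signature. The in-transit rewrite of Accept-Encoding is an assumption taken from the discussion above; the secret, bucket name, timestamp and rewritten value are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

func mac(key []byte, msg string) []byte { m := hmac.New(sha256.New, key); m.Write([]byte(msg)); return m.Sum(nil) }

func hexSHA(s string) string { h := sha256.Sum256([]byte(s)); return hex.EncodeToString(h[:]) }

// Sign returns the SigV4 signature of a bodyless S3 GET, covering only the
// lowercase header names listed in signed (the SignedHeaders set).
func Sign(secret, region, path, query string, hdrs map[string]string, signed []string) string {
	signed = append([]string(nil), signed...) // copy so the caller's slice is not reordered
	sort.Strings(signed)
	canon := ""
	for _, h := range signed {
		canon += h + ":" + strings.TrimSpace(hdrs[h]) + "\n"
	}
	creq := strings.Join([]string{"GET", path, query, canon, strings.Join(signed, ";"), hexSHA("")}, "\n")
	ts := hdrs["x-amz-date"]
	sts := "AWS4-HMAC-SHA256\n" + ts + "\n" + ts[:8] + "/" + region + "/s3/aws4_request\n" + hexSHA(creq)
	key := []byte("AWS4" + secret)
	for _, part := range []string{ts[:8], region, "s3", "aws4_request"} {
		key = mac(key, part)
	}
	return hex.EncodeToString(mac(key, sts))
}

// VerifiesAfterRewrite reports whether the verifier's recomputed signature still matches.
func VerifiesAfterRewrite(signed []string) bool {
	sign := func(acceptEncoding string) string { // all literal values below are constructed
		h := map[string]string{"host": "storage.googleapis.com", "x-amz-date": "20251206T120000Z",
			"x-amz-content-sha256": hexSHA(""), "accept-encoding": acceptEncoding}
		return Sign("EXAMPLE-HMAC-SECRET", "auto", "/example-bucket", "list-type=2", h, signed)
	}
	// Client signs "identity"; the verifier sees "gzip" (assumed in-transit rewrite).
	return hmac.Equal([]byte(sign("identity")), []byte(sign("gzip")))
}

func main() {
	all := []string{"accept-encoding", "host", "x-amz-content-sha256", "x-amz-date"}
	fmt.Println(VerifiesAfterRewrite(all), VerifiesAfterRewrite(all[1:])) // false true
}
```

Leaving Accept-Encoding out of the signed set removes it from integrity protection, which is acceptable for a content-negotiation header but should not be extended to `host`, `x-amz-date` or `x-amz-content-sha256`.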
Reference: starred/pocket-id#561