[I] JWT session tokens cause SignatureDoesNotMatch with Supabase S3 [arrow-rs-object-store]

Sat, 16 Aug 2025 07:03:08 -0700 


Nordalf opened a new issue, #466:
URL: https://github.com/apache/arrow-rs-object-store/issues/466

   ## Problem
   Hey good folks,
   
   When using Supabase's S3-compatible storage with session token 
authentication (JWT), the `AmazonS3Builder` fails with "SignatureDoesNotMatch" 
error: "The request signature we calculated does not match the signature you 
provided. Check your credentials. The session token should be a valid JWT 
token."
   
   The same credentials work successfully with Supabase's generated 
access_key/secret_key pairs. This is only an issue when you're adding the JWT 
Session / user token into the mix.
   
   Looking forward to the conversation on this topic!
   
   ## Reproduce
   
   ```rust
   use object_store::aws::AmazonS3Builder;
   
   let s3 = AmazonS3Builder::new()
       .with_endpoint("https://project-ref.supabase.co/storage/v1/s3";)
       .with_access_key_id("project_ref")              // Supabase project 
reference
       .with_secret_access_key("supabase_anon_key")    // Supabase anon/public 
key  
       .with_token("eyJhbGciOiJIUzI1NiIsInR5cCI...")  // Supabase JWT session 
token
       .build()?;
   
   let result = s3.list(None).await; // Returns SignatureDoesNotMatch error
   ```
   
   **Expected:** Operations should succeed as they do with AWS SDK for 
JavaScript using identical credentials.
   
   **Actual:** All operations fail with the error response indicating JWT 
signature validation failure.
   
   ## Version Information
   
   - **object_store version:** 0.12.2
   - **Rust version:** rustc 1.88.0 (6b00bc388 2025-06-23)
   - **Platform:** macOS 15.5
   - **Supabase S3 endpoint:** S3-compatible storage (Public Alpha)
   
   **Note:** The same JWT works successfully when used with 
`@aws-sdk/client-s3` in JavaScript, suggesting the issue may be specific to 
object_store's JWT handling in signature calculations. But I may be **very** 
wrong here.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscr...@arrow.apache.org.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to