AWS S3 SDK breaks its compatible services

190 点作者 ulrischa3 个月前

29 条评论

js23 个月前

Okay, but I'd never expect an AWS SDK to remain backwards compatible with third-party services and would be leery about using an AWS SDK with anything but AWS. It's on the third parties to keep their S3-compatible API, well, compatible.On the client side, you just have to pin to an older version of the AWS SDK till whatever compatible service you're using updates, right?Also, this is the first I've heard of OpenDAL. Looks interesting:<a href="https://opendal.apache.org/" rel="nofollow">https://opendal.apache.org/</a>It's had barely any discussion on HN:<a href="https://hn.algolia.com/?q=opendal" rel="nofollow">https://hn.algolia.com/?q=opendal</a>

评论 #43120746 未加载

评论 #43119260 未加载

评论 #43120425 未加载

评论 #43119311 未加载

评论 #43123190 未加载

评论 #43119728 未加载

profmonocle3 个月前

Treating a proprietary API as a standard is risky - this is a good example of why. From Amazon's point of view there's no reason to keep the S3 SDK backwards compatible with old versions of the S3 service, because they control the S3 service. Once this feature was rolled out in all regions, it was safe to update the SDK to expect it.Amazon may not be actively hostile to using their SDK with third party services, but they never promised to support that use case.(disclaimer: I work for AWS but not on the S3 team, I have no non-public knowledge of this and am speaking personally)

评论 #43119871 未加载

评论 #43119654 未加载

评论 #43122244 未加载

dougb3 个月前

I got bit by this a month ago. You can disable the new behavior by setting 2 environment variables<pre><code> export AWS_REQUEST_CHECKSUM_CALCULATION=when_required export AWS_RESPONSE_CHECKSUM_CALCULATION=when_required </code></pre> or adding the following 2 lines to a profile in ~/.aws/config<pre><code> request_checksum_calculation=when_required response_checksum_validation=when_required </code></pre> Or just pin your AWS SDK to version before the following.<<a href="https://github.com/aws/aws-sdk-go-v2/blob/release-2025-01-15/service/s3/CHANGELOG.md#v1730-2025-01-15">https://github.com/aws/aws-sdk-go-v2/blob/release-2025-01-15...</a>><<a href="https://github.com/boto/boto3/issues/4392">https://github.com/boto/boto3/issues/4392</a>><<a href="https://github.com/aws/aws-cli/blob/1.37.0/CHANGELOG.rst#L19">https://github.com/aws/aws-cli/blob/1.37.0/CHANGELOG.rst#L19</a>><<a href="https://github.com/aws/aws-cli/blob/2.23.0/CHANGELOG.rst#2230">https://github.com/aws/aws-cli/blob/2.23.0/CHANGELOG.rst#223...</a>><<a href="https://github.com/aws/aws-sdk-java-v2/releases/tag/2.30.0">https://github.com/aws/aws-sdk-java-v2/releases/tag/2.30.0</a>><<a href="https://github.com/aws/aws-sdk-net/releases/tag/3.7.963.0">https://github.com/aws/aws-sdk-net/releases/tag/3.7.963.0</a>><<a href="https://github.com/aws/aws-sdk-php/releases/tag/3.337.0">https://github.com/aws/aws-sdk-php/releases/tag/3.337.0</a>>and wait for your S3 Compatible Object store to add a fix to support this.

评论 #43121841 未加载

aaronbrethorst3 个月前

Many S3-compatible services are recommending that their users use the S3 SDK directly, and changing the default settings in this way can have a direct impact on their users.This is wholly predictable; AWS isn't in the business of letting other companies OpenSearch them.

评论 #43119668 未加载

评论 #43119165 未加载

riknos3143 个月前

As a user of S3, but not any service with an S3 compatible API, this execution of the change is perfect for me as I get the benefits with 0 effort - including needing to learn about the availability of the feature.AWS is beholden first and foremost to their paying customers, and this is the best option for most S3 customers.

评论 #43119204 未加载

评论 #43121016 未加载

joshstrange3 个月前

I'm not sure what the other option is here? Keep old defaults and hope users update?I wouldn't be happy to find out they did it /just/ to break third-party S3 providers but it seems like it's an easy enough thing to turn it off right?I'm just not sure how comfortable I am with the phrasing here (or maybe I'm reading too much into it).

评论 #43122261 未加载

benmanns3 个月前

Another case of Hyrum's Law, where the entire functionality of the S3 SDK and any competing service provider borrowing from it becomes Amazon's problem to fix at their own cost. Maybe it's time for a non-Amazon but S3 API compatible library to emerge among the other cloud storage providers offering S3 compatible APIs. OpenDAL looks interesting. Also another reminder to run thorough integration tests before updating your dependencies.

评论 #43119127 未加载

xena3 个月前

This bit us pretty hard at Tigris, but we had a fix out pretty quickly. I set up some automation with some popular programming languages so that we can be aware of the next time something like this happens. It also bit me in my homelab until I patched Minio: <a href="https://xeiaso.net/notes/2025/update-minio/" rel="nofollow">https://xeiaso.net/notes/2025/update-minio/</a>

femto1133 个月前

> the AWS team has implemented it poorly by enforcing itThis is whiny and just wrong. Best behavior by default is always the right choice for an SDK. Libraries/tools/clients/SDKs break backwards compatibility all the time. That's exactly what semver version pinning is for, and that's a fundamental feature of every dependency management system.AWS handled this exactly right IMO. Change was introduced in Python SDK version 1.36.0 which clearly indicatesbreaking API changes, and their changelog also explicitly mentions this new default<pre><code> api-change:``s3``: [``botocore``] This change enhances integrity protections for new SDK requests to S3. S3 SDKs now support the CRC64NVME checksum algorithm, full object checksums for multipart S3 objects, and new default integrity protections for S3 requests. </code></pre> <a href="https://github.com/boto/boto3/blob/2e2eac05ba9c67f0ab285efe5050fe0d3eb03bd2/CHANGELOG.rst#L252">https://github.com/boto/boto3/blob/2e2eac05ba9c67f0ab285efe5...</a>

评论 #43120399 未加载

评论 #43120265 未加载

julik3 个月前

Sometimes people forget that the S3 API is not an industry standard, but a proprietary inspectable interface the original author is at liberty to modify to their liking. And it does, indeed, have thorny edges like "which headers are expected", "which headers do you sign", what the semantics of the headers are and so forth.It is also on the implementors of the "compatible" services to, for example, not require a header that can be assumed optional. If it is not "basic HTTP" (things like those checksums) - don't crash the PUT if you don't get the header unless you absolutely require that header. Postel's law and all.The mention in the Tigris article is strange: is boto now doing a PUT without request content-length? That's not even valid HTTP 1.1

robocat3 个月前

Any third party is one update away from an external business shock should Amazon change their API.Setting up a business so that all your customers fail at the same moment is a poor business practice: nobody can support all their customers breaking at once. I'm guessing competitors compete on price, not reliability.Amazon has the incentive to break third parties, since their customers are likely to switch to Amazon. Why else use the Amazon code unless you're ready to migrate or the service is low importance?

评论 #43120537 未加载

merb3 个月前

actually the new default is sane. its WAY WAY WAY WAY better than before. especially for multi uploads. it's basically one of the features where gcloud had a insane edge. another thing was If-Match in cloud storage.

评论 #43120685 未加载

everfrustrated3 个月前

Time for the community to support a standards body effort to define S3 compatibility under its own brand and standard.Having a way for vendors to publish some Level of compatibility would be a great help. Eg Tier 1 might mean basic upload/download, Tier 2 might support storage classes and lifecycle policies etc. Right now is just a confusing mess of self-attestation.

评论 #43120424 未加载

jonasdoesthings3 个月前

There are great alternative libraries for AWS & AWS-compatible services like S3Been really happy with aws4fetch in TypeScript (for Cloudflare R2, generating presigned URLs & sending mails via SES) after getting much frustration out of the official JS SDK.<a href="https://github.com/mhart/aws4fetch">https://github.com/mhart/aws4fetch</a>

kagitac3 个月前

>OpenDAL integrates all services by directly communicating with APIs instead of relying on SDKs, protecting users from potential disruptions like this one.Implying that the SDKs don't communicate directly with the APIs? This "problem" could have happened in OpenDAL just as it did in AWS SDKs.

donatj3 个月前

I've always been very uncomfortable with the S3 API becoming a defacto protocol, and this shows why.

earth2mars3 个月前

I see the same thing could happen with all the LLM providers depending on the OpenAI API .

dastbe3 个月前

with the open sourcing of smithy and the raw s3 specs, open source should be able to build clients in just about any language they care about while keeping relatively high fidelity with implementations s3 releases.

amazingamazing3 个月前

I wish more services would become de-facto standards and there were many implementations of the same API. I'd love more (cheaper) DynamoDB compatible APIs.

评论 #43120807 未加载

评论 #43120076 未加载

fulmicoton3 个月前

This bug hit us, and yes, I hadn't thought of just switching to opendal. That's indeed a great reminder.

imclaren3 个月前

I was bitten by this using aws’s golang sdk.The nuance is that Amazon updated their sdk so that the default is that the sdk no longer works for third party services that do not use the new checksum. There is a new configuration option in the sdk that either: (1) requires the checksum (and breaks s3 usage for unsupported services); or (2) only uses the checksum if the s3 service supports it.The sdk default is (1) when this issue could have been avoided if the sdk default was (2).Agree with all the comments that Amazon has never said or even implied that updates to their sdk would work on other s3 compatible services. However, the reality is that s3 has become a defacto standard and (unless this is a deliberate Amazon strategy) it would be relatively easy for Amazon to set this default that allows for but does not require changes to s3 compatible services or, if possible, to loudly flag these types of changes well in advance so that they don’t surprise users.

_def3 个月前

I always thought the property "S3 compatible" was fishy - here we see why.

cyberax3 个月前

Stupid. A lot of people using the actual Amazon S3 for production, are also using S3 API with minio for local testing.minio at least was updated to always emit the header, so it's simply an upgrade away.

评论 #43119489 未加载

richwater3 个月前

The expectation that S3 should not improve functionality for paying customers because other people use the SDK for something completely unrelated is asinine.

deskr3 个月前

Does AWS S3 SDK have a list of "compatible services" ?

评论 #43119655 未加载

ydnaclementine3 个月前

I guess you could say the s3 compatible services are no longer s3 compatible. But don't update your client and give them a sec to update

Vosporos3 个月前

Y'all put blind trust in a proprietary API SDK and all the eggs in the same basket? Just like that??

评论 #43119799 未加载

nisten3 个月前

just use bun s3client, it has native support now

przemub3 个月前

I'm confused. Why Cloudflare et al. won't release a package in pypi named boto-r2 or something, pinned to the last compatible version with the added benefit of setting the endpoint by default? It seems asinine to rely on Amazon as not to break things from time to time.

评论 #43123050 未加载