Supporting the AWS S3 REST API (or, add restore_object to the S3 Integration?)

Hi, I'm trying to build a tool similar to the S3 explorer, but with the capability of restoring objects from Glacier/Deep Glacier via the POST /ObjectName?restore AWS API command. I set up an API resource with AWS V4 auth, but I think because that auth option enforces a URL scheme of, and the S3 REST endpoints are, I am running into an error on query execution: "Error: Hostname/IP doesn't match certificate's altnames". One solution might be to just add "s3" to the list of regions in the AWS v4 auth options? From the AWS docs (RestoreObject - Amazon Simple Storage Service) I need to send something like this:
POST /ObjectName?restore HTTP/1.1 Host: Date: date Authorization: authorization string (see Authenticating Requests (AWS Signature Version 4)) Content-MD5: MD5

I think because that auth option enforces a URL scheme of
ahh yeah i think you’re right, for aws4 we do expect the hostname to look like either or ooc, what made you think that we enforce this url scheme? was there an error message you saw that said something like that?

i can prolly get you a fix for this either today or tomorrow, i’ll keep you updated!

Wow, thank you for your fast response (even on a weekend-- almost too much to ask). In response to your question-- yes there was on error message in the bottom pane of the app builder that clued me in.

haha no worries! always happy to help :slight_smile:
ahhh got it, yeah i know what error you’re talking about

alright, the fix is going out on our next deploy (in about ~9 hours or so)

Hi @nik-krumm! the fix is live now. can you try again and lmk if it works for you?

Great. I can send GET queries to the s3 endpoints now, but am having trouble with POST requests (e.g., POST object-restore). With POST requests, I get a 403/forbidden error with “The request signature we calculated does not match the signature you provided. Check your key and signing method.”
I am not sure exactly what is going on, as I don’t know exactly what Retool is doing to manage the AWS authorization. One hypothesis is that the Content-MD5 header is not being calculated (required for POST requests, see and/or is not being included in the authorization.
I really appreciate your help! Let me know if I can grant you access to my test app or help in any way.

ah oops! my bad i didn’t test out a POST

will take a look at this today

hmm so i spent some time on this today, but unfortunately didn’t get anywhere yet :frowning:

still haven’t finished debugging it. these signature errors are hard haha

Just posted a comment on the gist-- i think you need signQuery=true

omg you’re a genius!!

thanks for helping me debug it! i’ll put up a fix tonight, and it’ll go out in our next deploy

hi @nik-krumm, the fix is deployed now! can you give it a try?