Skip to content

fix(s3): include Region in isSameAuth to prevent cross-region CopyObject failures#337

Merged
funkyshu merged 2 commits into
mainfrom
fix/s3-cross-region-copy-isSameAuth
Jul 1, 2026
Merged

fix(s3): include Region in isSameAuth to prevent cross-region CopyObject failures#337
funkyshu merged 2 commits into
mainfrom
fix/s3-cross-region-copy-isSameAuth

Conversation

@dmcilvain44

Copy link
Copy Markdown
Contributor

Summary

  • isSameAuth in backend/s3/file.go only compared AccessKeyID, RoleARN, and SessionToken, so same-credential copies between buckets in different AWS regions were treated as same-auth and routed through the server-side CopyObject API.
  • AWS rejects that call with PermanentRedirect (HTTP 301) when source and target regions differ, since CopyObject is invoked via the source region's endpoint.
  • Region is now part of the isSameAuth comparison, so same-credential, different-region copies correctly fall back to the client-side TouchCopyBuffered path, which uses each filesystem's own regional client.

Test plan

  • Added unit tests covering same-credentials/different-region (expect false) and same-credentials/same-region (expect true) cases in TestIsSameAuth
  • go test ./backend/s3/... passes
  • golangci-lint run ./backend/s3/... passes clean
  • Updated CHANGELOG.md under [Unreleased] per repo conventions

…ect failures

isSameAuth only compared AccessKeyID, RoleARN, and SessionToken, so
same-credential copies between buckets in different AWS regions were
treated as same-auth and routed through the server-side CopyObject
API. AWS rejects that call with PermanentRedirect when source and
target regions differ. Region is now part of the comparison so these
copies correctly fall back to the client-side TouchCopyBuffered path.
@c2fo-cibot c2fo-cibot Bot added the size/S Denotes a PR that changes 10-29 lines label Jul 1, 2026
@dmcilvain44 dmcilvain44 requested a review from Copilot July 1, 2026 14:53

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request fixes cross-region S3 copy behavior by ensuring server-side CopyObject is only attempted when the source and target S3 filesystems are configured for the same AWS region, avoiding PermanentRedirect failures and falling back to client-side buffered copying when regions differ.

Changes:

  • Updated isSameAuth to include Region in the auth-equivalence check.
  • Added unit tests validating same-credentials cross-region copies return false, while same-region returns true.
  • Documented the fix in CHANGELOG.md under [Unreleased].

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
CHANGELOG.md Adds an Unreleased “Fixed” entry describing the S3 cross-region copy behavior change.
backend/s3/file.go Includes Region in isSameAuth to prevent cross-region server-side CopyObject usage.
backend/s3/file_test.go Extends TestIsSameAuth with region-based cases.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread backend/s3/file.go Outdated
The prior comment described AccessKeyID/SessionToken as "mutually
exclusive" and implied nil values, which doesn't match the string
Options fields. Reworded to describe the actual comparison and why
Region must match.
@dmcilvain44 dmcilvain44 marked this pull request as ready for review July 1, 2026 15:33
@funkyshu funkyshu merged commit 87b3a45 into main Jul 1, 2026
34 checks passed
@funkyshu funkyshu deleted the fix/s3-cross-region-copy-isSameAuth branch July 1, 2026 16:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/S Denotes a PR that changes 10-29 lines

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants