What happened?
AuthTransport.RoundTrip (internal/http/refresh_transport.go:54) unconditionally sets Authorization: Bearer . When the API 302-redirects an artifact download to a presigned buildkiteartifacts.com URL, Go's stdlib correctly strips the inherited bearer — but AuthTransport runs again on the redirected hop and re-injects it. S3 sees both X-Amz-Signature=… and Authorization and returns:
400 InvalidArgument: Only one auth mechanism allowed
Also it leaks your BK token.
Version
bk version 3.42.0
What environment are you seeing the problem on?
macOS
What happened?
AuthTransport.RoundTrip (internal/http/refresh_transport.go:54) unconditionally sets Authorization: Bearer . When the API 302-redirects an artifact download to a presigned buildkiteartifacts.com URL, Go's stdlib correctly strips the inherited bearer — but AuthTransport runs again on the redirected hop and re-injects it. S3 sees both X-Amz-Signature=… and Authorization and returns:
Also it leaks your BK token.
Version
bk version 3.42.0What environment are you seeing the problem on?
macOS