From 489de2532d158b5c68feaeb8acde7ebed9583e5a Mon Sep 17 00:00:00 2001
From: Anthony Lukach
Date: Thu, 4 Jun 2026 13:43:02 -0700
Subject: [PATCH] =?UTF-8?q?docs(backend-auth):=20correct=20the=20skip=5Fsi?=
 =?UTF-8?q?gnature=20callout=20=E2=80=94=20it=20IS=20honored?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The "Static Backend Credentials" section had the credential/signing relationship backwards:

- It claimed omitting access_key_id/secret_access_key yields unsigned requests "automatically." It doesn't: object_store's S3 builder falls back to its default credential chain (InstanceCredentialProvider, env, ...) and still signs (object_store 0.13.1 builder.rs build()).
- A NOTE claimed skip_signature "is not honored and has no effect." It is: create_builder (crates/core/src/backend/mod.rs) passes every backend_options entry to object_store via with_config, which parses "skip_signature" -> AmazonS3ConfigKey::SkipSignature and skips SigV4.

skip_signature is in fact the control for unsigned/public-bucket access (used by examples/server/config.toml and the cf-workers wrangler configs). docs/configuration/buckets.md already documented it correctly, so this also resolves an internal contradiction. The federation path's apply_to clears skip_signature precisely to turn signing back on.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 docs/auth/backend-auth.md | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/docs/auth/backend-auth.md b/docs/auth/backend-auth.md
index 6062e91..59df70e 100644
--- a/docs/auth/backend-auth.md
+++ b/docs/auth/backend-auth.md
@@ -19,10 +19,18 @@ access_key_id = "AKIAIOSFODNN7EXAMPLE" secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" ``` -This works for any backend type. For anonymous backend access (e.g., public buckets), simply omit the `access_key_id` and `secret_access_key` fields — when both are absent, the proxy issues unsigned requests automatically. +This works for any backend type. For **anonymous** backend access (e.g., public buckets), omit `access_key_id`/`secret_access_key` and set `skip_signature = "true"`: + +```toml +[buckets.backend_options] +endpoint = "https://s3.us-east-1.amazonaws.com" +bucket_name = "my-public-bucket" +region = "us-east-1" +skip_signature = "true" +``` > [!NOTE] -> A `skip_signature` option appears in some examples, but it is currently not honored by the proxy and has no effect. Anonymous access is determined solely by the absence of credentials. +> `skip_signature` **is** honored: the proxy passes every `backend_options` entry through to `object_store` (`create_builder` in `multistore`'s `backend` module), and `object_store` then skips SigV4 and issues unsigned requests. It is **required** for public-bucket access — omitting credentials *without* it does not yield anonymous access: `object_store` falls back to its default credential chain (instance metadata, environment, etc.) and still attempts to sign. For `auth_type = oidc` backends, the federated-credential injection clears `skip_signature` so the proxy signs with the temporary credentials it obtains. ## OIDC Backend Auth
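Review bot: In the rewritten `[!NOTE]`, the fallback behaviour is the security-relevant part and it is buried at the end of a long paragraph: a bucket configured without `access_key_id`/`secret_access_key` and without `skip_signature` is not anonymous, its requests are signed with whatever the default credential chain finds on the proxy host (instance metadata, environment). Consider moving that into its own callout, worded as a warning, so an operator who intends public-bucket access does not unknowingly present the host's ambient identity to the backend. Two smaller points in the same hunk: "This works for any backend type" now runs straight into the `skip_signature` instruction, while the commit message only traces the option to `AmazonS3ConfigKey::SkipSignature`, so the text should say which backend types accept it; and the example sets `skip_signature = "true"` as a quoted string, so a line stating whether a bare TOML boolean is also accepted would help readers copy it correctly.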