Describe the bug
Before 2.33 I was able to use a private GCS (Google Cloud Storage) bucket as a binary cache, via the S3 compatibility endpoint.
Now I get the following error when trying to fetch nix-cache-info:
> nix store info --store s3://MY_BUCKET_NAME?endpoint=https://storage.googleapis.com&profile=MY_BUCKET_NAME
error:
… during download of 'https://storage.googleapis.com/MY_BUCKET_NAME/nix-cache-info'
error: unable to download 'https://storage.googleapis.com/MY_BUCKET_NAME/nix-cache-info': HTTP error 403
response body:
<?xml version='1.0' encoding='UTF-8'?><Error><Code>SignatureDoesNotMatch</Code><Message>Access denied.</Message><Details>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Details><StringToSign>AWS4-HMAC-SHA256
20260119T164122Z
20260119/us-east-1/s3/aws4_request
e292857e6b5ae2b7fa289fdf23ce4afa0be6e105ff8d9f96d9f541a8f807fa60</StringToSign><CanonicalRequest>GET
/MY_BUCKET_NAME/nix-cache-info
accept-encoding:zstd, br, gzip, deflate, bzip2, xz,gzip(gfe)
host:storage.googleapis.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20260119T164122Z
accept-encoding;host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</CanonicalRequest></Error>
Steps To Reproduce
- set up a private GCS bucket
- obtain aws_access_key_id and aws_secret_access_key (as described here) and store them in .aws/credentials (or env vars)
- run nix store info ... as shown above
Expected behavior
nix store info should succeed
Metadata
nix --version
nix (Nix) 2.33.1
Additional context
Below are requests captured using mitmproxy; the only difference seems to be the headers
successful (nix 2.32.4)
GET https://storage.googleapis.com/MY_BUCKET_NAME/nix-cache-info HTTP/2.0
accept: */*
amz-sdk-invocation-id: 12BC57CC-0B54-48E4-816E-9EE1F60C6B1B
amz-sdk-request: attempt=1
authorization: AWS4-HMAC-SHA256 Credential=MY_CREDENTIALS/20260119/us-east-1/s3/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-type;host;x-amz-api-version;x-amz-checksum-mode;x-amz-content-sha256;x-amz-date, Signature=e63d4a5773ff37fde373f85aadc718b6d8a8abbc4168602b8c20250f85089d07
content-type: application/xml
user-agent: aws-sdk-cpp/1.11.647 ua/2.1 api/S3 os/Linux#6.12.63 lang/c++#C++11 md/aws-crt#0.34.3 md/arch#x86_64 md/GCC#14.3.0 m/D,Z,b,P,n
x-amz-api-version: 2006-03-01
x-amz-checksum-mode: enabled
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20260119T164104Z
failed (nix 2.33.1)
GET https://storage.googleapis.com/MY_BUCKET_NAME/nix-cache-info HTTP/2.0
authorization: AWS4-HMAC-SHA256 Credential=MY_CREDENTIALS/20260119/us-east-1/s3/aws4_request, SignedHeaders=accept-encoding;host;x-amz-content-sha256;x-amz-date, Signature=44208d2cd048cb5fcd1b1dbea094cda6aa3a1992a12fd32566e98312d36330e0
x-amz-date: 20260119T164122Z
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
user-agent: curl/8.17.0 Nix/2.33.1
accept: */*
accept-encoding: zstd, br, gzip, deflate, bzip2, xz
Checklist
- checked latest Nix manual (source)
- checked open bug issues and pull requests for possible duplicates
Add 👍 to issues you find important.
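Added example, not part of the original issue and not Nix's or the AWS SDK's code: in the capture above, the failed request signs `accept-encoding` with the value `zstd, br, gzip, deflate, bzip2, xz`, while the `<CanonicalRequest>` echoed in the 403 body carries `zstd, br, gzip, deflate, bzip2, xz,gzip(gfe)` for that header. The Python sketch below recomputes an AWS SigV4 signature over both views to show that a signed header whose value changes before verification breaks the signature, and that signing only the unchanged headers does not. The secret key is a constructed placeholder and the function names are hypothetical.

```python
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less GET

def canonical_request(method, path, headers, signed, payload_hash, query=""):
    """Build the SigV4 canonical request over the header names in `signed`."""
    names = sorted(n.lower() for n in signed)
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    canon_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    return "\n".join([method, path, query, canon_headers, ";".join(names), payload_hash])

def signature(secret, amz_date, region, service, canon):
    """Derive the SigV4 signing key and sign the string-to-sign."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canon.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def changed_signed_headers(sent, seen, signed):
    """Signed header names whose value differs between client and server views."""
    return [n for n in sorted(signed) if sent.get(n) != seen.get(n)]

# Header values copied from the capture above; the secret is a constructed placeholder.
SECRET = "EXAMPLE-SECRET-NOT-REAL"
SENT = {
    "accept-encoding": "zstd, br, gzip, deflate, bzip2, xz",
    "host": "storage.googleapis.com",
    "x-amz-content-sha256": EMPTY_SHA256,
    "x-amz-date": "20260119T164122Z",
}
# What the server canonicalized, per the <CanonicalRequest> in the 403 body.
SEEN = dict(SENT, **{"accept-encoding": "zstd, br, gzip, deflate, bzip2, xz,gzip(gfe)"})
SIGNED = ["accept-encoding", "host", "x-amz-content-sha256", "x-amz-date"]

def sign(headers, signed):
    canon = canonical_request("GET", "/MY_BUCKET_NAME/nix-cache-info", headers, signed, EMPTY_SHA256)
    return signature(SECRET, headers["x-amz-date"], "us-east-1", "s3", canon)

if __name__ == "__main__":
    print("changed:", changed_signed_headers(SENT, SEEN, SIGNED))
    print("all four signed, match:", sign(SENT, SIGNED) == sign(SEEN, SIGNED))
    stable = [n for n in SIGNED if n != "accept-encoding"]
    print("stable subset, match:  ", sign(SENT, stable) == sign(SEEN, stable))
```

The successful 2.32.4 request in the capture does not list `accept-encoding` in its `SignedHeaders`, which is consistent with the second comparison.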