Jeff
Jeff Cloud Systems Architect
1 min read / TL;DR

MinIO Kubernetes Signature Error

MinIO Kubernetes Signature Error

MinIO Kubernetes SignatureDoesNotMatch

I was recently playing around with MinIO running in Kubernetes behind nginx-ingress. Everything was working wonderfully, until I tried generating a URL from another service running in the same k8s cluster. The service talks to minio on http://minio:9000 and asks for a download URL to pics/IvanDoggo.jpg. The code then rewrites the URL to match my ingress of https://minio.tothecloud.dev/pics/IvanDoggo.jpg with the proper S3 signatures appended. When I attempt to access that link, I get the following error:

Get Secrets

<Error>
  <Code>SignatureDoesNotMatch</Code>
  <Message>
    The request signature we calculated does not match the signature you provided.  Check your key and signing method
  </Message>
  <Resource>/pics/IvanDoggo.jpg</Resource>
  <RequestId>xxxxxxxxxx</RequestId>
  <HostId>xxxxx-xxxxxx-xxxxxx-xxxxx-xxxx</HostId>
</Error>

The issue comes from the S3 signing method. MinIO creates a signature based on the hostname and port. I'm creating a signature with http://minio:9000 and trying to use it with https://minio.tothecloud.dev.

The easiest solution is to add this annotation to your MinIO ingress document (only works with nginx-ingress)

annotations:
  nginx.ingress.kubernetes.io/upstream-vhost: minio:9000