How do I log the signature process ?

[riftsin]

Hello,

In the aws CLI, we can use the --debug parameter that allows us to log what is happening from start to finish.
What's especially useful is logging the request being sent as well as the signature process to create the authorization header.
The steps I'm refering to are the Canonical request, the string to sign.

Is there a way to do that with the powershell SDK ?

If not, is there a way to do that with the .NET SDK ? (Which I'm assuming is what's being used under the hood)

I know that in golang, you can enable logging the signature process doing the following:

cfg, _ := config.LoadDefaultConfig(
context.TODO(),
config.WithClientLogMode(aws.LogSigning),
)

client := s3.NewFromConfig(cfg)

Any request made by this client will log the signature process.

Is there a way to do that ? It's very useful for people trying to debug issues with third parties S3 compatible solutions.

Thanks in advance !

[dscpinheiro]

It's more verbose, but you can enable debug logging by using this:

Add-AWSLoggingListener -Name debuglogs -LogFilePath "C:\temp\pwsh-logs.txt"
Set-AWSResponseLogging Always
Enable-AWSMetricsLogging

Get-S3Bucket

One limitation is that the .NET SDK (which as you noted PowerShell uses behind the scenes) doesn't support logging the request body, but you should be able to see the canonical request we're sending and the response received.

What exactly are you looking for when you say "signature process"?

[riftsin]

Thanks for your answer @dscpinheiro.

Basically what I'm looking for is the Canonical Request and the String to sign that was made on the client side to sign the request.

This helps when solving Signature mismatch between the client and the server.

[riftsin]

Does the solution you describe enables to see the Canonical request and the string to sign ?

[dscpinheiro]

Yes, this is what the logs would look like (I added the line breaks for readability):

CanonicalRequest = 
    PUT
    /sample.txt

    content-length:187
    content-type:text/plain
    host:test.s3.us-west-2.amazonaws.com
    user-agent:AWSPowerShell/4.1.695.0 ua/2.0 os/windows lang/.NET_Runtime#8.-1 md/.NET_Framework#4.8.09032 md/aws-sdk-dotnet-core#3.7.400.48 api/S3#3.7.405.12 md/WindowsPowerShell/7.-1 cfg/retry-mode#legacy md/ClientSync cfg/init-coll#1 ft/S3Key#unmodified
    x-amz-content-sha256:STREAMING-AWS4-HMAC-SHA256-PAYLOAD
    x-amz-date:20250205T195024Z
    x-amz-decoded-content-length:15

    content-length;content-type;host;user-agent;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length
    STREAMING-AWS4-HMAC-SHA256-PAYLOAD; 

StringToSign = 
    AWS4-HMAC-SHA256
    20250205T195024Z
    20250205/us-west-2/s3/aws4_request
    cddae98547b7e0af237dc4c987f3409ca1d13d1f6e8d0fd9e07798e690076d70

ServiceName = AmazonS3
ServiceEndpoint = https://test.s3.us-west-2.amazonaws.com/
MethodName = PutObjectRequest; 
AmzId2 = ---
StatusCode = OK
BytesProcessed = 0
AWSRequestID = ---
CredentialsRequestTime = 00:00:00.0011003
RequestSigningTime = 00:00:00.0316225
HttpRequestTime = 00:00:00.3930561
ResponseUnmarshallTime = 00:00:00.0022394
ResponseProcessingTime = 00:00:00.0061016
ClientExecuteTime = 00:00:00.5190606

[riftsin]

Thank you, I actually didn't see the canonical request at first (I actually had tried this method before posting this), thanks for pointing out that it was there, just in a very condensed form !

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.