Request signing drops `range` header, causing `SignatureDoesNotMatch` error.

[DrewMcArthur]

Describe the bug

I'm attempting to get a range of bytes from a specific file in S3, but it's returning a SignatureDoesNotMatch error. The canonical request included in the error shows an empty byte range. Removing the byte range from the request works fine.

Regression Issue

• Select this option if this issue appears to be a regression. Works in 1.42.19, botocore 1.40.19

Expected Behavior

I'd expect these requests to work, but the signatures don't match, which returns a 403 instead of a 200.

Current Behavior

aws s3api get-object --bucket my-bucket --key 'path/to/my.parquet' out.parquet --range bytes=-8 --debug

returns (truncated for brevity and security)

b'<?xml version="1.0" encoding="UTF-8"?>\n<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
<AWSAccessKeyId>MYACCESSKEYID</AWSAccessKeyId>
<StringToSign>AWS4-HMAC-SHA256\n20250827T223046Z\n20250827/us-east-1/s3/aws4_request\n075ccc80f98639364d215440cc4dda8d67cb9f82f12fb09fc36fff50196f8018</StringToSign><SignatureProvided>736c1cbf683e496dc7c099e5e9d95894bab216a6437e418ac812ac10441b8d46</SignatureProvided>
<CanonicalRequest>
GET
/path/to/my.parquet

host:my-bucket.s3.us-east-1.amazonaws.com
range:
x-amz-checksum-mode:ENABLED
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20250827T223046Z

host;range;x-amz-checksum-mode;x-amz-content-sha256;x-amz-date;x-amz-security-token
<hash>
</CanonicalRequest>

whereas the same command, less the --range param, works fine.

aws s3api get-object --bucket my-bucket --key 'path/to/my.parquet' out.parquet --debug

I can't imagine why this would be, other than the piece where range is included in the canonical request, but the header value is missing.

I am able to generate a presigned URL, then curl that with the range header, and that works:

aws s3 presign s3://my-bucket/my-key --expires-in 60 > url.txt
curl -v -H "Range: bytes=-8" "$(cat url.txt)"

Reproduction Steps

Included above

Possible Solution

either removing range from the canonical request that the signature is created from (i assume that's how the presigned url generation works) or including the range value in the request being signed.

Additional Information/Context

No response

CLI version used

aws-cli/2.28.16 Python/3.13.7 Windows/11 exe/AMD64

Environment details (OS name and version, etc.)

Windows 11

[DrewMcArthur]

welp, trying that command again today worked. maybe after updating various dependencies, resetting my path did it.

yup: aws --version now returns:

aws-cli/1.42.19 Python/3.13.2 Windows/11 botocore/1.40.19

although, that's aws-cli v1. so is this a regression?

[adev-code]

Hi @DrewMcArthur, thanks for reaching out. I have tested this command: aws s3api get-object --bucket <bucket> --key path/to/my.parquet out.parquet --range bytes=-8 --debug on versions: aws-cli/2.28.16, aws-cli/2.28.21, aws-cli/2.28.15 and aws-cli/1.42.19 and all seemed to work. Can you provide the full debug logs and redact all sensitive and security information? Also, please ensure that the path you expect is correctly configured.

[DrewMcArthur]

thanks @adev-code . I updated to version aws-cli/2.28.21. here's the DEBUG logs

$ AWS_PROFILE=profile aws s3api get-object --bucket bucket --key 'path/to/key.parquet' out.parquet --range bytes=-8 --debug
2025-09-03 14:35:46,918 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.28.21 Python/3.13.7 Windows/11 exe/AMD64
2025-09-03 14:35:46,919 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['s3api', 'get-object', '--bucket', 'bucket', '--key', 'path/to/key.parquet', 'out.parquet', '--range', 'bytes=-8', '--debug']
2025-09-03 14:35:46,957 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_s3 at 0x000001BBAA97EAC0>
2025-09-03 14:35:46,957 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_ddb at 0x000001BBAA75D6C0>
2025-09-03 14:35:46,957 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.configure.configure.ConfigureCommand'>>
2025-09-03 14:35:46,957 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x000001BBAA6C4720>
2025-09-03 14:35:46,957 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function change_name at 0x000001BBAA6C56C0>
2025-09-03 14:35:46,957 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_history_commands at 0x000001BBAA8A8540>
2025-09-03 14:35:46,958 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method BasicCommand.add_command of <class 'awscli.customizations.devcommands.CLIDevCommand'>>
2025-09-03 14:35:46,958 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <function add_waiters at 0x000001BBAA98F240>
2025-09-03 14:35:46,958 - MainThread - botocore.hooks - DEBUG - Event building-command-table.main: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x000001BBAA99EF90>>
2025-09-03 14:35:46,959 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\data\cli.json
2025-09-03 14:35:46,962 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_types at 0x000001BBAA86BC40>
2025-09-03 14:35:46,962 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function no_sign_request at 0x000001BBAA86BF60>
2025-09-03 14:35:46,962 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_verify_ssl at 0x000001BBAA86BEC0>
2025-09-03 14:35:46,962 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_read_timeout at 0x000001BBAA88C0E0>
2025-09-03 14:35:46,963 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <function resolve_cli_connect_timeout at 0x000001BBAA88C040>
2025-09-03 14:35:46,963 - MainThread - botocore.hooks - DEBUG - Event top-level-args-parsed: calling handler <built-in method update of dict object at 0x000001BBAAA2DA40>
2025-09-03 14:35:46,965 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/2.28.21 Python/3.13.7 Windows/11 exe/AMD64
2025-09-03 14:35:46,965 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['s3api', 'get-object', '--bucket', 'bucket', '--key', 'path/to/key.parquet', 'out.parquet', '--range', 'bytes=-8', '--debug']
2025-09-03 14:35:46,966 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_timestamp_parser at 0x000001BBAA98DE40>
2025-09-03 14:35:46,966 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x000001BBA9A00220>
2025-09-03 14:35:46,966 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_binary_formatter at 0x000001BBAA29D580>
2025-09-03 14:35:46,966 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function no_pager_handler at 0x000001BBAA20F880>
2025-09-03 14:35:46,966 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x000001BBAA29CAE0>
2025-09-03 14:35:46,968 - MainThread - botocore.utils - DEBUG - IMDS ENDPOINT: http://169.254.169.254/
2025-09-03 14:35:46,969 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x000001BBAA88EDE0>
2025-09-03 14:35:46,970 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_json_file_cache at 0x000001BBAA747E20>
2025-09-03 14:35:47,010 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\data\s3\2006-03-01\service-2.json
2025-09-03 14:35:47,017 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\data\s3\2006-03-01\service-2.sdk-extras.json
2025-09-03 14:35:47,022 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3api: calling handler <function add_waiters at 0x000001BBAA98F240>
2025-09-03 14:35:47,058 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\data\s3\2006-03-01\waiters-2.json
2025-09-03 14:35:47,058 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3api: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x000001BBAA99EF90>>
2025-09-03 14:35:47,059 - MainThread - awscli.clidriver - DEBUG - OrderedDict({'bucket': <awscli.arguments.CLIArgument object at 0x000001BBAACA42F0>, 'if-match': <awscli.arguments.CLIArgument object at 0x000001BBAACA8190>, 'if-modified-since': <awscli.arguments.CLIArgument object at 0x000001BBAACA82D0>, 'if-none-match': <awscli.arguments.CLIArgument object at 0x000001BBAAA72D70>, 'if-unmodified-since': <awscli.arguments.CLIArgument object at 0x000001BBAAA72EA0>, 'key': <awscli.arguments.CLIArgument object at 0x000001BBAAB097F0>, 'range': <awscli.arguments.CLIArgument object at 0x000001BBAAB9FDF0>, 'response-cache-control': <awscli.arguments.CLIArgument object at 0x000001BBAAB9FCE0>, 'response-content-disposition': <awscli.arguments.CLIArgument object at 0x000001BBAAC39250>, 'response-content-encoding': <awscli.arguments.CLIArgument object at 0x000001BBAAC39350>, 'response-content-language': <awscli.arguments.CLIArgument object at 0x000001BBAA9C74D0>, 'response-content-type': <awscli.arguments.CLIArgument object at 0x000001BBAA9C75C0>, 'response-expires': <awscli.arguments.CLIArgument object at 0x000001BBAAA3B310>, 'version-id': <awscli.arguments.CLIArgument object at 0x000001BBAAA3B3F0>, 'sse-customer-algorithm': <awscli.arguments.CLIArgument object at 0x000001BBAAC50940>, 'sse-customer-key': <awscli.arguments.CLIArgument object at 0x000001BBAABDD190>, 'sse-customer-key-md5': <awscli.arguments.CLIArgument object at 0x000001BBAABDD250>, 'request-payer': <awscli.arguments.CLIArgument object at 0x000001BBAAAD24C0>, 'part-number': <awscli.arguments.CLIArgument object at 0x000001BBAAAD2570>, 'expected-bucket-owner': <awscli.arguments.CLIArgument object at 0x000001BBAABC1450>, 'checksum-mode': <awscli.arguments.CLIArgument object at 0x000001BBAABC13B0>})
2025-09-03 14:35:47,060 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.s3api.get-object: calling handler <function add_streaming_output_arg at 0x000001BBAA98D4E0>
2025-09-03 14:35:47,060 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.s3api.get-object: calling handler <function add_cli_input_json at 0x000001BBAA29DE40>
2025-09-03 14:35:47,060 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.s3api.get-object: calling handler <function add_cli_input_yaml at 0x000001BBAA29EC00>
2025-09-03 14:35:47,060 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.s3api.get-object: calling handler <function unify_paging_params at 0x000001BBAA75DEE0>
2025-09-03 14:35:47,117 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\data\s3\2006-03-01\paginators-1.json
2025-09-03 14:35:47,120 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\data\s3\2006-03-01\paginators-1.sdk-extras.json
2025-09-03 14:35:47,120 - MainThread - botocore.hooks - DEBUG - Event building-argument-table.s3api.get-object: calling handler <function add_generate_skeleton at 0x000001BBAA86A520>
2025-09-03 14:35:47,121 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3api_get-object: calling handler <function add_waiters at 0x000001BBAA98F240>
2025-09-03 14:35:47,121 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3api_get-object: calling handler <bound method AliasSubCommandInjector.on_building_command_table of <awscli.alias.AliasSubCommandInjector object at 0x000001BBAA99EF90>>
2025-09-03 14:35:47,125 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.bucket: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,125 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.s3.get-object: calling handler <awscli.argprocess.ParamShorthandParser object at 0x000001BBAA99D2B0>
2025-09-03 14:35:47,125 - MainThread - awscli.arguments - DEBUG - Unpacked value of 'bucket' for parameter "bucket": 'bucket'
2025-09-03 14:35:47,125 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.if-match: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,126 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.if-modified-since: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,126 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.if-none-match: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,126 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.if-unmodified-since: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,126 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.key: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,126 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.s3.get-object: calling handler <awscli.argprocess.ParamShorthandParser object at 0x000001BBAA99D2B0>
2025-09-03 14:35:47,126 - MainThread - awscli.arguments - DEBUG - Unpacked value of 'path/to/key.parquet' for parameter "key": 'path/to/key.parquet'
2025-09-03 14:35:47,127 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.range: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,127 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.s3.get-object: calling handler <awscli.argprocess.ParamShorthandParser object at 0x000001BBAA99D2B0>
2025-09-03 14:35:47,127 - MainThread - awscli.arguments - DEBUG - Unpacked value of 'bytes=-8' for parameter "range": 'bytes=-8'
2025-09-03 14:35:47,127 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.response-cache-control: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,127 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.response-content-disposition: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,127 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.response-content-encoding: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,127 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.response-content-language: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,127 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.response-content-type: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,128 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.response-expires: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,128 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.version-id: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,128 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.sse-customer-algorithm: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,128 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.sse-customer-key: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,128 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.sse-customer-key-md5: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,128 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.request-payer: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,128 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.part-number: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,128 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.expected-bucket-owner: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,129 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.checksum-mode: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,129 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.s3.get-object.outfile: calling handler <awscli.paramfile.URIArgumentHandler object at 0x000001BBAA99FA10>
2025-09-03 14:35:47,129 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2025-09-03 14:35:47,129 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2025-09-03 14:35:47,129 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2025-09-03 14:35:47,130 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: sso
2025-09-03 14:35:47,133 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\data\endpoints.json
2025-09-03 14:35:47,144 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x000001BBA98B1300>
2025-09-03 14:35:47,186 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\data\s3\2006-03-01\endpoint-rule-set-1.json
2025-09-03 14:35:47,189 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Program Files\Amazon\AWSCLIV2\awscli\botocore\data\partitions.json
2025-09-03 14:35:47,191 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_post at 0x000001BBA9819300>
2025-09-03 14:35:47,191 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_url at 0x000001BBA9819080>
2025-09-03 14:35:47,192 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for s3 via: environment_service
2025-09-03 14:35:47,192 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for s3 via: environment_global
2025-09-03 14:35:47,192 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for s3 via: config_service
2025-09-03 14:35:47,193 - MainThread - botocore.configprovider - DEBUG - Looking for endpoint for s3 via: config_global
2025-09-03 14:35:47,193 - MainThread - botocore.configprovider - DEBUG - No configured endpoint found.
2025-09-03 14:35:47,194 - MainThread - botocore.endpoint - DEBUG - Setting s3 timeout as (60, 60)
2025-09-03 14:35:47,196 - MainThread - botocore.utils - DEBUG - Registering S3 region redirector handler
2025-09-03 14:35:47,196 - MainThread - botocore.utils - DEBUG - Registering S3Express Identity Resolver
2025-09-03 14:35:47,197 - MainThread - botocore.hooks - DEBUG - Event provide-client-params.s3.GetObject: calling handler <function base64_decode_input_blobs at 0x000001BBAA29D620>
2025-09-03 14:35:47,197 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetObject: calling handler <function sse_md5 at 0x000001BBA98B1940>
2025-09-03 14:35:47,198 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetObject: calling handler <function validate_bucket_name at 0x000001BBA98B18A0>
2025-09-03 14:35:47,198 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetObject: calling handler <function remove_bucket_from_url_paths_from_model at 0x000001BBA98B3A60>
2025-09-03 14:35:47,198 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetObject: calling handler <bound method S3RegionRedirectorv2.annotate_request_context of <botocore.utils.S3RegionRedirectorv2 object at 0x000001BBAC5542F0>>
2025-09-03 14:35:47,199 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetObject: calling handler <bound method S3ExpressIdentityResolver.inject_signing_cache_key of <botocore.utils.S3ExpressIdentityResolver object at 0x000001BBAC554440>>
2025-09-03 14:35:47,199 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetObject: calling handler <function generate_idempotent_uuid at 0x000001BBA98B16C0>
2025-09-03 14:35:47,199 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.GetObject: calling handler <function _handle_request_validation_mode_member at 0x000001BBA98CC0E0>
2025-09-03 14:35:47,199 - MainThread - botocore.hooks - DEBUG - Event before-endpoint-resolution.s3: calling handler <function customize_endpoint_resolver_builtins at 0x000001BBA98B3C40>
2025-09-03 14:35:47,199 - MainThread - botocore.hooks - DEBUG - Event before-endpoint-resolution.s3: calling handler <bound method S3RegionRedirectorv2.redirect_from_cache of <botocore.utils.S3RegionRedirectorv2 object at 0x000001BBAC5542F0>>
2025-09-03 14:35:47,200 - MainThread - botocore.regions - DEBUG - Calling endpoint provider with parameters: {'Bucket': 'bucket', 'Region': 'us-east-1', 'UseFIPS': False, 'UseDualStack': False, 'ForcePathStyle': False, 'Accelerate': False, 'UseGlobalEndpoint': False, 'Key': 'path/to/key.parquet', 'DisableMultiRegionAccessPoints': False, 'UseArnRegion': True}
2025-09-03 14:35:47,200 - MainThread - botocore.regions - DEBUG - Endpoint provider result: https://bucket.s3.us-east-1.amazonaws.com
2025-09-03 14:35:47,200 - MainThread - botocore.regions - DEBUG - Selecting from endpoint provider's list of auth schemes: "sigv4". User selected auth scheme is: "None"
2025-09-03 14:35:47,200 - MainThread - botocore.regions - DEBUG - Selected auth type "v4" as "v4" with signing context params: {'region': 'us-east-1', 'signing_name': 's3', 'disableDoubleEncoding': True}
2025-09-03 14:35:47,201 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.GetObject: calling handler <function add_expect_header at 0x000001BBA98B1C60>
2025-09-03 14:35:47,201 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.GetObject: calling handler <bound method S3ExpressIdentityResolver.apply_signing_cache_key of <botocore.utils.S3ExpressIdentityResolver object at 0x000001BBAC554440>>
2025-09-03 14:35:47,202 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.GetObject: calling handler <function inject_api_version_header_if_needed at 0x000001BBA98B31A0>
2025-09-03 14:35:47,202 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=GetObject) with params: {'url_path': '/path/to/key.parquet', 'query_string': {}, 'method': 'GET', 'headers': {'Range': 'bytes=-8', 'x-amz-checksum-mode': 'ENABLED', 'User-Agent': 'aws-cli/2.28.21 md/awscrt#0.27.5 ua/2.1 os/windows#11 md/arch#amd64 lang/python#3.13.7 md/pyimpl#CPython m/b,E,Z cfg/retry-mode#standard md/installer#exe sid/b642394ecc13 md/prompt#off md/command#s3api.get-object'}, 'body': b'', 'auth_path': '/bucket/path/to/key.parquet', 'url': 'https://bucket.s3.us-east-1.amazonaws.com/path/to/key.parquet', 'context': {'client_region': 'us-east-1', 'client_config': <botocore.config.Config object at 0x000001BBAACA8F50>, 'has_streaming_input': False, 'auth_type': 'v4', 'unsigned_payload': None, 'auth_options': ['aws.auth#sigv4'], 's3_redirect': {'redirected': False, 'bucket': 'bucket', 'params': {'Bucket': 'bucket', 'Key': 'path/to/key.parquet', 'Range': 'bytes=-8', 'ChecksumMode': 'ENABLED'}}, 'S3Express': {'bucket_name': 'bucket'}, 'signing': {'region': 'us-east-1', 'signing_name': 's3', 'disableDoubleEncoding': True}, 'endpoint_properties': {'authSchemes': [{'disableDoubleEncoding': True, 'name': 'sigv4', 'signingName': 's3', 'signingRegion': 'us-east-1'}]}, 'checksum': {'response_algorithms': ['crc64nvme', 'crc32c', 'crc32', 'sha1', 'sha256']}}}
2025-09-03 14:35:47,203 - MainThread - botocore.hooks - DEBUG - Event request-created.s3.GetObject: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x000001BBAACA57F0>>
2025-09-03 14:35:47,203 - MainThread - botocore.hooks - DEBUG - Event choose-signer.s3.GetObject: calling handler <function set_operation_specific_signer at 0x000001BBA98B14E0>
2025-09-03 14:35:47,203 - MainThread - botocore.hooks - DEBUG - Event before-sign.s3.GetObject: calling handler <function remove_arn_from_signing_path at 0x000001BBA98B3BA0>
2025-09-03 14:35:47,203 - MainThread - botocore.hooks - DEBUG - Event before-sign.s3.GetObject: calling handler <function _set_extra_headers_for_unsigned_request at 0x000001BBA98CC360>
2025-09-03 14:35:47,203 - MainThread - botocore.hooks - DEBUG - Event before-sign.s3.GetObject: calling handler <bound method S3ExpressIdentityResolver.resolve_s3express_identity of <botocore.utils.S3ExpressIdentityResolver object at 0x000001BBAC554440>>
2025-09-03 14:35:47,206 - MainThread - botocore.credentials - DEBUG - Credentials for role retrieved from cache.
2025-09-03 14:35:47,206 - MainThread - botocore.credentials - DEBUG - Retrieved credentials will expire at: 2025-09-04 04:00:36+00:00
2025-09-03 14:35:47,207 - MainThread - botocore.auth - DEBUG - Calculating signature using v4 auth.
2025-09-03 14:35:47,207 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
GET
/path/to/key.parquet

host:bucket.s3.us-east-1.amazonaws.com
range:bytes=-8
x-amz-checksum-mode:ENABLED
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20250903T193547Z
x-amz-security-token:tokentokentoken

host;range;x-amz-checksum-mode;x-amz-content-sha256;x-amz-date;x-amz-security-token
hash?
2025-09-03 14:35:47,207 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20250903T193547Z
20250903/us-east-1/s3/aws4_request
hash?
2025-09-03 14:35:47,208 - MainThread - botocore.auth - DEBUG - Signature:
sig
2025-09-03 14:35:47,208 - MainThread - botocore.hooks - DEBUG - Event request-created.s3.GetObject: calling handler <bound method UserAgentString.rebuild_and_replace_user_agent_handler of <botocore.useragent.UserAgentString object at 0x000001BBAACAA210>>
2025-09-03 14:35:47,208 - MainThread - botocore.endpoint - DEBUG - Sending http request: <AWSPreparedRequest stream_output=True, method=GET, url=https://bucket.s3.us-east-1.amazonaws.com/path/to/key.parquet, headers={'Range': b'bytes=-8', 'x-amz-checksum-mode': b'ENABLED', 'User-Agent': b'aws-cli/2.28.21 md/awscrt#0.27.5 ua/2.1 os/windows#11 md/arch#amd64 lang/python#3.13.7 md/pyimpl#CPython m/b,E,Z cfg/retry-mode#standard md/installer#exe sid/b642394ecc13 md/prompt#off md/command#s3api.get-object', 'X-Amz-Date': b'20250903T193547Z', 'X-Amz-Security-Token': b'token', 'X-Amz-Content-SHA256': b'hash', 'Authorization': b'AWS4-HMAC-SHA256 Credential=keyID/20250903/us-east-1/s3/aws4_request, SignedHeaders=host;range;x-amz-checksum-mode;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=token'}>
2025-09-03 14:35:47,209 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTPS connection (1): bucket.s3.us-east-1.amazonaws.com:443
2025-09-03 14:35:47,969 - MainThread - urllib3.connectionpool - DEBUG - https://bucket.s3.us-east-1.amazonaws.com:443 "GET /path/to/key.parquet HTTP/1.1" 403 None
2025-09-03 14:35:47,970 - MainThread - botocore.httpchecksum - INFO - Skipping checksum validation. Response did not contain one of the following algorithms: ['crc64nvme', 'crc32c', 'crc32', 'sha1', 'sha256'].
2025-09-03 14:35:47,970 - MainThread - botocore.hooks - DEBUG - Event before-parse.s3.GetObject: calling handler <function _handle_200_error at 0x000001BBA98B3EC0>
2025-09-03 14:35:47,970 - MainThread - botocore.hooks - DEBUG - Event before-parse.s3.GetObject: calling handler <function handle_expires_header at 0x000001BBA98B3CE0>
2025-09-03 14:35:47,970 - MainThread - botocore.parsers - DEBUG - Response headers: {'Date': 'Wed, 03 Sep 2025 19:35:47 GMT', 'Content-Type': 'application/xml', 'Transfer-Encoding': 'chunked', 'Connection': 'keep-alive', 'x-amz-request-id': '1J5S4C729A8BNKB7', 'x-amz-id-2': 'hostid', 'Server': 'AmazonS3', 'Via': 'HTTP/1.1 m_proxy_prod_aws_us-east-2_1_1n'}
2025-09-03 14:35:47,971 - MainThread - botocore.parsers - DEBUG - Response body:
b'<?xml version="1.0" encoding="UTF-8"?>\n<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>accesskeyid</AWSAccessKeyId><StringToSign>AWS4-HMAC-SHA256\n20250903T193547Z\n20250903/us-east-1/s3/aws4_request\nhash</StringToSign><SignatureProvided>sig</SignatureProvided><StringToSignBytes>bytes</StringToSignBytes><CanonicalRequest>GET\n/path/to/key.parquet\n\nhost:ppad-processing-processed-datanode-output-prod.s3.us-east-1.amazonaws.com\nrange:\nx-amz-checksum-mode:ENABLED\nx-amz-content-sha256:hash\nx-amz-date:20250903T193547Z\nx-amz-security-token:token\n\nhost;range;x-amz-checksum-mode;x-amz-content-sha256;x-amz-date;x-amz-security-token\ntoken</CanonicalRequest><CanonicalRequestBytes>bytes</CanonicalRequestBytes><RequestId>1J5S4C729A8BNKB7</RequestId><HostId>hostid</HostId></Error>'
2025-09-03 14:35:47,974 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.GetObject: calling handler <function _update_status_code at 0x000001BBA98CC040>
2025-09-03 14:35:47,974 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.GetObject: calling handler <bound method RetryHandler.needs_retry of <botocore.retries.standard.RetryHandler object at 0x000001BBAC5541A0>>
2025-09-03 14:35:47,975 - MainThread - botocore.retries.standard - DEBUG - Not retrying request.
2025-09-03 14:35:47,975 - MainThread - botocore.hooks - DEBUG - Event needs-retry.s3.GetObject: calling handler <bound method S3RegionRedirectorv2.redirect_from_error of <botocore.utils.S3RegionRedirectorv2 object at 0x000001BBAC5542F0>>
2025-09-03 14:35:47,975 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.GetObject: calling handler <bound method StreamingOutputArgument.save_file of <awscli.customizations.streamingoutputarg.StreamingOutputArgument object at 0x000001BBAACA46E0>>
2025-09-03 14:35:47,975 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.GetObject: calling handler <function enhance_error_msg at 0x000001BBAA97EDE0>
2025-09-03 14:35:47,975 - MainThread - botocore.hooks - DEBUG - Event after-call.s3.GetObject: calling handler <bound method RetryQuotaChecker.release_retry_quota of <botocore.retries.standard.RetryQuotaChecker object at 0x000001BBAACA6F90>>
2025-09-03 14:35:47,976 - MainThread - awscli.clidriver - DEBUG - Exception caught in main()
Traceback (most recent call last):
  File "awscli\clidriver.py", line 517, in main
  File "awscli\clidriver.py", line 654, in __call__
  File "awscli\clidriver.py", line 871, in __call__
  File "awscli\clidriver.py", line 1007, in invoke
  File "awscli\clidriver.py", line 1021, in _make_client_call
  File "awscli\botocore\client.py", line 438, in _api_call
  File "awscli\botocore\context.py", line 124, in wrapper
  File "awscli\botocore\client.py", line 907, in _make_api_call
botocore.exceptions.ClientError: An error occurred (SignatureDoesNotMatch) when calling the GetObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

An error occurred (SignatureDoesNotMatch) when calling the GetObject operation: The request signature we calculated does not match the signature you provided. Check your key and signing method.

the error response is where i'm seeing the range header value not included in the canonical request, which would throw off the signature. let me know if there's anything else i can provide.