How to use the S3-Compatible API with Virtualmin (or how to get rid of that darn “The V2 signature authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256” error message)

The Problem

Yesterday, I was setting up a new web server. On the management side of things, I decided to use the powerful combination of Webmin/Virtualmin.

When I first used Virtualmin back in the day (which was a Wednesday, by the way), the only cloud backup options available to use were Amazon’s S3 and RackSpace Cloud Files. At the time, Backblaze B2 (my preferred cloud storage provider) was still in its infancy and only provided the option to use their proprietary developed API.

Fast-forward to 2022, Virtualmin now allows ‘S3-compatible’ servers for backup and B2 now supports the S3 API.

The setup itself is pretty standard. Enter your Access Key, Secret Key, and the S3-compatible endpoint URL. Should be simple enough, right? After entering my B2 information, I navigated over to the ‘Amazon S3 Buckets’ page in an attempt to load my available buckets. That’s when the error came up.

One or more errors occurred listing your S3 buckets : Failed to list S3 buckets : The V2 signature authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256

Virtualmin

Well then.

Troubleshooting

The first thing I did was check the credentials I entered in the Virtualmin settings, which were correct. The next thing was a Google search which brought me to a ticket asking for a Virtualmin update to prevent this issue. This is where I learned they switched from using their own implementation to using the aws-cli tools already available. So I headed over to Amazon, downloaded the cli, and installed it. As an extra precaution, I also set the full path the tool in Virtualmin (System Settings > Virtualmin Configuration > Backup and Restore > Full path to aws command for S3 operations). For me, this was /usr/local/bin/aws. “Surely that will fix it”, I thought. Nope!

It was then I had the thought that maybe I was focusing too much on the “Please use AWS4-HMAC-SHA256” portion of the error. So the next word that jumped out at me was “authorization” and, wouldn’t you know it: the stored credentials were wrong. In the Vurtualmin WebUI, everything was correct, but in the aws cli credentials file, the Application Key was also in the Secret Key value (for reference, the aws cli credentials file is normally located at /root/.aws/credentials).

[001ed00000000000000000026]
aws_access_key_id = 001ed00000000000000000026
aws_secret_access_key = K001S000000000000000000agjn4

Back to the Buckets List, and there were my B2 buckets.

So why did the wrong credentials show up in the ‘credentials’ file when the web interface showed the correct details? I have 2 guesses. Either:

1. Virtualmin wrote the credentials to the file incorrectly, or
2. I accidently put my Application Key in the Secret Key field, hit save, entered the correct value, hit save again, but Virtualmin didn’t update the file (only the web interface).

As everything is now working correctly, combined with a lack of free time, I decided to forego diving deeper to investigate the exact cause.

Summary (Solution)

When using Virtualmin and S3-compatible storage, you may receive the error message:

"One or more errors occurred listing your S3 buckets : Failed to list S3 buckets : The V2 signature authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256"

That same error might also have nothing to do with AWS4-HMAC-SHA256 (well, not specifically, and at least not in my case).

To reiterate the steps I took to correct this error:

1. Download and install the latest aws cli tool
2. On Virtualmin, navigate to System Settings > Virtualmin Configuration > Backup and Restore (located in the drop-down menu at the top).
3. In the ‘Full path to aws command for S3 operations’ field, enter the aws cli path (mine was ‘/usr/local/bin/aws‘) (sidenote: this step may not be needed, but it doesn’t hurt either)
4. Open up the aws cli credentials file (mine was under ‘/root/.aws/credentials‘).
5. Make sure the file is in the following format:

[<Application Key>]
aws_access_key_id = <Application Key>
aws_secret_access_key = <Secret Key>

After saving the credentials file, I was able to navigate to ‘Backups and Restore > Amazon S3 Buckets” and see my buckets listed correctly without the error.

While I was using Backblaze B2 and not AWS S3, I have no doubt the same steps will correct either platform (or any S3-compatible storage provider, really). Hopefully, this helps someone out there.