Skip to main content

GCS Signature Error Analysis

Error Response (2026-01-06)

<?xml version='1.0' encoding='UTF-8'?>
<Error>
  <Code>SignatureDoesNotMatch</Code>
  <Message>Access denied.</Message>
  <Details>The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method.</Details>
  <StringToSign>GOOG4-RSA-SHA256
20260106T185637Z
20260106/auto/storage/goog4_request
a3005759c86a46a83f25f7e49c6ffa4de624aeb6f056b681b4791faf64977d5e</StringToSign>
  <CanonicalRequest>PUT
/payroll-onboarding-files/onboarding/tenant%3Dcreative_benefit_strategies/org%3Dcreative_healthcare/file_id%3D32d880a8-d848-4f5d-a59d-5ca5f5051011/test.csv
Content-Type=text%2Fcsv&amp;X-Goog-Algorithm=GOOG4-RSA-SHA256&amp;X-Goog-Credential=238826317621-compute%40developer.gserviceaccount.com%2F20260106%2Fauto%2Fstorage%2Fgoog4_request&amp;X-Goog-Date=20260106T185637Z&amp;X-Goog-Expires=300&amp;X-Goog-SignedHeaders=host
host:storage.googleapis.com

host
UNSIGNED-PAYLOAD</CanonicalRequest>
</Error>

Issues Identified

  1. Signature Format: Need to verify if signature should be HEX (not base64)
  2. Canonical Request Format:
    • Should have double newline between canonical_headers and signed_headers
    • Current format shows single newline
  3. Content-Type Handling:
    • Content-Type is in query string but NOT in signed headers
    • SignedHeaders=host only
    • This means Content-Type should NOT be sent as HTTP header in PUT request
  4. Query String Encoding:
    • Note: &amp; in XML is just XML escaping, not the actual URL
    • Actual URL has raw & characters (verified)

Expected Canonical Request Format

PUT
{canonical_uri}
{canonical_query_string}
{canonical_headers}

{signed_headers}
{payload_hash}
Note the double newline between headers and signed_headers.