Can't authenticate with the R2 REST API

When we try to get a Object from the R2 storage, we always get the error “HTTP/1.1 401 Unauthorized”.

Here is an Example Packet.

For this sample packet we used :
access_key = ‘TestAccessKey’;
access_key_secret = ‘TestAccessKey_Secret’;
Bucket = ‘logos-original-weur’

For this packet we are getting this string to sign :

‘GET\n\nimage/jpeg\nTue, 18 Jul 2023 08:29:06 GMT\n/logos-original-weur/testbild.jpeg’

Witch signs as DhadBGFJklqpSHTtn//Yg5ne2Cs=

This example is just so you could reproduce our steps. We use a real Api_Token and a real Api_Token_Secret when we try to connect to the real R2 servers.

As far as i understand, we have to sign our packets with the TimeStamp we sent. Or do we have to know how the server would interpret the datetime stamp and have to know in wich format the server is storing its datetime value? I mean it should be very straight forward.

Also, if we calculate the signatures for the exsamples of this site then we get the correct signatures that they are getting. So the signature creation should be fine.

best regards

For all People how also struggle to get the API right. (We also tried to get the AWS4 signing right and always just get a “Bad Request” back, and re not able to install all the S3 Lybraries and CLIs etc.; but do have a curl in the bash, here is your solution. Curl can DO AWS4 signing:

Get Object:

curl --aws-sigv4 “aws:amz:auto:s3” --user “{API_Token}:{API_Secret}” https://{AccountID}{Bucket}/{ObjectID} --output {OutputFilename}

Create Object:

curl --aws-sigv4 “aws:amz:auto:s3” --user “{API_Token}:{API_Secret}” -T {SourceFilename} https://{AccountID}{Bucket}/{ObjectID}

Delete Object:

curl --aws-sigv4 “aws:amz:auto:s3” --user “{API_Token}:{API_Secret}” -X https://{AccountID}{Bucket}/{ObjectID}