Misleading error creating S3-compatible Logpush job with empty access key

When creating a new Logpush job through the Cloudflare API, there is a misleading error when the destination_conf is configured for an S3-compatible endpoint but has an empty access_key.

Example (note access-key-id has no value):

curl -X POST "https://api.cloudflare.com/client/v4/zones/<zone-id>/logpush/jobs"      \
	-H "X-Auth-Email: <email>"      \
	-H "X-Auth-Key: <auth-key>"      \
	-H "Content-Type: application/json"      \
	--data '{"dataset":"http_requests","destination_conf":"s3://<bucket-name>/http_logs/{DATE}?region=<bucket-region>&access-key-id=&secret-access-key=&endpoint=s3.<bucket-region>.amazonaws.com","logpull_options":"fields=ParentRayID&timestamps=unixnano","enabled":false}'

This returns an error for an empty ownership challenge, even though S3-compatible does not require one. Response:

{"errors":[{"code":1002,"message":"empty ownership challenge"}],"messages":[],"result":null,"success":false}

Ideally this should return an error for the access key. I suspect the API is treating it as an S3 Logpush job, not an S3-compatible Logpush job.

However, when an invalid access key is passed in, it correctly returns an error for the access key, which is expected:

curl -X POST "https://api.cloudflare.com/client/v4/zones/<zone-id>/logpush/jobs"      \
	-H "X-Auth-Email: <email>"      \
	-H "X-Auth-Key: <auth-key>"      \
	-H "Content-Type: application/json"      \
	--data '{"dataset":"http_requests","destination_conf":"s3://<bucket-name>/http_logs/{DATE}?region=<bucket-region>&access-key-id=<invalid-access-key-id>&secret-access-key=&endpoint=s3.<bucket-region>.amazonaws.com","logpull_options":"fields=ParentRayID&timestamps=unixnano","enabled":false}'

Response:

{"errors":[{"code":1002,"message":"error validating destination: error writing object: error uploading to s3: InvalidAccessKeyId: The AWS Access Key Id you provided does not exist in our records. status code: 403, request id: CTRBCNH324TE9QRY, host id: <host-id>"}],"messages":[],"result":null,"success":false}

The invalid AWS Access Key Id would be more suitable for this error.
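
A client-side pre-flight check for the request in the post above, as an added example that is not part of the original post or Cloudflare's code: it parses destination_conf and reports empty or missing S3-compatible parameters by name before the job is submitted. The required-parameter list is taken from the example on this page; the function name and sample values are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Query parameters carried by the S3-compatible destination_conf shown on this
# page (assumption: this list mirrors that example, not an official schema).
REQUIRED_S3_COMPATIBLE = ("region", "access-key-id", "secret-access-key", "endpoint")


def check_destination_conf(destination_conf: str) -> list[str]:
    """Return a list of problems; an empty list means the check passed.

    Only parameter names are reported, never values, so the output is safe
    to write to CI logs even when a real secret is present.
    """
    parts = urlsplit(destination_conf)
    if parts.scheme != "s3":
        return [f"unsupported scheme {parts.scheme!r}; this check only covers s3://"]

    problems = []
    if not parts.netloc:
        problems.append("bucket name is empty")

    # keep_blank_values=True is the point: 'access-key-id=' must be seen as
    # present-but-empty instead of being silently dropped by the parser.
    params = parse_qs(parts.query, keep_blank_values=True)
    for name in REQUIRED_S3_COMPATIBLE:
        values = params.get(name)
        if values is None:
            problems.append(f"{name} is missing")
        elif len(values) > 1:
            problems.append(f"{name} is given more than once")
        elif not values[0].strip():
            problems.append(f"{name} is empty")
    return problems


# Constructed sample mirroring the failing request above (no real credentials).
EMPTY_KEY_CONF = (
    "s3://example-bucket/http_logs/{DATE}?region=us-east-1"
    "&access-key-id=&secret-access-key=&endpoint=s3.us-east-1.amazonaws.com"
)

if __name__ == "__main__":
    for problem in check_destination_conf(EMPTY_KEY_CONF):
        print("destination_conf:", problem)
```

Running the check before the POST surfaces the empty credential fields locally, so the job is never submitted with them and the unrelated ownership-challenge error is not the first signal.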

Hi @t.roberts,

"The AWS Access Key Id you provided does not exist in our records" is an error message returned by AWS S3 - Cloudflare is just forwarding the error message to you.
If you think AWS S3 should be returning a different message, the Amazon Developer Forums would probably be the place to make that suggestion 🙂

Hi @albert

The problem is with the "empty ownership challenge" error being returned - which comes from the Cloudflare API.