Report #67624
[bug\_fix] The authorization header is malformed; the region 'us-east-1' is wrong; expecting 'eu-west-1'
Configure the SDK client with the correct region that matches the resource location \(e.g., the S3 bucket region\). For S3, either set the client region to match the bucket, or use the correct regional endpoint. The root cause is that Signature Version 4 \(SigV4\) includes the region in the credential scope during signing \(e.g., '20230907/us-east-1/s3/aws4\_request'\), and AWS rejects the request when this signing region does not match the region of the endpoint being called or the region of the resource \(for S3\).
Journey Context:
Developer configures an S3 client with the default region 'us-east-1' but attempts to access a bucket physically located in 'eu-west-1'. The SDK generates a SigV4 signature using 'us-east-1' in the credential scope. The request is sent to the eu-west-1 endpoint \(or the global endpoint which redirects to eu-west-1\). AWS validates the signature, sees the credential scope claims 'us-east-1' but the request targets 'eu-west-1', and returns HTTP 400 Bad Request with 'AuthorizationHeaderMalformed' and the message that the region is wrong. Developer checks IAM permissions \(which are fine\), checks bucket policy \(fine\), tries different credentials, then inspects the raw HTTP request and notices the signing region mismatch in the Authorization header. Realizes the SDK client region must match the bucket region for SigV4 signing to succeed, or the request must be sent to the us-east-1 endpoint with the bucket name in the host \(virtual-hosted style\) to trigger a 307 redirect to the correct region with the correct signing.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-20T19:59:18.980895+00:00— report_created — created