[Bug]: SigV4 authentication fails with 403 on all requests with bodies (bulk writes, template creation) against AWS Managed OpenSearch #8307

@dd-tone

What happened?

When using the sigv4auth extension with an OpenSearch backend against AWS Managed OpenSearch (VPC-only, FGAC disabled, IAM-only access), all HTTP requests with bodies (POST _bulk, PUT _template) fail with elastic: Error 403 Forbidden. GET requests (basically, version detection, health checks) all succeed.

The AWS-side error is: The request signature we calculated does not match the signature you provided.

Steps to reproduce

  1. Deploy Jaeger v2.16.0 with sigv4auth extension configured for an AWS Managed OpenSearch domain (VPC-only, IAM-only access, no FGAC)
  2. Configure http_compression: false (this may be unneeded; I wanted to rule out gzip-related issues)
  3. Observe that GET requests succeed but all POST/PUT requests fail with 403

Expected behavior

All SigV4-signed requests should succeed, including bulk writes and template creation.

Relevant log output

2026-04-07T02:24:05.370Z  error  config/config.go:389  Elasticsearch could not process bulk request
  {"resource": {"service.instance.id": "2b4a4310-3ed7-4e27-a6bc-0b932add51cf",
   "service.name": "jaeger", "service.version": "v2.16.0"},
   "otelcol.component.id": "jaeger_storage", "otelcol.component.kind": "extension",
   "request_count": 39, "failed_count": 0,
   "error": "elastic: Error 403 (Forbidden)", "response": null}

Screenshot

No response

Additional context

No response

Jaeger backend version

v2.16.0

SDK

No response

Pipeline

No response

Storage backend

AWS ElasticSearch

Operating system

Linux

Deployment model

Kubernetes

Deployment configs
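
Added example, not part of the original report and not code from Jaeger or its sigv4auth extension: SigV4 includes the SHA-256 of the request body in the signed canonical request, so a signer that hashes different bytes than the service receives passes on bodiless GETs and fails on POST/PUT with a signature mismatch. The secret, host, region and bulk body are constructed, and the sketch assumes no query string and only host and x-amz-date as signed headers; it does not establish the cause of this issue.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

func hashHex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// Sign computes a SigV4 signature. payloadHash is the hex SHA-256 of the
// body as seen by whoever is computing the signature.
func Sign(secret, method, path, amzDate, payloadHash string) string {
	const region, service, host = "us-east-1", "es", "search-example.invalid" // constructed
	canonical := strings.Join([]string{method, path, "", // empty query string
		"host:" + host + "\nx-amz-date:" + amzDate + "\n",
		"host;x-amz-date", payloadHash}, "\n")
	scope := amzDate[:8] + "/" + region + "/" + service + "/aws4_request"
	toSign := strings.Join([]string{"AWS4-HMAC-SHA256", amzDate, scope, hashHex([]byte(canonical))}, "\n")
	k := mac([]byte("AWS4"+secret), amzDate[:8])
	for _, part := range []string{region, service, "aws4_request"} {
		k = mac(k, part)
	}
	return hex.EncodeToString(mac(k, toSign))
}

// Accepted models the service side: it re-signs using the bytes it received.
func Accepted(secret, method, path, amzDate string, received []byte, clientSig string) bool {
	return hmac.Equal([]byte(Sign(secret, method, path, amzDate, hashHex(received))), []byte(clientSig))
}

func main() {
	const secret, date = "constructed-secret", "20260407T022405Z"
	body := []byte("{\"index\":{}}\n{\"traceID\":\"abc\"}\n") // constructed bulk body
	empty := hashHex(nil)                                      // hash a signer gets if it never sees the body
	fmt.Println("GET  empty body:", Accepted(secret, "GET", "/", date, nil, Sign(secret, "GET", "/", date, empty)))
	fmt.Println("POST empty hash:", Accepted(secret, "POST", "/_bulk", date, body, Sign(secret, "POST", "/_bulk", date, empty)))
	fmt.Println("POST body hash: ", Accepted(secret, "POST", "/_bulk", date, body, Sign(secret, "POST", "/_bulk", date, hashHex(body))))
}
```

Comparing the x-amz-content-sha256 header or logged payload hash on the client against the SHA-256 of the bytes actually put on the wire is the equivalent check on a live deployment.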
