AWS introduced a new signing process ("v4") for requests some time ago, and has no longer accepts older signatures ("v2") in some datacenters. We have updated Phabricator to use the newer v4 signature method. Installs that use S3 are impacted by this change, and will need to update two configuration settings. Once the configuration is updated, service will resume normally.
Installs that use blob storage (the default), local disk, or another storage engine are not impacted and can ignore this change.
The new AWS signature method requires an explicit `region` specification, so the new `amazon-s3.region` setting is now mandatory. Additionally, the `amazon-s3.endpoint` setting has become mandatory. Although we could sometimes guess the correct endpoint, endpoint names are irregular in the general case and AWS may introduce new, irregularly named endpoints in the future, so trying to guess our way through this seemed dicey.
After upgrading, you will receive a setup warning about a partially configured S3 integration if you have some keys set but are missing some required keys. To resolve this, configure `amazon-s3.region` and `amazon-s3.endpoint`. Once they are configured, everything should work correctly again.
You can find a list of regions and endpoints here, in the AWS documentation:
Likely, the actual change will look something like this:
phabricator/ $ ./bin/config set amazon-s3.region us-west-1
phabricator/ $ ./bin/config set amazon-s3.endpoint s3-us-west-1.amazonaws.com
The correct values may vary for your setup (consult the AWS documentation table), and you may already have `amazon-s3.endpoint` configured correctly.
You can find some additional discussion in T5155 and T7163.