From 53f3aed9d0b6e318f7bcfed71d997febb1f3f8a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ant=C3=B4nio=20Franco?=
 <13881523+antoniomrfranco@users.noreply.github.com>
Date: Mon, 1 Jun 2026 15:41:30 -0300
Subject: [PATCH] aws: catch auth errors on XML responses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Antônio Franco <13881523+antoniomrfranco@users.noreply.github.com>
---
 src/aws/flb_aws_util.c | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/src/aws/flb_aws_util.c b/src/aws/flb_aws_util.c
index dead873e39b..c53a151f910 100644
--- a/src/aws/flb_aws_util.c
+++ b/src/aws/flb_aws_util.c
@@ -346,16 +346,16 @@ int flb_aws_is_auth_error(char *payload, size_t payload_size)
         return FLB_FALSE;
     }
 
-    /* Fluent Bit calls the STS API which returns XML */
-    if (strcasestr(payload, "InvalidClientTokenId") != NULL) {
-        return FLB_TRUE;
-    }
-
-    if (strcasestr(payload, "AccessDenied") != NULL) {
-        return FLB_TRUE;
-    }
-
-    if (strcasestr(payload, "Expired") != NULL) {
+    /* STS, S3, and other AWS APIs return XML error responses */
+    if (strcasestr(payload, "InvalidClientTokenId") != NULL ||
+        strcasestr(payload, "AccessDenied") != NULL ||
+        strcasestr(payload, "Expired") != NULL ||
+        strcasestr(payload, "InvalidAccessKeyId") != NULL ||
+        strcasestr(payload, "SignatureDoesNotMatch") != NULL ||
+        strcasestr(payload, "InvalidToken") != NULL ||
+        strcasestr(payload, "InvalidSecurity") != NULL ||
+        strcasestr(payload, "TokenRefreshRequired") != NULL ||
+        strcasestr(payload, "InvalidSignature") != NULL) {
         return FLB_TRUE;
     }
 
@@ -372,6 +372,9 @@ int flb_aws_is_auth_error(char *payload, size_t payload_size)
             strcmp(error, "InvalidClientTokenId") == 0 ||
             strcmp(error, "InvalidToken") == 0 ||
             strcmp(error, "InvalidAccessKeyId") == 0 ||
+            strcmp(error, "InvalidSecurity") == 0 ||
+            strcmp(error, "TokenRefreshRequired") == 0 ||
+            strcmp(error, "InvalidSignature") == 0 ||
             strcmp(error, "UnrecognizedClientException") == 0) {
                 flb_sds_destroy(error);
             return FLB_TRUE;