Using MINIO with kubernetes ambassador returns 'All access to this bucket has been disabled.' and 'the request signature does not match...'

2/11/2020

I am having a frustrating issue. I use MinIO as an object storage platform. I have it deployed in OpenShift, and in my OpenShift I have Ambassador for routing. When I use the direct route using OCP, I am able to generate presigned URLs and create buckets, so everything is fine, but as soon as I use Ambassador as follows:

kind: Service
metadata:
  annotations:
    getambassador.io/config: |
      ---
      apiVersion: ambassador/v1
      kind: Mapping
      name: _api_minio
      service: "http://minio-svc:9000"
      prefix: /api/minio/
      rewrite: /
      bypass_auth: true
      host: ocicp8.xxx.xxx.xxxx.com
      add_response_headers:
        Strict-Transport-Security: max-age=15552000; includeSubDomains
        X-Frame-Options: SAMEORIGIN

So using ocicp8.xxx.xxx.xxxx.com/api/minio instead of the direct route gives me the following when I reach the MinIO presigned URL:


So I thought this issue might happen because of rewrite: /, so I changed my Ambassador mapping to the following:

  ---
  apiVersion: ambassador/v1
  kind: Mapping
  name: _api_minio10
  service: "http://minio-svc:9000"
  prefix: /minio/
  rewrite: ""
  bypass_auth: true
  host: ocicp8.xxx.xxx.xxxx.com
  add_response_headers:
    Strict-Transport-Security: max-age=15552000; includeSubDomains
    X-Frame-Options: SAMEORIGIN

As you see, I changed to rewrite: "" and now the redirection does not happen, so as soon as I try the generated presigned URL I get:


So now I am totally confused, since the message is not really accurate: when I use the route not created by Ambassador, I am able to access the file using the presigned URL, so this message "access to this bucket is denied" is nonsense and misleading, but I am not sure what is really happening. I do appreciate it if anyone can help me.

-- Learner
amazon-s3
ambassador
kubernetes
kubernetes-helm
minio

0 Answers
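
Added example, not part of the original question and not MinIO or Ambassador code: a minimal AWS Signature Version 4 presign and verify routine showing that a presigned URL is bound to the exact request path and Host header, so a prefix rewrite between the client and the storage server changes what the server recomputes. It assumes the server validates presigned URLs S3-style with SigV4 and `host` as the only signed header; the credentials, host names, bucket and object names, and the `mapping_rewrite` helper are constructed for illustration.

```python
import hashlib, hmac
from urllib.parse import quote

# Constructed sample values; none of them come from the post.
ACCESS_KEY, SECRET_KEY = "EXAMPLEKEY", "example-secret"
REGION, DATE, STAMP = "us-east-1", "20200211", "20200211T000000Z"
SCOPE = f"{DATE}/{REGION}/s3/aws4_request"

def signature(method, host, path, query):
    """SigV4 signature of a presigned request whose only signed header is Host."""
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query.items()))
    canonical_request = "\n".join([
        method, quote(path, safe="/"), canonical_query,
        f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", STAMP, SCOPE,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + SECRET_KEY).encode()
    for part in (DATE, REGION, "s3", "aws4_request"):  # derive the signing key
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def presign(host, path, expires=3600):
    query = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
             "X-Amz-Credential": f"{ACCESS_KEY}/{SCOPE}",
             "X-Amz-Date": STAMP, "X-Amz-Expires": str(expires),
             "X-Amz-SignedHeaders": "host"}
    query["X-Amz-Signature"] = signature("GET", host, path, query)
    return query

def server_accepts(host_seen, path_seen, query):
    """Recompute the signature from the request as it arrives (expiry not checked)."""
    unsigned = {k: v for k, v in query.items() if k != "X-Amz-Signature"}
    expected = signature("GET", host_seen, path_seen, unsigned)
    return hmac.compare_digest(expected, query["X-Amz-Signature"])

def mapping_rewrite(path, prefix="/api/minio/", rewrite="/"):
    """Model of a Mapping that swaps a matched prefix for the rewrite value."""
    return rewrite + path[len(prefix):] if path.startswith(prefix) else path

if __name__ == "__main__":
    public_host, object_path = "gateway.example.test", "/bucket/report.txt"
    url_path = "/api/minio" + object_path
    q = presign(public_host, url_path)        # signed for the URL the client opens
    print(server_accepts(public_host, mapping_rewrite(url_path), q))  # path changed
    q2 = presign(public_host, object_path)    # signed for the path the backend sees
    print(server_accepts(public_host, object_path, q2))
    print(server_accepts("minio-svc:9000", object_path, q2))          # Host changed
```

The same comparison can be used when debugging a gateway: log the path and Host header that reach the storage service and check them against the values the presigned URL was generated for.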