S3 PutObject conditional writes and a Cognito JWT iss region fix

May 21, 2026 · v1.3.46

One new S3 feature (conditional writes, matching the AWS launch from November 2024) and one Cognito JWT correctness fix.

S3 PutObject conditional writes — If-None-Match and If-Match

If-None-Match: "*" gives you create-once semantics (write only if no object exists at that key), and If-Match: "<etag>" gives you optimistic concurrency (write only if the current object still has the etag you saw). Both are now enforced on PutObject, matching the AWS feature shipped November 2024.

Precondition violations return 412 PreconditionFailed, with one documented exception: If-Match: "<etag>" against a missing key returns 404 NoSuchKey per the AWS user guide. ETag comparison strips surrounding quotes on both sides so clients that quote and clients that don't both work. The symmetric x-amz-copy-source-if-match headers on CopyObject were already supported; this closes the gap on plain PutObject. Contributed by @mattcookio.

Cognito JWT iss claim uses the pool's region, not the request region

When a SigV4 scope carried a different region from the pool's creation region (e.g. a client calling cognito-idp in us-west-2 against a pool created in us-east-1), MiniStack stamped the JWT iss claim with the request region, so the issuer no longer matched the pool ID prefix. Standards-compliant validators that check iss == https://cognito-idp.<region>.amazonaws.com/<poolId> rejected the token.

A new _pool_region(pool_id) resolver parses the region directly from the pool ID ({region}_{suffix}) and is applied to: the JWT iss claim, the PreTokenGeneration trigger event region, the user-pool ARN, the OIDC discovery issuer, and the hosted-UI CloudFront URL returned by CreateUserPoolDomain / DescribeUserPoolDomain. The parser accepts 3-segment commercial regions and 4-segment GovCloud / ISO regions (us-gov-east-1, us-iso-east-1, etc.). Contributed by @subrotosanyal.
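
The validator-side check described above, as an added example (not MiniStack's own code): it derives the expected issuer from the pool ID and compares it with the token's iss claim. The function names, the pool ID and the sample tokens are constructed for illustration, and signature verification is left out.

```python
import base64
import json
import re

# Pool IDs are {region}_{suffix}; the region has 3 segments (us-east-1)
# or 4 (us-gov-east-1, us-iso-east-1).
POOL_ID_RE = re.compile(r"([a-z]{2}(?:-[a-z]+){1,2}-\d+)_([A-Za-z0-9]+)")


def pool_region(pool_id: str) -> str:
    """Return the region encoded in a pool ID, or raise ValueError."""
    m = POOL_ID_RE.fullmatch(pool_id)
    if not m:
        raise ValueError(f"malformed user pool ID: {pool_id!r}")
    return m.group(1)


def expected_issuer(pool_id: str) -> str:
    # Issuer format quoted in the post; assumed here for every region.
    return f"https://cognito-idp.{pool_region(pool_id)}.amazonaws.com/{pool_id}"


def unverified_claims(token: str) -> dict:
    """Decode the payload segment only; the signature is not checked here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_ok(token: str, pool_id: str) -> bool:
    # The issuer is derived from the pool ID, never from the request region.
    return unverified_claims(token).get("iss") == expected_issuer(pool_id)


def make_token(iss: str) -> str:
    """Constructed sample token with a placeholder signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc({'iss': iss, 'sub': 'demo'})}.placeholder"


if __name__ == "__main__":
    pool = "us-east-1_EXAMPLE123"  # constructed pool ID
    stamped_with_request_region = make_token(
        f"https://cognito-idp.us-west-2.amazonaws.com/{pool}")
    print(issuer_ok(stamped_with_request_region, pool))       # pre-fix token
    print(issuer_ok(make_token(expected_issuer(pool)), pool))  # post-fix token
```
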

Upgrade

docker pull ministackorg/ministack:1.3.46
docker run -d -p 4566:4566 ministackorg/ministack:1.3.46

Or pin in compose.yaml:

services:
  ministack:
    image: ministackorg/ministack:1.3.46
    ports:
      - "4566:4566"

Stay in sync

Issues and PRs welcome on GitHub. Discussion on r/ministack.