@smanjara Could you take a look at this and see if it seems reasonable? Thank you.

FYI - The signature was missing the body when it wanted to forward the request (cd43689)
CC: @cbodley

the first commit dealing with rgwx-zonegroup looks correct to me.
but the commits 6873f06 and cd43689 don't seem necessary. if there is a CreateBucketConfiguration body, the payload hash will be created on the requesting zone, making it part of the forwarded request. before #59960, this forwarded request would fail with -ERR_AMZ_CONTENT_SHA256_MISMATCH because it was treated as an empty payload and expects it to contain an empty checksum matching here due to absence of request body.
is there any other scenario I am missing?

When the request is being forwarded, it will be forwarded via the system account. that has a different secret/access key than the original request, So the new Authz Signature must be generated by the system account's secrets including the body (cd43689).

Regarding (6873f06), right if we have #59960 merged then that wouldn't be a problem... and I guess logically with the function name ("forward") we can eliminate the coverage of this behavior. I'll drop it.

I guess the third commit was a consequence of my second commit :)
I couldn't think/reproduce what I had... for now I kept the first commit here.

Thanks for the review @smanjara - Do we need qa on this? if so can you please add the needs-qa label so someone could pick this up on his/her next qa run?

this commit was added into #60254. closing the pr.