IBM / ibm-cos-sdk-js

Apache License 2.0

UnsupportedSigner getSignedUrl #11

Closed kyle-apex closed 6 years ago

kyle-apex commented 6 years ago

I recently changed from using aws-sdk and secret key credentials to this fork with apiKeyId and serviceInstanceId. So far so good, with the exception that getSignedUrl has started throwing the error below. Do I need to change something to make it work with this type of authentication? Thanks!

```js
// ibm-cos-sdk is a fork of aws-sdk; the module is bound to the name AWS here.
const AWS = require('ibm-cos-sdk');

// IAM (API key) credentials: no access/secret key pair is configured.
const s3 = new AWS.S3({
    apiKeyId: "<>",
    endpoint: 's3-api.us-geo.objectstorage.softlayer.net',
    ibmAuthEndpoint: "https://iam.ng.bluemix.net/oidc/token",
    serviceInstanceId: "<>"
});

// BucketName, ObjectKey and ExpirationTime are defined elsewhere in the application.
const params = {
    Bucket: BucketName,
    Key: ObjectKey,
    Expires: ExpirationTime
};

// With the credentials above this call fails with UnsupportedSigner.
s3.getSignedUrl('getObject', params, function(err, data) {
    if (err) {
        console.log('copyObject Error', err, err.stack); // an error occurred
    } else {
        console.log('copyObject Returned', data);        // successful response
    }
});
```

```
UnsupportedSigner: Presigning only supports S3 or SigV4 signing.
    at Request.signedUrlBuilder (/Users/Kyle/apex-designer-latest/node_modules/ibm-cos-sdk/lib/signers/presign.js:35:26)
    at Request.callListeners (/Users/Kyle/apex-designer-latest/node_modules/ibm-cos-sdk/lib/sequential_executor.js:105:20)
    at Request.emit (/Users/Kyle/apex-designer-latest/node_modules/ibm-cos-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (/Users/Kyle/apex-designer-latest/node_modules/ibm-cos-sdk/lib/request.js:671:14)
    at Request.transition (/Users/Kyle/apex-designer-latest/node_modules/ibm-cos-sdk/lib/request.js:22:10)
```

nglange commented 6 years ago
nglange commented 6 years ago

Unfortunately presigned URLs need to have a public/private key pair to calculate a signature. Soon the service credential will also provide an access/secret key pair that can be associated with an existing Service ID - this should be publicly available in the next couple of weeks.

abe-m1 commented 6 years ago

I wanted to find out if there is an update to this issue regarding whether an access/secret key pair is available, which would then enable me to use the getSignedUrl method. Thanks!

widget- commented 6 years ago

@abe-m1 Bluemix can give you HMAC credentials now, which are the accesskeyid/secretaccesskey pair. If you use HMAC, be sure to also set signatureVersion: 'v4' when you provide the credentials.

mriedem commented 2 years ago

Are HMAC credentials with signatureVersion: 'v4' still the only way of getting pre-signed URLs with this library? I'm using version 1.10.0 and still hitting this error if I just try using an API token, which is suggested as the preferred way of using COS in the docs:

https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-service-credentials#service-credentials-iam-hmac

> In general IAM API Keys are the preferred method of authentication for IBM Cloud® Object Storage. HMAC is supported primarily for compatibility with an earlier version with applications which migrated from IaaS Object Storage and legacy S3 applications. IAM is also natively supported when developing applications with the COS SDKs. Token expiration and refresh are handled automatically to simplify the process.

mriedem commented 2 years ago

I guess https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-presign-url also seems to suggest that HMAC is the only way to get a signed URL.

mriedem commented 2 years ago

I just noticed #88 and figured maybe that was my problem too, so I updated to the latest version (1.11.0) but I'm still getting the error:

```
UnsupportedSigner: Presigning only supports S3 or SigV4 signing.
    at Request.signedUrlBuilder (/home/osboxes/ibmq/sw-ibmq-results/node_modules/ibm-cos-sdk/lib/signers/presign.js:33:26)
    at Request.callListeners (/home/osboxes/ibmq/sw-ibmq-results/node_modules/ibm-cos-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/home/osboxes/ibmq/sw-ibmq-results/node_modules/ibm-cos-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/home/osboxes/ibmq/sw-ibmq-results/node_modules/ibm-cos-sdk/lib/request.js:683:14)
    at Request.transition (/home/osboxes/ibmq/sw-ibmq-results/node_modules/ibm-cos-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/home/osboxes/ibmq/sw-ibmq-results/node_modules/ibm-cos-sdk/lib/state_machine.js:14:12)
    at /home/osboxes/ibmq/sw-ibmq-results/node_modules/ibm-cos-sdk/lib/state_machine.js:26:10
    at Request. (/home/osboxes/ibmq/sw-ibmq-results/node_modules/ibm-cos-sdk/lib/request.js:38:9)
    at Request. (/home/osboxes/ibmq/sw-ibmq-results/node_modules/ibm-cos-sdk/lib/request.js:685:12)
    at Request.callListeners (/home/osboxes/ibmq/sw-ibmq-results/node_modules/ibm-cos-sdk/lib/sequential_executor.js:116:18)
```

I also tried setting signatureVersion: 'iam' but that doesn't help.

nglange commented 2 years ago

Yes, generating a presigned URL requires creating a client with HMAC credentials. In effect, a presigned URL is just v4 signature auth with the value passed in a query parameter instead of a header.

We had looked into the possibilities around using scoped or single-use tokens at one point, but at the time it wasn’t feasible. As these libraries continue to be so tightly coupled to the S3 API, I imagine HMAC/v4 will remain the only way to generate a presigned URL.

mriedem commented 2 years ago

> Yes, generating a presigned URL requires creating a client with HMAC credentials. In effect, a presigned URL is just v4 signature auth with the value passed in a query parameter instead of a header.

Thanks for quickly responding and confirming. It may be nice to mention in the docs this caveat, especially that part about IAM vs HMAC and that it's not one or the other if you need to use pre-signed URLs.

nglange commented 2 years ago

For sure - I've made an update that will be published shortly. I appreciate you bringing this up.

This issue is also an interesting reminder that when COS was originally introduced as a Bluemix service, there was no support for AWS style access/secret keys. :(
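
The explanation earlier in this thread, that a presigned URL is v4 signature auth carried in query parameters, worked through as an added example (not code from this thread or from ibm-cos-sdk): a minimal SigV4 query-string presigner using only Node's `crypto` module. The helper name `presignGet` and the host, region and key values in the sample call are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

const hmac = (key, data) => crypto.createHmac('sha256', key).update(data, 'utf8').digest();
const sha256Hex = (data) => crypto.createHash('sha256').update(data, 'utf8').digest('hex');
// RFC 3986 encoding as SigV4 requires (encodeURIComponent leaves !'()* unescaped).
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Hypothetical helper: presign a GET using SigV4 query-string authentication.
function presignGet({ host, path, region, accessKeyId, secretAccessKey, expires, now }) {
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ''); // e.g. 20220322T103100Z
  const day = amzDate.slice(0, 8);
  const scope = `${day}/${region}/s3/aws4_request`;
  // Everything that would normally sit in the Authorization header moves into the query.
  const query = [
    ['X-Amz-Algorithm', 'AWS4-HMAC-SHA256'],
    ['X-Amz-Credential', `${accessKeyId}/${scope}`],
    ['X-Amz-Date', amzDate],
    ['X-Amz-Expires', String(expires)],
    ['X-Amz-SignedHeaders', 'host'],
  ].map(([k, v]) => `${enc(k)}=${enc(v)}`).join('&'); // keys are already sorted
  const canonicalPath = path.split('/').map(enc).join('/');
  const canonicalRequest = ['GET', canonicalPath, query, `host:${host}`, '', 'host',
    'UNSIGNED-PAYLOAD'].join('\n');
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope,
    sha256Hex(canonicalRequest)].join('\n');
  // The signing key is derived from the HMAC secret key. An IAM API key or bearer
  // token gives the signer nothing to use here, hence UnsupportedSigner.
  let key = 'AWS4' + secretAccessKey;
  for (const part of [day, region, 's3', 'aws4_request']) key = hmac(key, part);
  const signature = hmac(key, stringToSign).toString('hex');
  return `https://${host}${canonicalPath}?${query}&X-Amz-Signature=${signature}`;
}

// Constructed sample input: not a real endpoint and not real credentials.
const demoUrl = presignGet({
  host: 's3.example.test', path: '/my-bucket/reports/q1 summary.pdf', region: 'us-south',
  accessKeyId: 'EXAMPLEACCESSKEYID', secretAccessKey: 'example-secret-access-key',
  expires: 900, now: new Date(),
});
console.log(demoUrl);
```

Anyone holding the resulting URL can fetch the object until `X-Amz-Expires` elapses, so keep the lifetime short and treat the URL as a secret in logs and referrers.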