Open aldy120 opened 3 years ago
If you forward Host header or use wrong endpoint, you'll get the error. https://github.com/aldy120/s3-note/issues/4#issuecomment-701917495
OAI will conflict to S3 signed URL.
curl -v 'https://d3lswt64kswme3.cloudfront.net/archive.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAUXOIYM7XYQRKV2OL%2F20210408%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20210408T143443Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=e2a69fdcdc798fec6b49a31edab336ac7725b684e6c8b6b0a519c4c4a5da0bc5'
* Trying 13.32.170.202...
* TCP_NODELAY set
* Connected to d3lswt64kswme3.cloudfront.net (13.32.170.202) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.cloudfront.net
* start date: Feb 22 00:00:00 2021 GMT
* expire date: Feb 21 23:59:59 2022 GMT
* subjectAltName: host "d3lswt64kswme3.cloudfront.net" matched cert's "*.cloudfront.net"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert Global CA G2
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fd092008200)
> GET /archive.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAUXOIYM7XYQRKV2OL%2F20210408%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20210408T143443Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=e2a69fdcdc798fec6b49a31edab336ac7725b684e6c8b6b0a519c4c4a5da0bc5 HTTP/2
> Host: d3lswt64kswme3.cloudfront.net
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 400
< content-type: application/xml
< date: Thu, 08 Apr 2021 14:39:28 GMT
< server: AmazonS3
< x-cache: Error from cloudfront
< via: 1.1 1679d4f06b5f1d02b9d3d9343e40b5cd.cloudfront.net (CloudFront)
< x-amz-cf-pop: LHR62-C5
< x-amz-cf-id: ULN4rnDYiFhQL3GnxRBu_L8h91XAMHeT-xug1hkv70swbkPiQXzU2g==
<
<?xml version="1.0" encoding="UTF-8"?>
* Connection #0 to host d3lswt64kswme3.cloudfront.net left intact
<Error><Code>InvalidArgument</Code><Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message><ArgumentName>Authorization</ArgumentName><ArgumentValue>AWS4-HMAC-SHA256 Credential=AKIAIA45NARA5SHUQ4JA/20210408/eu-west-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=bcf8f80fa7522265ffe805d1478d71a28c0a7c14a9d8c491988a3edca29c99bb</ArgumentValue><RequestId>743G1HSNS3C7KJNR</RequestId><HostId>LCbYf7i4K2Y2yKrM2oBWWXn7MpJLqO4rF9yG0oFnAmWnuPa9Xfky0tLbfT/lPylZL6x4iWpX4Ig=</HostId></Error>* Closing connection 0
In rare use-cases, we need to pass query strings singed sigv4 to S3 origin.
Note: Please don't forward Host header in CloudFront.