aws-samples / sigv4a-signing-examples

MIT No Attribution

Unable to use presigned url created by assumed role token in credentials #20

Closed pritamrungta closed 3 months ago

pritamrungta commented 3 months ago

Getting the following error:

[image attachment showing the error]

Originally posted by @pritamrungta in https://github.com/aws-samples/sigv4a-signing-examples/issues/10#issuecomment-2162191721

jhart0 commented 3 months ago

@pritamrungta - which example are you trying to run?

I've just tested using the Python example and it works as expected using temporary credentials as long as the AWS_SESSION_TOKEN environment variable is set:

from sigv4a_sign import SigV4ASign  # SigV4ASign helper from this repository's Python example
import requests

# Credentials come from the environment; for temporary credentials AWS_SESSION_TOKEN must be set too
service = 's3'
region = '*'  # SigV4A region set: '*' signs the request for any Region
method = 'GET'
url = 'https://mt1k8sfqb8iom.mrap.accesspoint.s3-global.amazonaws.com/sample_data.csv'

headers = SigV4ASign().get_headers_basic(service, region, method, url)
r = requests.get(url, headers=headers)
print(f'status_code: {r.status_code} \nobject text: {r.text}')

pritamrungta commented 3 months ago

Hey @jhart0

I tried the above script with AWS_SESSION_TOKEN set in environment and still get the same error message.

Headers:

{'host': '***.mrap.accesspoint.s3-global.amazonaws.com', 'X-Amz-Security-Token': '***', 'X-Amz-Date': '20240620T042415Z', 'X-Amz-Region-Set': '*', 'x-amz-content-sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', 'Authorization': 'AWS4-ECDSA-P256-SHA256 Credential=ASIA5VAA23GQCPWHIFME/20240620/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-region-set;x-amz-security-token, Signature=304502205d5b141c8bd5d91dc95f93f63841b03476025f9c39d1cb20b0cb56c4fa400b74022100c794cd4914bc210e527a8148882d341c28de784844753319383f03fbbc1b9104'}

Response:

status_code: 400
object text: <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>UnsupportedSignature</Code><Message>The provided request is signed with an unsupported STS Token version or the signature version is not supported.</Message><RequestId>CB32HXXYSAFWDTDK</RequestId><HostId>pKzqb+Tr7qTRJ3hwEOgogmtDZFZ7RujiQV/1qh1YFeZif9x1+6xNXYozSfWqDTJmY+iWp+GkZgg=</HostId></Error>

Note: The assumed role has admin privileges and it works with plain aws cli commands.

jhart0 commented 3 months ago

Thanks for testing that @pritamrungta. Can you confirm what version of the awscrt & botocore packages you are using please? If it is not the latest, please try updating to the latest version and testing again.

pritamrungta commented 3 months ago

Here are my versions (which seem to be almost the latest ones):

python = 3.12.3
awscrt = 0.20.11
botocore = 1.34.130

jhart0 commented 3 months ago

Okay, I have been able to recreate your issue. It is the sts endpoint being used to generate the temporary credentials.

See here for details: https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointRestrictions.html

To use SigV4A with temporary security credentials—for example, when using AWS Identity and Access Management (IAM) roles—you can request the temporary credentials from a Regional AWS Security Token Service (AWS STS) endpoint. If you request temporary credentials from the global AWS STS endpoint (sts.amazonaws.com), then you must first set the Region compatibility of session tokens for the global endpoint to be valid in all AWS Regions. For more information, see [Managing AWS STS in an AWS Region](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) in the IAM User Guide.

If I change the sts endpoint (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html#sts-regions-manage-tokens) to use V1Token, I get the same error as you. When I change it back to V2Token, the error is resolved using the global sts endpoint.

pritamrungta commented 3 months ago

I see. So, if I switch STS to generate V2Token for presigning s3-global multi-region access points, will it still work with plain s3 bucket presigning, which currently uses SigV4 with HMAC-SHA256?

jhart0 commented 3 months ago

Yes, but as with any account-level change you should test thoroughly in a development environment first.

pritamrungta commented 3 months ago

Sure. Thanks for your help. That note in the docs did go unnoticed by me 😅
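As an added diagnostic helper, not code from this repository or from either participant: it parses a SigV4/SigV4A Authorization header like the one pasted above and flags the SigV4A + session token + UnsupportedSignature combination that this thread traces to V1 tokens from the global STS endpoint. The sample headers and error body are constructed, with the access key, token and signature replaced by placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the headers and error body quoted in this thread;
# the access key, session token and signature are placeholders, not real values.
SAMPLE_HEADERS = {
    "host": "example.mrap.accesspoint.s3-global.amazonaws.com",
    "X-Amz-Security-Token": "PLACEHOLDER-SESSION-TOKEN",
    "X-Amz-Region-Set": "*",
    "Authorization": "AWS4-ECDSA-P256-SHA256 Credential=ASIAPLACEHOLDER/20240620/s3/aws4_request, "
                     "SignedHeaders=host;x-amz-region-set;x-amz-security-token, Signature=3045deadbeef",
}
SAMPLE_BODY = ('<?xml version="1.0" encoding="UTF-8"?><Error><Code>UnsupportedSignature</Code>'
               '<Message>The provided request is signed with an unsupported STS Token version '
               'or the signature version is not supported.</Message></Error>')

AUTH_RE = re.compile(r"^(?P<algorithm>AWS4-[A-Z0-9-]+) Credential=(?P<access_key>[^/]+)/"
                     r"(?P<date>\d{8})/(?P<scope>[^,]+)/aws4_request, SignedHeaders="
                     r"(?P<signed_headers>[^,]+), Signature=(?P<signature>[0-9a-f]+)$")

def parse_authorization(value):
    """Split a SigV4/SigV4A Authorization header into its parts (ValueError if malformed)."""
    m = AUTH_RE.match(value.strip())
    if not m: raise ValueError("not a SigV4/SigV4A Authorization header")
    parts = m.groupdict()
    scope = parts.pop("scope").split("/")
    parts["service"] = scope[-1]
    parts["region"] = scope[0] if len(scope) == 2 else None  # SigV4A scope carries no region
    parts["signed_headers"] = parts["signed_headers"].split(";")
    parts["is_sigv4a"] = parts["algorithm"].startswith("AWS4-ECDSA")
    return parts

def s3_error_code(body):
    """Return the <Code> of an S3 XML error body, or None if the body is not one."""
    try:
        root = ET.fromstring(body.encode() if isinstance(body, str) else body)
    except ET.ParseError:
        return None
    return root.findtext("Code") if root.tag == "Error" else None

def diagnose(headers, status_code, body):
    """Classify a request/response pair; likely_cause is set for the STS token-version case."""
    lower = {k.lower(): v for k, v in headers.items()}
    auth = parse_authorization(lower["authorization"])
    f = {"signing": "sigv4a" if auth["is_sigv4a"] else "sigv4",
         "temporary_credentials": "x-amz-security-token" in lower,
         "error_code": s3_error_code(body) if status_code >= 400 else None, "likely_cause": None}
    # V1 token from the global STS endpoint: fix is a Regional STS endpoint or V2 tokens (IAM guide)
    if f["signing"] == "sigv4a" and f["temporary_credentials"] and f["error_code"] == "UnsupportedSignature":
        f["likely_cause"] = "v1-sts-session-token"
    return f
```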