Closed rizmanharizfple closed 1 week ago
Hey @rizmanharizfple thanks for opening this issue, the statement above is true for regions disabled by default.
Do you see the issue if you explicitly mention the endpoint when initializing the STS client? https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/STS.html#assumeRole-property
This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.
On specifying the endpoint like so:
var sts = new AWS.STS({
  accessKeyId: STSCon.accessKey,
  secretAccessKey: STSCon.secretKey,
  endpoint: "sts.ap-east-1.amazonaws.com"
});
... I get a SignatureDoesNotMatch error response instead:
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
<AWSAccessKeyId>ASIA43LUKFW2VTREFKUG</AWSAccessKeyId>
<StringToSign>AWS4-HMAC-SHA256
20220623T010039Z
20220623/ap-east-1/s3/aws4_request
d9b2957c27886a14b20cbf9d12b4f637da8f735093b3075a11f1ac74efc11e33</StringToSign>
<SignatureProvided>aa968248695e1fa617040f0a83e56964065cff5c675b199140bb5f89fb66adbc</SignatureProvided>
<CanonicalRequest>PUT
/app_profile/development/1655946038447/montaron.bmp
Content-Type=image%2Fbmp&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA43LUKFW2VTREFKUG%2F20220623%2Fap-east-1%2Fs3%2Faws4_request&X-Amz-Date=20220623T010039Z&X-Amz-Expires=900&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEFEaCWFwLWVhc3QtMSJIMEYCIQDEGYn12t3Nq5S8bg81cZsK%2BEmNhpu8Xk3IVj%2B5juFtlQIhAIOy4BqfeAnwmNeQ%2BVjkaR4vSZRMyiTIxKQXeaplWzi7KpUCCGoQABoMODgzMzk2NTg2OTMzIgzXyIjFr5%2FE1RoMUesq8gE%2FES83rqUxMdj7jsdTX99Ik4l%2BjN%2FBhUc2aL6IXInqMibx5nn4Bha58lejOb58DJNx2AuemU6ntNKOsb3CvBfwq%2B%2Bc5zDb8A6ul2v1VLNFgKJlj3KeXZsZ%2BPU9axVR0G3h1ZzhEvOPtMaluF%2BAUcPGYjSDXM9eaH6ppCy3CfaAZC0bRvlmWXErw8P8vi0U61iVfIMuv%2Fw%2Bcyo%2BF3JLebCdZHchyfyi9NUisPbkVrUajcisZoYVwvs3Iw9VrAa7EeT2aHvFBo3fT9dBjJ24s6sCtswiX6lVPxujUOpwsEW433PAZ5f8k720DkgLNZl23pIbKzC29s6VBjqcAawo2C2kehgLije0AbZHhraMB2CUQsZdaONiXrN%2F42RjBMNMV8dYhDqLx%2FNNGj84gMfm%2B6ZBS%2BitDH83oaCv%2FIejmBzi%2FJQpMWSkJhY3vPDcDOfglI2PVKYzvG4Ys0ACvOPKewW%2FSZyGIsWH6M9yLj5eTXoGjmOY36i5DjiDombSIFfd0fgJzk1itoqMlHNodm%2B1jdykWr%2FjGed5ZQ%3D%3D&X-Amz-SignedHeaders=content-disposition%3Bhost
content-disposition:
host:some-hk_bucket.s3.ap-east-1.amazonaws.com
content-disposition;host
UNSIGNED-PAYLOAD</CanonicalRequest>
<RequestId>X1AWAY84DAK16DMQ</RequestId>
<HostId>aYk6X5so2Tb/lN14f8orpEyYY6MMcM/BofZNGIedFhTVkiHDKo87244yyJgxhlv6BeIqseA043Y=</HostId>
</Error>
Extra update: Another team was working in parallel with the bucket using Laravel, and was able to upload files to the bucket. So the bucket is likely already enabled.
Hi @rizmanharizfple - sorry for the long silence here. The issue you're experiencing with the "The provided token is malformed or otherwise invalid" error is likely related to the session token.
The assumeRole method in the AWS SDK returns temporary security credentials, including an access key, a secret key, and a session token. The session token is used for authentication when making requests to AWS services and is typically required when using temporary credentials.
In your code, you're creating a new instance of the AWS.S3 object with the accessKeyId, secretAccessKey, and sessionToken obtained from the assumeRole response. However, it seems that you're not including the sessionToken when generating the signed URL using s3.getSignedUrl.
To resolve this issue, you should include the sessionToken when generating the signed URL. Let me know if you need further assistance.
This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.
Describe the bug
A Node server generates a SignedUrl which will be used to upload a file to an S3 bucket. The existing code previously worked with multiple ap-southeast-1 buckets. On changing to a bucket in ap-east-1, all attempts to upload a file using the SignedUrl result in a 'The provided token is malformed or otherwise invalid.' message from S3.
Expected Behavior
When sending a PUT request with the url generated by the SDK with a file as the body, file would be uploaded to the specified bucket.
Current Behavior
On sending the PUT request with credentials to ap-east-1 bucket, s3 returns the following:
Reproduction Steps
Running the following code generates a URL in the response. Sending a PUT request to that URL with Postman/in the browser results in the "Invalid Token" error, but only for ap-east-buckets.
Possible Solution
Likely something is different with ap-east-1 but I am unsure what that could be.
Additional Information/Context
I have read in other threads that this happens when using the CLI because ap-east-1 is not available by default and must be activated prior to using it. According to account owner, this has been done. Is there any way to verify externally?
SDK version used
2.1155.0
Environment details (OS name and version, etc.)
Node running on Windows, Ubuntu Docker Container. URL used in browser & in Postman