aws / aws-sdk-js

AWS SDK for JavaScript in the browser and Node.js
https://aws.amazon.com/developer/language/javascript/
Apache License 2.0

'The provided token is malformed or otherwise invalid' when setting region to ap-east-1 #4129

Closed rizmanharizfple closed 1 week ago

rizmanharizfple commented 2 years ago

Describe the bug

A node server generates a SignedUrl which will be used to upload a file to an s3 bucket. This is existing code, which previously worked with multiple ap-southeast-1 buckets. On changing to a bucket in ap-east-1, all attempts to upload a file using the signedUrl result in a 'The provided token is malformed or otherwise invalid.' message from s3.

Expected Behavior

When sending a PUT request with the url generated by the SDK with a file as the body, file would be uploaded to the specified bucket.

Current Behavior

On sending the PUT request with credentials to ap-east-1 bucket, s3 returns the following:

<?xml version="1.0" encoding="UTF-8"?>
<Error>
    <Code>InvalidToken</Code>
    <Message>The provided token is malformed or otherwise invalid.</Message>
    <Token-0>FwoGZXIvYXdzENP//////////wEaDMs0xgrLnOAu9exb9yKsAatGicBu2IE4ENfFViXecuC+xM9Eur15ZPX7QZ2iWK01EJ9nDMG09u6v4/LPy3yvRLuQKn/L72+BnmWYNrshL81jNaWQyFrO30/PH+l3yhEC+Isracghu+21ByWodzLH6z0Oc5xHfCapLV3QoOIffewnw5RNDcNMF4PMB4R3bk57QH1t5EAp43NJek5JNHBHe7vWoJcZXaF8WGiA+HnISiKti4ZgoScJO75Op4EoiqivlQYyLZRU7KHFjqzHDm212qgmKQ0JIoZoCcI6cl86tYC5+B4WRHtfA3ik3IFMQMj7Mw==</Token-0>
    <RequestId>1CZ55252PH6J0X4R</RequestId>
    <HostId>Y/tAzV5O3KyYH1kVcfY74BIpr1Y5wwJzln0ftzsVfprvZFNtl0irW8nM3WLHunuKpK1WFdJVqEg=</HostId>
</Error>

Reproduction Steps

Running the following code generates a url in the response. Sending a PUT request to that URL with Postman/in the browser results in the "Invalid Token" error, but only for ap-east-buckets

const AWS = require('aws-sdk');
AWS.config.update({
    region: "ap-east-1",
    accessKeyId: "someAccessKey",
    secretAccessKey: "someSecretKey",
});

var sts = new AWS.STS();

return new Promise((resolve,reject)=>{
    sts.assumeRole(params, async function (err, data) {
        var s3 = new AWS.S3({
            accessKeyId: data.Credentials.AccessKeyId,
            secretAccessKey: data.Credentials.SecretAccessKey,
            sessionToken: data.Credentials.SessionToken,
        });
        s3.getSignedUrl(
            'putObject',
            {
                Bucket: "selectedBucket",
                Key: "someFileName",
                ContentType: "someFileType",
                ContentDisposition: 'inline',
                Expires: 900, // time in seconds: e.g. 60 * 5 = 5 mins
            },
            (err, url) => {
                if (err) {
                    return resolve({
                        status: false,
                        err: err,
                        code: 202,
                    });
                }
                resolve({
                    status: true,
                    key: data.Credentials,
                    bucket: "selectedBucket",
                    region: "ap-east-1",
                    path: "someFileName",
                    url
                });
            }
        );
    })
})

Possible Solution

Likely something is different with ap-east-1 but I am unsure what that could be.

Additional Information/Context

I have read in other threads that this happens when using the CLI because ap-east-1 is not available by default and must be activated prior to using it. According to account owner, this has been done. Is there any way to verify externally?

SDK version used

2.1155.0

Environment details (OS name and version, etc.)

Node running on Windows, Ubuntu Docker Container. URL used in browser & in Postman

ajredniwja commented 2 years ago

Hey @rizmanharizfple thanks for opening this issue, the statement above is true for regions disabled by default.

Do you see the issue if you explicitly mention the endpoint when initializing the STS client? https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/STS.html#assumeRole-property

github-actions[bot] commented 2 years ago

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.

rizmanharizfple commented 2 years ago

On specifying the endpoint like so:

var sts = new AWS.STS({
    accessKeyId: STSCon.accessKey,
    secretAccessKey: STSCon.secretKey,
    endpoint: "sts.ap-east-1.amazonaws.com"
});

... I get a SignatureDoesNotMatch error response instead:

<?xml version="1.0" encoding="UTF-8"?>
<Error>
    <Code>SignatureDoesNotMatch</Code>
    <Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
    <AWSAccessKeyId>ASIA43LUKFW2VTREFKUG</AWSAccessKeyId>
    <StringToSign>AWS4-HMAC-SHA256
20220623T010039Z
20220623/ap-east-1/s3/aws4_request
d9b2957c27886a14b20cbf9d12b4f637da8f735093b3075a11f1ac74efc11e33</StringToSign>
    <SignatureProvided>aa968248695e1fa617040f0a83e56964065cff5c675b199140bb5f89fb66adbc</SignatureProvided>
    <StringToSignBytes>41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 32 30 36 32 33 54 30 31 30 30 33 39 5a 0a 32 30 32 32 30 36 32 33 2f 61 70 2d 65 61 73 74 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 64 39 62 32 39 35 37 63 32 37 38 38 36 61 31 34 62 32 30 63 62 66 39 64 31 32 62 34 66 36 33 37 64 61 38 66 37 33 35 30 39 33 62 33 30 37 35 61 31 31 66 31 61 63 37 34 65 66 63 31 31 65 33 33</StringToSignBytes>
    <CanonicalRequest>PUT
/app_profile/development/1655946038447/montaron.bmp
Content-Type=image%2Fbmp&amp;X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=ASIA43LUKFW2VTREFKUG%2F20220623%2Fap-east-1%2Fs3%2Faws4_request&amp;X-Amz-Date=20220623T010039Z&amp;X-Amz-Expires=900&amp;X-Amz-Security-Token=IQoJb3JpZ2luX2VjEFEaCWFwLWVhc3QtMSJIMEYCIQDEGYn12t3Nq5S8bg81cZsK%2BEmNhpu8Xk3IVj%2B5juFtlQIhAIOy4BqfeAnwmNeQ%2BVjkaR4vSZRMyiTIxKQXeaplWzi7KpUCCGoQABoMODgzMzk2NTg2OTMzIgzXyIjFr5%2FE1RoMUesq8gE%2FES83rqUxMdj7jsdTX99Ik4l%2BjN%2FBhUc2aL6IXInqMibx5nn4Bha58lejOb58DJNx2AuemU6ntNKOsb3CvBfwq%2B%2Bc5zDb8A6ul2v1VLNFgKJlj3KeXZsZ%2BPU9axVR0G3h1ZzhEvOPtMaluF%2BAUcPGYjSDXM9eaH6ppCy3CfaAZC0bRvlmWXErw8P8vi0U61iVfIMuv%2Fw%2Bcyo%2BF3JLebCdZHchyfyi9NUisPbkVrUajcisZoYVwvs3Iw9VrAa7EeT2aHvFBo3fT9dBjJ24s6sCtswiX6lVPxujUOpwsEW433PAZ5f8k720DkgLNZl23pIbKzC29s6VBjqcAawo2C2kehgLije0AbZHhraMB2CUQsZdaONiXrN%2F42RjBMNMV8dYhDqLx%2FNNGj84gMfm%2B6ZBS%2BitDH83oaCv%2FIejmBzi%2FJQpMWSkJhY3vPDcDOfglI2PVKYzvG4Ys0ACvOPKewW%2FSZyGIsWH6M9yLj5eTXoGjmOY36i5DjiDombSIFfd0fgJzk1itoqMlHNodm%2B1jdykWr%2FjGed5ZQ%3D%3D&amp;X-Amz-SignedHeaders=content-disposition%3Bhost
content-disposition:
host:some-hk_bucket.s3.ap-east-1.amazonaws.com

content-disposition;host
UNSIGNED-PAYLOAD</CanonicalRequest>
    <RequestId>X1AWAY84DAK16DMQ</RequestId>
    <HostId>aYk6X5so2Tb/lN14f8orpEyYY6MMcM/BofZNGIedFhTVkiHDKo87244yyJgxhlv6BeIqseA043Y=</HostId>
</Error>

Extra update: Another team was working in parallel with the bucket using Laravel, and was able to upload files to the bucket. So the bucket is likely already enabled.

aBurmeseDev commented 3 weeks ago

Hi @rizmanharizfple - sorry for the long silence here. The issue you're experiencing with the "The provided token is malformed or otherwise invalid" error is likely related to the session token.

The assumeRole method in the AWS SDK returns temporary security credentials, including an access key, a secret key, and a session token. The session token is used for authentication when making requests to AWS services and is typically required when using temporary credentials.

In your code, you're creating a new instance of the AWS.S3 object with the accessKeyId, secretAccessKey, and sessionToken obtained from the assumeRole response. However, it seems that you're not including the sessionToken when generating the signed URL using s3.getSignedUrl.

To resolve this issue, you should include the sessionToken when generating the signed URL. Let me know if you need further assistance.
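Added example, not part of the thread and not aws-sdk code: an offline check of a presigned URL against the two things discussed above, whether it carries `X-Amz-Security-Token` and which headers its `X-Amz-SignedHeaders` list covers (the CanonicalRequest in the SignatureDoesNotMatch response lists `content-disposition` with an empty value). The function name, bucket, key ID, token and signature below are constructed placeholders.

```javascript
// Added example (not aws-sdk code): offline checks on a SigV4 presigned S3 URL.
function inspectPresignedUrl(presignedUrl) {
  const url = new URL(presignedUrl);
  const q = url.searchParams;

  // X-Amz-Credential is <accessKeyId>/<yyyymmdd>/<region>/<service>/aws4_request
  const [accessKeyId = '', , scopeRegion = null] =
    (q.get('X-Amz-Credential') || '').split('/');

  // Regional S3 host: [<bucket>.]s3.<region>.amazonaws.com
  const m = url.hostname.match(/(?:^|\.)s3[.-]([a-z0-9-]+)\.amazonaws\.com$/);
  const hostRegion = m ? m[1] : null;

  // "host" is filled in by the HTTP client; every other signed header has to
  // be sent by the uploader with exactly the value that was signed.
  const signedHeaders = (q.get('X-Amz-SignedHeaders') || '').split(';').filter(Boolean);
  const headersClientMustSend = signedHeaders.filter((h) => h !== 'host');

  const hasSecurityToken = q.has('X-Amz-Security-Token');
  const issues = [];
  // Access key IDs starting with ASIA are temporary STS credentials.
  if (accessKeyId.startsWith('ASIA') && !hasSecurityToken) {
    issues.push('temporary (ASIA) access key but no X-Amz-Security-Token');
  }
  if (hostRegion && scopeRegion !== hostRegion) {
    issues.push(`credential scope region ${scopeRegion} != host region ${hostRegion}`);
  }
  return {
    scopeRegion,
    hostRegion,
    hasSecurityToken,
    expiresSeconds: Number(q.get('X-Amz-Expires')),
    headersClientMustSend,
    issues,
  };
}

// Constructed sample shaped like the CanonicalRequest in the thread;
// the bucket, key ID, token and signature are placeholders.
const SAMPLE_URL =
  'https://example-bucket.s3.ap-east-1.amazonaws.com/app_profile/montaron.bmp' +
  '?Content-Type=image%2Fbmp&X-Amz-Algorithm=AWS4-HMAC-SHA256' +
  '&X-Amz-Credential=ASIAEXAMPLEKEYID0000%2F20220623%2Fap-east-1%2Fs3%2Faws4_request' +
  '&X-Amz-Date=20220623T010039Z&X-Amz-Expires=900' +
  '&X-Amz-Security-Token=CONSTRUCTED-TOKEN' +
  '&X-Amz-SignedHeaders=content-disposition%3Bhost&X-Amz-Signature=0000';

console.log(inspectPresignedUrl(SAMPLE_URL));
```

For a URL shaped like the one in the thread, `headersClientMustSend` contains `content-disposition`, so the PUT from Postman or the browser has to carry that header with the signed value.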

github-actions[bot] commented 1 week ago

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.