Open pkage opened 1 year ago
This is either here in boto3 or deep in botocore. I'll peek into this, but this should definitely be a p0 bug -- There's no reason we should be building invalid pre-signed URLs.
The only reference to s3v4 in boto3 itself is in https://github.com/boto/boto3/blob/8a64e31f3defe3af3098bf641d9926c92c0b0589/tests/integration/test_s3.py#L502
This test isn't particularly conclusive either -- it tests the S3 transfer manager more than anything else.
Looks like this bug is still here, which makes some downloads impossible, as Signature Version 2 is being turned off (deprecated) in Amazon S3. Amazon S3 will then only accept API requests that are signed using Signature Version 4.
We received this response through AWS support on this issue
"During the investigation, The internal SDK team found that boto3 allows you to generate a presigned URL with the signed header x-amz-request-payer. However, the x-amz-request-payer header is not being passed in the presigned URL request. This occurs because boto3 is treating x-amz-request-payer as a header and not as a query parameter causing x-amz-request-payer to not be set in the header resulting in the presigned URL to return the error: SignatureDoesNotMatch [1]. For the presigned URL request to succeed, you would need to supply the x-amz-request-payer header to your presigned request as S3 API cannot supplement the query parameter as a standalone link with the current variant of SigV4."
In summary, a header of x-amz-request-payer: requester needs to be included.
I consider this a partial solution. It's sufficient in scenarios where objects are being downloaded in backend scripts (where you have control over headers). But doesn't help if object is being downloaded in frontend, via opening link in new window.
Describe the bug
When generating a pre-signed RequesterPays S3 get_object URL with boto3, the generated URL is invalid if the signature method used is the recommended v4 signature method. Given that this is the recommended method for S3 signature authentication (and the only one supported in new regions such as eu-central-1), this makes creating these URLs impossible. It seems like the X-Amz-Request-Payer is not being properly added to the request, causing a signature mismatch on the AWS side when verifying the URL.

Expected Behavior
Expected a valid presigned RequesterPays url, similar to using default (v2) authentication.
Current Behavior
S3 returns a SignatureDoesNotMatch error, with message "The request signature we calculated does not match the signature you provided. Check your key and signing method." The full XML response is below:

Full response (with AWS AccessKeyIDs redacted):

```xml
SignatureDoesNotMatch
```
Reproduction Steps
(also as a gist, includes Poetry lockfile)
Possible Solution
In the CanonicalRequest section of the XML trace above, X-Amz-Request-Payer=requester is not included as a parameter but is listed in X-Amz-Signed-Headers. I suspect that that's the issue, but I'm not sure how to go about attaching that as it seems to be coming from the very depths of boto3.

Additional Information/Context
Additionally, attempting to inject the header through the event system didn't seem to have any effect, though it's possible I'm misunderstanding something:
SDK version used
boto3 1.26.121
Environment details (OS name and version, etc.)
Python 3.10 on arm64-apple-darwin22.2.0
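The signed-headers mismatch described under Possible Solution, and the header-based workaround from the AWS support reply quoted above, as an added example (not code from this issue or from boto3): a stdlib-only check that inspects a presigned URL's X-Amz-SignedHeaders, reports which signed headers a plain link opened in a browser cannot carry, and returns the headers a backend client must add. The sample URL, bucket, key, credential and signature values are constructed placeholders.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a SigV4 presigned GET URL of the shape the report describes.
# X-Amz-SignedHeaders names x-amz-request-payer, yet the URL carries no such
# parameter, so a bare GET sends no such header and S3 computes a different
# signature. Bucket, key, credential and signature are made-up placeholders.
SAMPLE_URL = (
    "https://example-bucket.s3.eu-central-1.amazonaws.com/path/object.bin"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20230501%2Feu-central-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20230501T000000Z"
    "&X-Amz-Expires=3600"
    "&X-Amz-SignedHeaders=host%3Bx-amz-request-payer"
    "&X-Amz-Signature=" + "0" * 64
)

# Values for signed headers that a backend client can legitimately supply.
# 'host' is always satisfied by the URL itself and is never listed here.
KNOWN_HEADER_VALUES = {"x-amz-request-payer": "requester"}


def signed_headers(url: str) -> list[str]:
    """Lower-cased header names listed in the URL's X-Amz-SignedHeaders."""
    query = parse_qs(urlsplit(url).query)
    raw = query.get("X-Amz-SignedHeaders", [""])[0]
    return [h.lower() for h in raw.split(";") if h]


def headers_a_plain_link_cannot_carry(url: str) -> list[str]:
    """Signed headers other than 'host': each one must be sent explicitly,
    which a link opened in a new browser window cannot do."""
    return [h for h in signed_headers(url) if h != "host"]


def is_browser_safe(url: str) -> bool:
    """True when the URL works as a standalone link with no extra headers."""
    return not headers_a_plain_link_cannot_carry(url)


def headers_for_backend_download(url: str) -> dict[str, str]:
    """Extra headers a backend client must add (the partial workaround from
    the AWS support reply). Raises if a signed header has no known value,
    since guessing one would only reproduce SignatureDoesNotMatch."""
    required = headers_a_plain_link_cannot_carry(url)
    unknown = [h for h in required if h not in KNOWN_HEADER_VALUES]
    if unknown:
        raise ValueError(f"no known value for signed header(s): {unknown}")
    return {h: KNOWN_HEADER_VALUES[h] for h in required}
```

Running is_browser_safe on a URL before handing it to a frontend catches this class of broken link without a round trip to S3; the check is structural only and does not verify the signature itself.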