Cannot upload files via a pre-signed URL to buckets with enforced server-side-encryption #1576
Comments
After some digging in the request pre-signer code, I found the part that is responsible for moving This code hoists all headers starting with
Using

```javascript
const url = await s3V2.getSignedUrlPromise("putObject", {
  Bucket,
  ContentDisposition,
  ContentType,
  Key,
  ServerSideEncryption,
});
/*
This produces something similar to:
https://my-bucket.s3.amazonaws.com/my/key?
  Content-Type=image%2Fpng&
  X-Amz-Algorithm=AWS4-HMAC-SHA256&
  X-Amz-Credential=ACCESSKEY%2F20201019%2Fus-east-1%2Fs3%2Faws4_request&
  X-Amz-Date=20201019T145206Z&
  X-Amz-Expires=3600&
  X-Amz-Signature=ab09bf88717c30daa6fca8d8add3f0b1b2403a64ef18f175284e12fa88f9a49e&
  X-Amz-SignedHeaders=content-disposition%3Bhost%3Bx-amz-server-side-encryption&
  x-amz-server-side-encryption=AES256
*/
```

Notice that in the above example
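An added example, not part of the original thread or of either SDK: a small Node.js checker that parses a presigned URL like the one quoted above and reports which headers are listed in `X-Amz-SignedHeaders` (and so have to accompany the upload request) and which `x-amz-*` values appear in the query string. The function name `inspectPresignedUrl` and the second URL are constructed for illustration.

```javascript
// Added example (not SDK code): report how a presigned S3 URL carries x-amz-* values.
const SIGV4_PARAMS = new Set([
  "x-amz-algorithm", "x-amz-credential", "x-amz-date", "x-amz-expires",
  "x-amz-signature", "x-amz-signedheaders", "x-amz-security-token",
]);
const SSE = "x-amz-server-side-encryption";

function inspectPresignedUrl(presignedUrl) {
  const query = new Map();
  for (const [name, value] of new URL(presignedUrl).searchParams) {
    query.set(name.toLowerCase(), value);
  }
  // X-Amz-SignedHeaders is a ';'-separated list of lowercase header names.
  const signedHeaders = (query.get("x-amz-signedheaders") || "").split(";").filter(Boolean);
  // x-amz-* values in the query string that are not SigV4's own parameters.
  const hoistedToQuery = [...query.keys()].filter(
    (name) => name.startsWith("x-amz-") && !SIGV4_PARAMS.has(name)
  );
  return {
    signedHeaders,
    // Signed headers other than host have to be sent by the uploader with the signed values.
    headersClientMustSend: signedHeaders.filter((h) => h !== "host"),
    hoistedToQuery,
    // Present in the query string but not listed in X-Amz-SignedHeaders.
    queryOnly: hoistedToQuery.filter((name) => !signedHeaders.includes(name)),
    sseInSignedHeaders: signedHeaders.includes(SSE),
    sseInQuery: query.has(SSE),
  };
}

// The URL quoted in the comment above (v2 SDK output).
const v2Url = [
  "https://my-bucket.s3.amazonaws.com/my/key?Content-Type=image%2Fpng",
  "X-Amz-Algorithm=AWS4-HMAC-SHA256",
  "X-Amz-Credential=ACCESSKEY%2F20201019%2Fus-east-1%2Fs3%2Faws4_request",
  "X-Amz-Date=20201019T145206Z",
  "X-Amz-Expires=3600",
  "X-Amz-Signature=ab09bf88717c30daa6fca8d8add3f0b1b2403a64ef18f175284e12fa88f9a49e",
  "X-Amz-SignedHeaders=content-disposition%3Bhost%3Bx-amz-server-side-encryption",
  "x-amz-server-side-encryption=AES256",
].join("&");
// Constructed variant: the SSE value stays in the query but is not a signed header.
const queryOnlyUrl = v2Url.replace("%3Bx-amz-server-side-encryption", "");

console.log(inspectPresignedUrl(v2Url));
console.log(inspectPresignedUrl(queryOnlyUrl));
```
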
@vecerek Thanks a lot for the deep dive you've already done. As mentioned in the conversation in the Ruby SDK, S3 requires I will add a config to
@AllanZhengYP do I understand correctly that the
@vecerek Yes,
Describe the bug
Cannot generate a correct presigned URL for buckets with enforced server-side-encryption. Similar to the issue in aws-sdk-ruby and to this SO question.
SDK version number
v3; 1.0.0-gamma.4
Is the issue in the browser/Node.js/ReactNative?
Node.js
Details of the browser/Node.js/ReactNative version
v14.11.0
To Reproduce (observed behavior)
Have a bucket policy containing a `DenyIncorrectEncryptionHeader` and a `DenyUnEncryptedObjectUploads` statement like so:
Server-side code:
Client-side code:
The above command results in `HTTP/1.1 403 Forbidden`:
Notice that `x-amz-server-side-encryption` does not have the same casing as the other `X-Amz` query params and follows the `X-Amz-SignedHeaders` param. Should it probably be part of the signed headers instead of being a query param?
If I decide to not send the `X-Amz-Server-Side-Encryption` header along the client-side request, I get the following `HTTP/1.1 403 Forbidden` error:
Also, I was able to confirm that removing the two statements from the bucket policy results in a successful file upload. However, that is not an acceptable/possible workaround.
Expected behavior
I expect the curl command to result in `200 OK` and an uploaded file in the bucket.
Dependencies: