-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
generate_presigned_url no longer works, gives: SignatureDoesNotMatch #1644
Comments
@Trogious I just have some questions to help narrow this down:
I suspect that the headers being signed in the presigned url are not the same as the headers the browser may be sending. |
This bug is true. The presigned url is outdated and does not output the same values as other SDKs (for example the Ruby one). |
@lu1s in your example (the output from boto3 I mean), have you used v4 signature or v2 (the old one)? |
Request headers:
Query string params parsed:
|
@Trogious I'm using the v1 I guess. At the end is the only method that boto3 has. I installed boto3 from pip3 so its version is 1.7.82, yet I don't know about which signature version it is). |
After several hours of hitting this same issue, changing the addressing_style to 'path' made everything work for me, including custom headers... See docs here: https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3.html#changing-the-addressing-style |
@imperio59 Fixed my issue, you da man! Does this mean the root of the issue is how DNS propogates through AWS for S3 buckets - and will go away on its own after all the propagation is done? |
@alexivkin I don't think so, I just think that's the URL style that works with this library :D |
@imperio59 's answer helped, but I also needed to set
boto3 1.9.28 (1.9.34 is latest available) |
@hamx0r Yes I also had to set the signature_version to s3v4 to make it work :) |
I'm having a similar problem, but I'm using django-storages library for interacting with boto3. can someone help me correct this? boto3=1.9.63 |
Hello @Senitram666 . Could you properly pre-sign the URL that it gets back to you with a |
Hello @lu1s |
Hello @Senitram666 , |
@lu1s There's nothing inherently wrong with either of those URLs you posted previously, just that they're using two different signature versions. It is possible that switching from It's also worth nothing that some regions only support SigV4 and you'll need to ensure that you're using it for those regions. Using the latest version of boto3 I was able to successfully generate and use a presigned URL created with all permutations of SigV2/SigV4 and path/virtual addressing style for a bucket that existed for quite some time. Let me know if that clears things up. |
This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further. |
Thanks @Trogious ! I fixed it passing the s3 = session.client('s3',
config=boto3.session.Config(signature_version='s3v4'),
region_name='eu-central-1'
) |
Just In case none of the solutions above represents your case, however, I had a similar issue trying @sejas's solution, it did not work. In my case, I found that the Public Access Block was disabled for S3 bucket and just by enabling the Block it started working. |
I needed BOTH
... and then the functional part ...
Not sure how to make the URL last 7 days as requested. That has to do with the IAM I used, but working on it. |
Without addressing_style: path I get this log:
Which generates this url:
Which when opened redirects to this url:
Where CanonicalRequest changes the host too:
For some reason the code uses When I initialize the client with region specified, the local canonical host is still the same: Edit: got it working with |
Any reason why using s3v4 and setting addressing_style: path are not default behavior? Most of the time boto3 just seems to work, but presigned S3 URLs requires knowing about these special configurations. |
The browser gives a 403 and:
Signing with:
works perectly. The presigner profile has the same keys as the python code above.
Versions:
Python 3.7.0 (had the same issue with 3.6.*)
boto3-1.7.70
botocore-1.10.70
s3transfer-0.1.13
Please also read this: https://stackoverflow.com/questions/50213740/aws-s3-presigned-urls-with-boto3-signature-mismatch
The text was updated successfully, but these errors were encountered: