Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

using pre-signed url for PUT returns SignatureDoesNotMatch using SSE-C

See original GitHub issue

If I use ServerSideEncryption this entire workflow is perfect. I can upload a file using the pre-signed url and offer a link to my end users without having to send any header information (in the PUT or GET).

However, switching over to use SSECustomerKey causes the same workflow to error out.

It generates the proper signed url for a PUT request, but when I attempt to upload it fails with a SignatureDoesNotMatch error.

I have seen in some other tickets that you have to send the same headers across when using a signedurl. However, I’m not sending those headers across when I use ServerSideEencryption and it works fine.

I was hoping and assumed that because the signed url includes the header information in the query string that it would just work. Which it does for sse. The moment I switch it to sse-c it errors out.

If I do have to send the headers for sse-c… how am I supposed to offer a link for people to click on our site? And why does it work for sse, but not sse-c?

Issue Analytics

State:
Created 8 years ago
Comments:35 (12 by maintainers)

Top GitHub Comments

1reaction

xpressivecodecommented, Dec 31, 2017

hey @Timer here is the OpenResty configuration we used for prototyping the solution. You need to use openresty, as it has functionality that isn’t available with nginx ootb.

error_log 			       logs/error.log;

events {
	worker_connections	   1024;
}

http {
    client_max_body_size            20M;
	proxy_headers_hash_bucket_size	1024;
	map $is_args $algorithm {
        default $arg_x-amz-server-side-encryption-customer-algorithm;
    }

    map $is_args $key {
        default $arg_x-amz-server-side-encryption-customer-key;
    }

    map $is_args $md5 {
        default $arg_x-amz-server-side-encryption-customer-key-md5;
    }

    map $is_args $ct {
        default $arg_content-type;
    }

    server {
	
        listen 8888;

	location /hc {
		return 200 'hello';		
	}

        location ~* ^/storage/(.*) {
            if ($request_method = OPTIONS ) {
			     add_header Access-Control-Allow-Origin "*";
			     add_header Access-Control-Allow-Methods "GET, OPTIONS, PUT";
			     add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With, Cache-Control, Accept, Origin, X-Session-ID,Access-Control-Allow-Origin";
			     return 200;
		    }
		
            resolver                 8.8.8.8 valid=300s;
            resolver_timeout         10s;

            set_unescape_uri	     $sig $arg_signature;
            set_unescape_uri	     $ak $arg_awsAccessKeyId;

            set $ct                 'Content-Type=$ct';
            set $s3_bucket          'your-bucket.s3.amazonaws.com';

            set $aws_access_key     'AWSAccessKeyId=$ak';
            set $url_expires        'Expires=$arg_expires';
            set $url_signature      'Signature=$arg_signature';
            set $url_full           '$1?$aws_access_key&$url_expires&$url_signature&ct';

            set_unescape_uri	     $a $algorithm;
            set_unescape_uri	     $k $key;
            set_unescape_uri	     $m $md5;

            proxy_http_version       1.1;
            proxy_set_header         Host $s3_bucket;
            proxy_set_header         Authorization '';
            proxy_hide_header        x-amz-id-2;
            proxy_hide_header        x-amz-request-id;
            proxy_hide_header        Set-Cookie;
            proxy_ignore_headers     "Set-Cookie";
            proxy_buffering          off;
            proxy_intercept_errors   on;

            proxy_set_header         x-amz-server-side-encryption-customer-algorithm 	$a;
            proxy_set_header         x-amz-server-side-encryption-customer-key 		$k;
            proxy_set_header         x-amz-server-side-encryption-customer-key-md5 		$m;

            proxy_pass               https://$s3_bucket/$url_full;
        }
    }
}

0reactions

lock[bot]commented, Sep 29, 2019

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.

Top Results From Across the Web

Upload a file to Amazon S3 with presigned url + PUT request ...

I figured out how to upload with POST request(instead of PUT, it's a workaround solution) and here is how: For your brower:

S3 Signature Does Not Match Error When Using A Pre Signed ...

So I made my pre signed url using the AWS SDK: ... return the pre-signed url, then use this url to upload the...

Bug #23470: presigned URL for PUT with metadata fails ...

Pre-signed URLs for PUT without metadata works fine. Pre-signed URL for PUT with metadata gives SignatureDoesNotMatch. Happens for both v2 & v4 signature....

Presigned URLs · Cloudflare R2 docs

A presigned URL authorizes anyone with the URL to perform an action to the S3 compatibility endpoint for an R2 bucket.

S3 SignatureDoesNotMatch error when using presigned ...

The first load of the content will render correctly but subsequent load will fail as Drupal will append &itok=123456 to AWS S3 presigned...