Custom Headers in Presigned URLs Construction
See original GitHub issuePython: 2.7.5 Boto: 2.48.0 Boto3: 1.4.7 Botocore: 1.7.19
Query String Request Authentication Alternative specifies the format of the StringToSign that might be followed to create a signature of the pre-signed url. Namely,
Signature = URL-Encode( Base64( HMAC-SHA1( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) ) );
StringToSign = HTTP-VERB + "\n" +
Content-MD5 + "\n" +
Content-Type + "\n" +
Expires + "\n" +
CanonicalizedAmzHeaders +
CanonicalizedResource;
The use case is to be able to provide a custom header like Content-MD5 to participate in signature construction.
This is perfectly fine with the boto library
import boto
## [s3]
## use-sigv4 = True
boto.config.load_from_path('.boto')
conn = boto.connect_s3(profile_name = "_profile_name_", host = "s3.amazonaws.com")
presigned_url = conn.generate_url(
expires_in=3600,
method='GET',
bucket='_bucket_name_',
key='_key_',
headers={'Content-MD5': 'c3993a7637ae5d90e70106050ef6926f'}
)
Seems like this same feature cannot be achieved with boto3.
Can this be confirmed and what is the reason behind degrading this feature from the new version of the library? May it be expected to return in the future versions?
Issue Analytics
- State:
- Created 6 years ago
- Reactions:3
- Comments:11 (1 by maintainers)
Top Results From Across the Web
Using presigned URLs - Amazon Simple Storage Service
Use a presigned URL to share or upload objects in Amazon S3 without requiring AWS security credentials or permissions.
Read more >Dynamically set content-type headers for S3 presigned urls ...
A quick dev tip for working with S3 and fetch POST requests.
Read more >created s3 presigned url (put) with custom headers with boto3
It is a NO and is still classified as a feature request as of Oct 2017. https://github.com/boto/boto3/issues/1294. Hope it helps.
Read more >Getting Pre-Signed URLs | Tencent Cloud
Request headers that need to be signed in a pre-signed URL. The pre-signed URL itself does not include request headers, but request headers...
Read more >Working with S3 pre-signed URLs - Altostra
For example, if you generate a pre-signed URL with the Content-Type header, then you must also provide this header when you access the...
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
I would rather we do keep separate flavors of the issue described here. I specifically stressed out the possibility to have the signature be customized in terms of adding additional components that participate in the process.
Content-MD5 being described as “meaningless” in the GET requests does not disallow it to be present. After all, empty value still gives you a hash albeit deterministic.
The use case described just brings up some additional custom contract to the process. If say Alice and Bob decide to include the custom header in the process of signing url requests, than Charlie being not a part of that contract will have an additional step to be able to get a pre-signed url working for him.
There are lots of scenarios that might be exampled here, without stressing out a specific header.
In the meantime, other SDKs like AWS Java SDK and a “hand-coded” boto library does support that feature without violating any strict contract from the AWS Signing Interface.
see also https://github.com/boto/boto3/discussions/3342