Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Pre-signed URL issues (generate_presigned_post and generate_presigned_url)

See original GitHub issue

Hi there,

I’m having two issues which I believe are related. I’ve already spent a few hours trying to figure this out and it looks like a bug. I finally stumbled on a solution that works, but it’s not ideal.

Here is the setup:

Doesn’t work

s3 = boto3.client(
    "s3",
    aws_access_key_id=self.aws_access_key_id,
    aws_secret_access_key=self.aws_secret_access_key,
)
signature = s3.generate_presigned_post(
    Bucket=bucket,
    Key=key,
    Fields={"acl": "private", "Content-Type": file_type},
    Conditions=[{"acl": "private"}, {"Content-Type": file_type}],
    ExpiresIn=expires_in,
)

Results in signature["url"] = "https://{bucket}.s3.amazonaws.com/" Should instead be "https://{bucket}.s3.{region}.amazonaws.com/"

Without region, there is a redirect on the frontend which breaks CORS. See also #421.

url = s3.generate_presigned_url(
    'get_object',
    Params={
        'Bucket': bucket,
        'Key': key,
    },
    HttpMethod="GET",
)

This URL always results in SignatureDoesNotMatch. Presumably also because it is missing the region, and it also gets redirected.

For what it’s worth, the region I’m testing with is ‘us-east-2’

Works

# This needs to be changed for the frontend to upload
signature["url"] = f"https://{self._bucket}.s3.{self._region}.amazonaws.com/"

# This client init config makes the signature work for download.
s3 = boto3.client(
    "s3",
    "us-east-2",  # Not specifying this breaks.
    config=Config(s3={'addressing_style': 'path'})
    aws_access_key_id=self.aws_access_key_id,
    aws_secret_access_key=self.aws_secret_access_key,
)

This is not an acceptable path forward because AWS is retiring the path addressing_style.

Remainder of the code the same.

Any help greatly appreciated! Thank you for your hard work maintaining this library.

Issue Analytics

State:
Created 4 years ago
Reactions:4
Comments:18 (5 by maintainers)

Top GitHub Comments

10reactions

pcraciunoiucommented, Jun 6, 2019

Just wanted to follow up that this doesn’t work again. I’m not sure what changed, but now I get:

The request signature we calculated does not match the signature you provided. Check your key and signing method.

Again, switching to the path style fixes the issue. So the diff is just:

-                config=Config(signature_version="s3v4"),
+                config=Config(s3={'addressing_style': 'path'}),

9reactions

getup8commented, Nov 28, 2019

@revmischa, I had a similar issue (I wanted virtual, regional URLs in my presigned URL), and used your setting but also needed to explicitly specify virtual paths in the config.

import boto3
from botocore.client import Config

region = 'us-east-1'

s3 = boto_session.client(
    's3',
    endpoint_url=f'https://s3.{region}.amazonaws.com',
    config=Config(s3={'addressing_style': 'virtual'}))