Presigned url not creating a valid URL for `af-south-1`
Describe the bug
Presigned url does not create a url for the region_name specified
Steps to reproduce
It's worth noting the code I am working on has its own mechanism for storing secrets, so they are retrieved as the variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_STORAGE_BUCKET_NAME`.
- Create a bucket in the region `af-south-1`
- Place a file in it.
- Try to generate a presigned URL with the following code:
- I only specify the region_name again when creating the resource because it's not working:
```python
import boto3

# AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_STORAGE_BUCKET_NAME and
# TEST_FILE_NAME are defined elsewhere (loaded from the project's secret store).
session = boto3.Session(
    aws_access_key_id=AWS_ACCESS_KEY_ID,
    aws_secret_access_key=AWS_SECRET_ACCESS_KEY,
    region_name='af-south-1')
print(session.region_name)  # prints af-south-1

resource = session.resource('s3', region_name='af-south-1')
response = resource.meta.client.generate_presigned_url(
    'get_object',
    Params={'Bucket': AWS_STORAGE_BUCKET_NAME, 'Key': TEST_FILE_NAME},
    ExpiresIn=3600,
)
print(response)
```
- It will generate a url like:
https://bucket-name.s3.amazonaws.com/test1.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA32EU3DKFB3ACLEUV%2F20210928%2Faf-south-1%2Fs3%2Faws4_request&X-Amz-Date=20210928T130419Z&X-Amz-SignedHeaders=host&X-Amz-Expires=1800&X-Amz-Signature=0b684c8f423c9846cac3d437e3444972e2ead4f58ea967bc50c4942534aacf01
Which if tried gives an error:
```xml
<Error>
<Message>
<Code>IllegalLocationConstraintException</Code>
The af-south-1 location constraint is incompatible for the region specific endpoint this request was sent to.
</Message>
<RequestId>PJJQ0T7PAQHWQK5S</RequestId>
<HostId>
LmcUnFY3JJSd03OMzsGmxYO/tvl/PpYrEO6TtVI80AJiWHPrpge20gllm+RUkKC3ejuGwy8ZpG0=
</HostId>
</Error>
```
Expected behavior
A url more like af-south-1.amazonaws.com
Related to #2098, however I set the region name as shown above.
Issue Analytics
- State:
- Created 2 years ago
- Comments:5 (2 by maintainers)
Top GitHub Comments
Possible workaround without hardcoding the URL structure:
I know, it is not nice, the fix in boto3 would be much better, but it works and no hardcoding is needed.
Another workaround is to use an S3 Access Point in place of the bucket name.
For example, let’s assume you have a bucket named `bucketname` in `af-south-1` and create an access point named `bucketname-ap` for the bucket. You can then find the access point’s ARN from the AWS Console or using the s3-control `list_access_points` API and use it in place of the bucket name:
This will produce a URL in the correct regional format:
In fact, you don’t have to specify the `region_name` during client creation because boto3 will use the region name from the access point ARN.

That said, I agree that a fix in boto3 would be preferable to any workarounds. Further investigation is needed to understand exactly when the current behavior does not work to ensure that any change we make does not also modify currently working inputs.
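
A way to catch the mismatch reported in this issue before a URL is handed out, as an added example that is not part of the thread and not boto3 code: it compares the region in the SigV4 credential scope with the endpoint in the URL host. The function name `check_presigned_url`, the bucket name, the access key ID and the all-zero signature are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Virtual-hosted-style hosts: <bucket>.s3.amazonaws.com (global endpoint) or
# <bucket>.s3.<region>.amazonaws.com (regional endpoint).
_HOST_RE = re.compile(
    r"^(?P<bucket>.+)\.s3(?:[.-](?P<region>[a-z]{2}(?:-[a-z]+)+-\d))?"
    r"\.amazonaws\.com$")


def check_presigned_url(url):
    """Compare the region in the SigV4 credential scope with the URL host."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    # X-Amz-Credential is <key id>/<yyyymmdd>/<region>/<service>/aws4_request
    scope = query["X-Amz-Credential"][0].split("/")
    if len(scope) != 5 or scope[4] != "aws4_request":
        raise ValueError("unexpected X-Amz-Credential scope")
    m = _HOST_RE.match(parts.hostname or "")
    if not m:
        raise ValueError("not a virtual-hosted-style amazonaws.com S3 host")
    signed_region, host_region = scope[2], m.group("region")
    signed_headers = query.get("X-Amz-SignedHeaders", [""])[0].split(";")
    return {
        "bucket": m.group("bucket"),
        "signed_region": signed_region,
        "host_region": host_region,  # None means the global endpoint
        "host_matches_scope": host_region == signed_region,
        # When host is a signed header, swapping the host after signing
        # invalidates the signature: the endpoint must be right before signing.
        "host_is_signed": "host" in signed_headers,
        "expected_host": f"{m.group('bucket')}.s3.{signed_region}.amazonaws.com",
    }


# Constructed sample URLs (placeholder key ID, dummy signature).
_QUERY = (
    "X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLEKEYID0000%2F20210928%2Faf-south-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20210928T130419Z&X-Amz-SignedHeaders=host"
    "&X-Amz-Expires=3600&X-Amz-Signature=" + "0" * 64)
GLOBAL_URL = "https://example-bucket.s3.amazonaws.com/test1.pdf?" + _QUERY
REGIONAL_URL = "https://example-bucket.s3.af-south-1.amazonaws.com/test1.pdf?" + _QUERY
```
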