-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pre-signed URL issues (generate_presigned_post and generate_presigned_url) #1982
Comments
FWIW I've also looked at #1644 (this comment helped) and #923. |
@pcraciunoiu - Thank you for your post. As per the documentation the response url doesn't include region. This is the expected url And for the second example when i run your code i am not getting any error with the latest version of boto3. Hope it helps ad let me know if you have any further questions. |
@swetashre but the URL always gets redirected, what's the point of generating it without the region? So you were able to run it with virtual and the file loads in your browser for the presigned URL? I am using the code above with defaults and I'm not sure why it's not working. Can you post a sample of what you get... I tried this a bunch of different times and was not able to get a URL that actually downloads the file for |
Also thank you for your prompt response. I really appreciate it! |
@pcraciunoiu - Thank you for your reply. Here is the code snippet with response from import boto3
s3 = boto3.client('s3')
url = s3.generate_presigned_url(
'get_object',
Params={
'Bucket': 'testbucket',
'Key': 'outfile.txt',
},
HttpMethod="GET",
) |
Yeah, looks like only v4 is supported for this bucket, in
|
If I do this instead, I get a different error:
And if I specify the region, then it works. So I may have stumbled upon a better option than doing path access. I'll try that out in the code path and see if it works. For the URL in the signature, it seems to me like there should be a way to have it include the region to avoid the redirect... |
OK, that worked. So it seems like for certain regions the region AND the config v4 need to both be specified. Otherwise the signed URLs don't work. Might need to update the docs for As far as the URL signature, I am doing that string replace, but I'm open to better options. I'm curious why you wouldn't want to include it in the signature URL though. |
Just wanted to follow up that this doesn't work again. I'm not sure what changed, but now I get:
Again, switching to the path style fixes the issue. So the diff is just: - config=Config(signature_version="s3v4"),
+ config=Config(s3={'addressing_style': 'path'}), |
@pcraciunoiu - Thanks for the feedback. Are you still getting the error ? There are certain regions which does not support signature version 2 and for that you have to use v4. Here is the link to documentation: It is possible that switching from virtual to path addressing style could fix pre-signed URLs signed using SigV4. For SigV4 the host is signed as part of the signature, which can cause problems for newly created buckets when virtual addressing style is being used. S3 will redirect to a different host for buckets that DNS haven't propagated for, which leads signature mismatch errors as the host is no longer correct. Are you still getting error when you specify both signature version and region ? Can you please provide the debug log ? |
@swetashre yes I got the error when I specify signature version and region. I wasn't able to reproduce it, so I'm not sure what's going on :) Maybe I'm crazy. |
@pcraciunoiu - Thanks for the reply. I am not able to reproduce your issue. It would have been very useful if we had gotten the debug log. Please make sure you are using correct region where the bucket exists and that region supports the specified signature version. At any way it is working fine for you now. |
@pcraciunoiu Thing is, s3v4 is going to be the only mechanism starting June 20th as s3v2 is being decommissioned. |
Thanks, not so relevant to the issue posted. I think the problem is caused by addressing_style sometimes, and specifying region and or signature v4 seems to fix the URL for |
@pcraciunoiu - Thanks for all the feedback. I assume this issue has been solved for you. So i am closing this. Please reopen if you have any questions. |
fwiw i am also seeing this issue. Until a newly created bucket's global DNS gets set up, presigned URLs generated with |
Does this work? s3 = boto_session.client("s3", endpoint_url=f"https://s3.{region}.amazonaws.com") |
@revmischa, I had a similar issue (I wanted virtual, regional URLs in my presigned URL), and used your setting but also needed to explicitly specify virtual paths in the config. import boto3
from botocore.client import Config
region = 'us-east-1'
s3 = boto_session.client(
's3',
endpoint_url=f'https://s3.{region}.amazonaws.com',
config=Config(s3={'addressing_style': 'virtual'})) |
Hi there,
I'm having two issues which I believe are related. I've already spent a few hours trying to figure this out and it looks like a bug. I finally stumbled on a solution that works, but it's not ideal.
Here is the setup:
Doesn't work
Results in
signature["url"] = "https://{bucket}.s3.amazonaws.com/"
Should instead be
"https://{bucket}.s3.{region}.amazonaws.com/"
Without region, there is a redirect on the frontend which breaks CORS. See also #421.
This URL always results in
SignatureDoesNotMatch
. Presumably also because it is missing the region, and it also gets redirected.For what it's worth, the region I'm testing with is 'us-east-2'
Works
This is not an acceptable path forward because AWS is retiring the path
addressing_style
.Remainder of the code the same.
Any help greatly appreciated! Thank you for your hard work maintaining this library.
The text was updated successfully, but these errors were encountered: