boto3 icon indicating copy to clipboard operation
boto3 copied to clipboard

Published 20 hours ago verified publisher icon boto

`virtual` addressing_style not working with ap-south-1 (`path` working though)

Open jerinpetergeorge opened this issue 1 year ago • 2 comments

Describe the bug

I get 403 while accessing a pre-signed URL generated using virtual addressing style. Even though if I change the type to path, the generated URL will work without any issues.

Expected Behavior

User must be able to access the signed URL without any issues (without 403)

Current Behavior

Generated URL raising a 403 error

<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
<AWSAccessKeyId>AKIA52OCN2VBLVRWAARQ</AWSAccessKeyId>
<StringToSign>AWS4-HMAC-SHA256 20230925T061655Z 20230925/ap-south-1/s3/aws4_request e55ffbec2d2b08061a69d7d337ab96326a73fa3b48b9000e1030130eb6d209b3</StringToSign>
<SignatureProvided>26eb22997036dc86e50e861d72e6ccc367432a27d492dd7523ac64ae97b74d1c</SignatureProvided>
<StringToSignBytes>41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 33 30 39 32 35 54 30 36 31 36 35 35 5a 0a 32 30 32 33 30 39 32 35 2f 61 70 2d 73 6f 75 74 68 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 65 35 35 66 66 62 65 63 32 64 32 62 30 38 30 36 31 61 36 39 64 37 64 33 33 37 61 62 39 36 33 32 36 61 37 33 66 61 33 62 34 38 62 39 30 30 30 65 31 30 33 30 31 33 30 65 62 36 64 32 30 39 62 33</StringToSignBytes>
<CanonicalRequest>GET /expense-files/payment/user-1/709-test-file.txt X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIA52OCN2VBLVRWAARQ%2F20230925%2Fap-south-1%2Fs3%2Faws4_request&X-Amz-Date=20230925T061655Z&X-Amz-Expires=10&X-Amz-SignedHeaders=host host:dj-aio.s3.ap-south-1.amazonaws.com host UNSIGNED-PAYLOAD</CanonicalRequest>
<CanonicalRequestBytes>47 45 54 0a 2f 65 78 70 65 6e 73 65 2d 66 69 6c 65 73 2f 70 61 79 6d 65 6e 74 2f 75 73 65 72 2d 31 2f 37 30 39 2d 74 65 73 74 2d 66 69 6c 65 2e 74 78 74 0a 58 2d 41 6d 7a 2d 41 6c 67 6f 72 69 74 68 6d 3d 41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 26 58 2d 41 6d 7a 2d 43 72 65 64 65 6e 74 69 61 6c 3d 41 4b 49 41 35 32 4f 43 4e 32 56 42 4c 56 52 57 41 41 52 51 25 32 46 32 30 32 33 30 39 32 35 25 32 46 61 70 2d 73 6f 75 74 68 2d 31 25 32 46 73 33 25 32 46 61 77 73 34 5f 72 65 71 75 65 73 74 26 58 2d 41 6d 7a 2d 44 61 74 65 3d 32 30 32 33 30 39 32 35 54 30 36 31 36 35 35 5a 26 58 2d 41 6d 7a 2d 45 78 70 69 72 65 73 3d 31 30 26 58 2d 41 6d 7a 2d 53 69 67 6e 65 64 48 65 61 64 65 72 73 3d 68 6f 73 74 0a 68 6f 73 74 3a 64 6a 2d 61 69 6f 2e 73 33 2e 61 70 2d 73 6f 75 74 68 2d 31 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 0a 0a 68 6f 73 74 0a 55 4e 53 49 47 4e 45 44 2d 50 41 59 4c 4f 41 44</CanonicalRequestBytes>
<RequestId>MS80N0E710CFA222</RequestId>
<HostId>lt33+zwrcHKWLPzb9EJbgZrIM2bClGAN7pElSpHQXlOQagxisem7LSsqs8wDL0airUp3fj7sJqA=</HostId>
</Error>

Reproduction Steps

import boto3
from botocore.config import Config

# Constants
addressing_style = "virtual"
region = "ap-south-1"
aws_access_key_id = "AKIA52OCN2VBLVRWAARQ"
aws_secret_access_key = "aws_secret_access_key"
bucket_name = "dj-aio"
file_name = "expense-files/payment/user-1/709-test-file.txt"

# Create a client
config = Config(s3={"addressing_style": addressing_style}, signature_version="s3v4")
s3_client = boto3.client(
    "s3",
    region_name=region,
    aws_access_key_id=aws_access_key_id,
    aws_secret_access_key=aws_secret_access_key,
    config=config,
)

# Generate the URL to get 'key-name' from 'bucket-name'
signed_url = s3_client.generate_presigned_url(
    "get_object",
    Params={"Bucket": bucket_name, "Key": file_name},
    ExpiresIn=10,
)
print(signed_url)

Change the value of addressing_style to path will generate working URL, whereas virtual won't

Possible Solution

No response

Additional Information/Context

The issue only affects newly created buckets. Existing buckets, which were created months ago, don't have any issues.

SDK version used

1.28.53

Environment details (OS name and version, etc.)

Linux

jerinpetergeorge avatar Sep 25 '23 06:09 jerinpetergeorge

Does this work properly in other SDKs (e.g. the Java SDK)?

indrora avatar Sep 25 '23 18:09 indrora

TBH, I don't have much experience in other languages, but I'll try

jerinpetergeorge avatar Sep 25 '23 18:09 jerinpetergeorge

Is there any update on this issue? The Signature Does Not Match error can be caused by a few different things, here is a related troubleshooting guide: https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html#tshoot-signature-does-not-match

tim-finnigan avatar Jul 31 '24 20:07 tim-finnigan

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

github-actions[bot] avatar Aug 11 '24 00:08 github-actions[bot]