aws s3 pre-signed URL

[MilanDasek]

Hi,

we have a problem with sending pre-signed URL. This is our request:

PUT request for
https://bucket.s3-eu-west-1.amazonaws.com/id1/id2/id3?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIA..../20190702/eu-west-1/s3/aws4_request&X-Amz-Date=20190702T101920Z&X-Amz-Expires=86400&X-Amz-SignedHeaders=host&X-Amz-Signature=aws_signature

but we receive an error:

InvalidAccessKeyId
<Message>The AWS Access Key Id you provided does not exist in our records.</Message><AWSAccessKeyId>ASIA.....

ASIA... is session (temporary) access key. I have found we need to add Session Token to the request, but we don't have it right (kiam has this token for this call)?

Also when I call aws sts get-session-token from within the POD, I get an error An error occurred (AccessDenied) when calling the GetSessionToken operation: Cannot call GetSessionToken with session credentials

We use JAVA SDK and InstanceProfileCredentialsProvider for getting credentials inside the POD.

Can you please advise?

[pingles]

The credentials Kiam issues already include a session token, the structure that's returned is set in https://github.com/uswitch/kiam/blob/master/pkg/aws/sts/credentials.go#L20.

You can curl http://169.254.169.254/latest/meta-data/iam/security-credentials/my-role-here from your Pod and you should see the JSON data with the credentials and session token.