
I encounter a SignNotMatch error when I generate a presigned URL with boto3 using the code below:

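```python
from boto3.session import Session
from botocore.client import Config

# access_key, secret_key, OSS_ENDPOINT, bucket and key are defined elsewhere
session = Session(access_key, secret_key)

# Force Signature Version 4 for the presigned URL
s3 = session.client('s3', endpoint_url=OSS_ENDPOINT, config=Config(signature_version='s3v4'))
url = s3.generate_presigned_url(
    ClientMethod='get_object',
    Params={
        'Bucket': bucket,
        'Key': key
    }
)
```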

And then parse the request and resign (use AWS Go SDK `signer.Presign`) it in our proxy, and I always get a not match error.

Then I turned on debug mode in boto3 and added logging to the AWS Go SDK, and found that they calculate the Canonical Request in different ways:

Canonical Request:

```
HTTP Verb + '\n' +
Canonical URI + '\n' +
Canonical Query String + '\n' +
Signed Headers + '\n' +
"UNSIGNED-PAYLOAD"
```

The Go AWS SDK puts `X-Amz-Content-Sha256=UNSIGNED-PAYLOAD` in the Canonical Query String by default, while boto3 does not.

Is it supposed to, or am I using it the wrong way?

  • I don't understand this part of the question: *And then parse the request and resign (use AWS Go SDK `signer.Presign`) it in our proxy, and I always get a not match error.* This seems to imply that neither Boto3 nor Go is working as expected. – Michael - sqlbot Jun 07 '18 at 14:22
  • Does the Boto3 signature include `X-Amz-Credential`? If not, it is generating a V2 signature, which doesn't use the content sha. I don't think this is the issue, because your config appears to explicitly enable V4. – Michael - sqlbot Jun 07 '18 at 14:27
  • First, this is a v4 signature. Second, it means boto3 and aws-sdk-go use different ways to presign. I opened an issue in aws-sdk-go: https://github.com/aws/aws-sdk-go/issues/1974#issuecomment-395518188 – qingtengmuniao Jun 08 '18 at 02:22

0 Answers