3

I'm trying to generate a presigned URL for an S3 bucket on AWS to upload files to like this:

$ aws s3 presign s3://mybucket/somefolder/

Then I use that URL to upload a file:

$ curl "https://mybucket.s3.amazonaws.com/somefolder/?AWSAccessKeyId=***&Signature=***&Expires=***"  --upload-file "./file"

But then it prints out an XML error:

<?xml version="1.0" encoding="UTF-8"?>
<Error>
  <Code>SignatureDoesNotMatch</Code>
  <Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
  <AWSAccessKeyId>***********</AWSAccessKeyId>
  <StringToSign>PUT


    ************
    /mybucket/somefolder/</StringToSign>
  <SignatureProvided>**************</SignatureProvided>
  <StringToSignBytes>**************</StringToSignBytes>
  <RequestId>************</RequestId>
  <HostId>************</HostId>
</Error>

What am I doing wrong?

[UPDATE]

OK, so I have to specify the object name in the presigned URL. So I did but I'm still facing the same error message:

$ aws s3 presign s3://mybucket/someobject

And then:

$ curl "https://mybucket.s3.amazonaws.com/someobject?AWSAccessKeyId=***&Signature=***&Expires=***"  --upload-file "./file"

And I'll get the exact same error as before. To make sure that it's not a permission problem, I tested it like this:

$ aws s3 cp ./file s://mybucket/

And the file was copied! Any suggestions?

[UPDATE]

I even tested with an object which actually exists in the bucket and managed to successfully download it. But still I cannot write to the object, only read.

Mehran
  • 15,593
  • 27
  • 122
  • 221
  • 2
    You need to pre-sign a URL for the destination object itself, not the folder that the object is uploaded to. As an admin of the S3 bucket, *you* dictate what key the object is uploaded to; the uploading client does not. – jarmod Aug 24 '18 at 03:49

2 Answers2

11

It looks like cli command aws s3 presign is only for GetObject. Parameter 'get_object' is hardcoded in source code. (See line 671)

You can create presigned URL for PutObject using other SDK such as boto3. Make sure to set client method 'put_object'

yk125
  • 361
  • 3
  • 7
0

S3 signed urls are created on a per OBJECT basis and cannot be generated for a prefix (folder). If you want to upload some_file to some_folder you must generate a signed url for the whole object key:

 aws s3 presign s3://mybucket/some_folder/some_file

See this AWS documentation.

ninge
  • 1,592
  • 1
  • 20
  • 40