I keep on failing to use signed URLs for S3 objects residing in a bucket in the ap-east-1 (Hong Kong) AWS region.
Specifically, I first set the signature version to V4 (see https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version) like so:
aws configure set default.s3.signature_version s3v4
And then create a signed URL with this command:
aws s3 presign --region=ap-east-1 s3://<name of bucket in ap-east-1 region>/<object name>
When I test the resulting URL:
curl -i "https://<bucket name>.s3.amazonaws.com/<object name>?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=...%2Fap-east-1%2Fs3%2Faws4_request&X-Amz-Date=20190928T034534Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=..."
...I get an HTTP/400 response with the body set to:
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>IllegalLocationConstraintException</Code>
<Message>The ap-east-1 location constraint is incompatible for the region specific endpoint this request was sent to.
</Message>
<RequestId>...</RequestId>
<HostId>
Interestingly, when doing the same for an object in another bucket that resides in the us-west-2 (Oregon) AWS region, the resulting signed URL works fine.
Has anyone run into this problem? I don't quite know how to parse the error message, but I do wonder if I need to set the --endpoint-url
configuration setting and if so, to what?
Ideas anyone?
Thanks, Soeren