Aws-cli: Error SignatureDoesNotMatch when I try to use aws s3 presign with aws CLI

Created on 5 Feb 2020  路  6Comments  路  Source: aws/aws-cli

I checked this issue https://github.com/aws/aws-cli/issues/4658 but it seems there was no real solution.

I just created a new bucket, having no explicit bucket policy in place and try to generate a s3 presign URL to download files from it.

I also tried to use
aws configure set default.s3.signature_version s3v4

and then create the presign url
aws s3 presign s3://MY_BUCKET_NAME/MY_FILE.pdf --region eu-central-1

Which creates this kind of URL (I replacd accessKeyId with some X):
https://MY_BUCKET_NAME.s3.amazonaws.com/MY_FILE.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=XXXXXXXXXXXX%2F20200205%2Feu-central-1%2Fs3%2Faws4_request&X-Amz-Date=20200205T151230Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=...

I get this error when trying to use the URL in the browser to download the file:

The request signature we calculated does not match the signature you provided. Check your key and signing method.

The default profile uses AccessKeys belonging to an user with AdministratorRole. No further configuration on the blank bucket was done.

guidance response-requested
Source
picture goosefraba
👍2

Most helpful comment

Hi @goosefraba and @KangoV ,
Can you try adding the endpoint to the presign command and tell me if it works for you?
aws s3 presign --endpoint-url https://s3.eu-central-1.amazonaws.com s3://MY_BUCKET_NAME/MY_FILE.pdf --region eu-central-1

picture KaibaLopez on 10 Feb 2020
👍5

All 6 comments

Hi @goosefraba,
Quick questions here,

  • did you get the same error before and after doing the configure command?
  • how long did wait from generating the url and using it?

Also, just to make sure it's unrelated to your permissions, can you create the object from cli and try that?

aws s3api create-bucket --bucket MY_BUCKET_NAME --create-bucket-configuration LocationConstraint=eu-central-1
aws s3api put-object --bucket MY_BUCKET_NAME --key MY_FILE.pdf --body MY_FILE.pdf
aws s3 presign s3://MY_BUCKET_NAME/MY_FILE.pdf --region eu-central-1
KaibaLopez picture KaibaLopez on 7 Feb 2020

Hey there!
Yes, I did get the same error before and after setting the config.

I waited some seconds, maybe 10 or so. But even a minute later it occurred the same error.

goosefraba picture goosefraba on 7 Feb 2020

A few of us are having the exact same problem. 

darren@machine ~ $ aws --version
aws-cli/1.17.13 Python/3.7.5 Linux/5.3.0-29-generic botocore/1.14.13

I've tried the versions installed with snap and apt and get the same error.

KangoV picture KangoV on 10 Feb 2020

Hi @goosefraba and @KangoV ,
Can you try adding the endpoint to the presign command and tell me if it works for you?
aws s3 presign --endpoint-url https://s3.eu-central-1.amazonaws.com s3://MY_BUCKET_NAME/MY_FILE.pdf --region eu-central-1

KaibaLopez picture KaibaLopez on 10 Feb 2020
👍5

Yes that works for me, thanks. @KaibaLopez! 馃憦
As this is not obvious, is there a chance to fix this behaviour?

goosefraba picture goosefraba on 11 Feb 2020

I'm not sure but I'll look into it, at least maybe add documentation on the extra requirement.
For now I'll close the issue as solved, thanks for pointing it out.

KaibaLopez picture KaibaLopez on 11 Feb 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

matt-sexton picture matt-sexton  路  3Comments
maanbsat picture maanbsat  路  3Comments
975204 picture 975204  路  3Comments
kangman picture kangman  路  3Comments
braddr picture braddr  路  3Comments