Aws-sdk-go: S3 with IAM on EC2 Error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided.

Created on 14 Nov 2019  路  4Comments  路  Source: aws/aws-sdk-go

Please fill out the sections below to help us address your issue.

Version of AWS SDK for Go?

v1.20.16

Version of Go (go version)?

go version go1.11.4 darwin/amd64

What issue did you see?

SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
status code: 403, request id: AA078EBC33644F37, host id: KJk9RGx4+chqrp6CqUSlwJbpJVyjGT9DOJuKN0j2dOGBprsCOmtlCwgX+tq2WPNxyMWcQ06hnWk=

Steps to reproduce

I have an EC2 environment with IAM enabled for S3 operation. I'm able to successfully upload file using aws cli command, but always getting error when using aws-sdk-go (it never success).

I didn't put any authentication code on the session initialization because AFAIK when there is no credentials provided the sdk will automatically detect the auth method.

Here is my code:

// called once on main() function
func createSession() {
   // ...

    s3UploadPath = config.GetString("upload assets to s3.bucket")
    s3Config := aws.NewConfig()
    s3Config.CredentialsChainVerboseErrors = aws.Bool(true)

    sess, err := session.NewSession(s3Config)
    if err != nil {
        log.Fatal("Error initializing s3 uploader. " + err.Error())
    }

    v, err := sess.Config.Credentials.Get()
    fmt.Printf("credentials: %#v \n", v)

    uploader = s3manager.NewUploader(sess)
}

// called whenever user upload file to certain endpoint
func UploadHandler(w ResponseWriter, r *Request) {
    // ...

    fmt.Println("uploading", filename, "to", s3UploadPath)
    res, err := uploader.Upload(&s3manager.UploadInput{
        Bucket: aws.String(s3UploadPath),
        Key:    aws.String(filename),
        Body:   f,
    })
    if err != nil {
        log.Fatal("error on upload. " + err.Error())
    }

    // ...
}

credentials: credentials.Value{AccessKeyID:"...", SecretAccessKey:"...", SessionToken:"...", ProviderName:"EC2RoleProvider"}

uploading sample.png to ec-scb-scv/assets

error on upload. SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your key and signing method.
status code: 403, request id: AA078EBC33644F37, host id: KJk9RGx4+chqrp6CqUSlwJbpJVyjGT9DOJuKN0j2dOGBprsCOmtlCwgX+tq2WPNxyMWcQ06hnWk=

However when I'm trying to upload the same file into the same bucket using the CLI, the result is success

image

guidance

Most helpful comment

Just came up against this yesterday. There are hundreds of these questions all over the web, but I haven't seen this fix suggested: my bucket name contained a slash / 馃う鈥嶁檪 (slashes get URL encoded and create problems)

If you're trying to nest a file under a bucket make sure structure is part of the key, not the bucket name

/foo/bar/baz.json -> bucket: foo, key: /bar/baz.json.

CLI upload appears to be more clever about this, splitting out the base dir from the rest.

All 4 comments

Hi @novalagung, thanks for reaching out about this. Unfortunately SignatureDoesNotMatch errors are difficult to troubleshoot since they can be caused by a wide variety of things, including (but not limited to):

  • A typo in hard-coded credentials (unlikely in this case since it looks like you're assuming a role for this call)
  • Including a non-UTF8 encoded string in the request
  • Including metadata with an empty value in the request
  • Including a metadata value with a trailing space in the request
  • The parameters are entered out of alphabetical order in the API call.
  • Not all parameters were included when calculating the signature.

If you can enable debug logging for your S3 Client and provide the output for the Upload request we should be able to better help determine why you're seeing this error.

Just came up against this yesterday. There are hundreds of these questions all over the web, but I haven't seen this fix suggested: my bucket name contained a slash / 馃う鈥嶁檪 (slashes get URL encoded and create problems)

If you're trying to nest a file under a bucket make sure structure is part of the key, not the bucket name

/foo/bar/baz.json -> bucket: foo, key: /bar/baz.json.

CLI upload appears to be more clever about this, splitting out the base dir from the rest.

@glibsm This did the trick. You are a life saver!

I encountered a different set of problem, i could never going with us-east-1, but when i changed to eu-central-1 it worked! What is the difference i am not able to figure out... this was using boto => django

Was this page helpful?
0 / 5 - 0 ratings