Aws-sdk-js: s3.getSignedUrl('putObject') requested signature does not match

Created on 20 Sep 2018 · 6Comments · Source: aws/aws-sdk-js

I'm currently attempting to getSignedUrl and PUT to it from the client. However, when I attempt to PUT it will return a 403 status code.

This is my back-end code:

const s3 = new AWS.S3({
  accessKeyId: keys.accessKeyId,
  secretAccessKey: keys.secretAccessKey
});

app.get('/api/upload', requireLogin, (req, res) => {
  let key = `${req.user.id}/${uuid()}.jpeg`
  s3.getSignedUrl('putObject', {
    Bucket: 'advanced-node-blog',
    ContentType: 'image/jpeg',
    Key: key
  },
  (err, url) => res.send({ key, url }));
});

On the front-end:

// presigned URL
const uploadConfig = await axios.get('/api/upload');

await axios.put(uploadConfig.data.url, file, {
  headers: {
    'Content-Type': file.type
  }
});

When I GET to the URL, I will receive this message:
The request signature we calculated does not match the signature you provided. Check your key and signing method.

I tried to just change key to something like testfile.jpeg or just file.txt, but I still get the same thing.

Any clues as to what I might be doing wrong?

Thank you in advance!

guidance

Source

SKEPDIMI

Most helpful comment

@SKEPDIMI

Can you try using the v4 Signature when constructing the client?

const s3 = new AWS.S3({
  accessKeyId: keys.accessKeyId,
  secretAccessKey: keys.secretAccessKey,
  signatureVersion: 'v4'
});

srchase on 21 Sep 2018

👍2 ❤1

All 6 comments

@SKEPDIMI

Can you try using the v4 Signature when constructing the client?

const s3 = new AWS.S3({
  accessKeyId: keys.accessKeyId,
  secretAccessKey: keys.secretAccessKey,
  signatureVersion: 'v4'
});

srchase on 21 Sep 2018

👍2 ❤1

Hi, @srchase

I have tried this aswell, same issue

const s3 = new AWS.S3({
  accessKeyId: keys.accessKeyId,
  secretAccessKey: keys.secretAccessKey,
  signatureVersion: 'v4',
  region: 'us-east-2'
});

SKEPDIMI on 21 Sep 2018

@SKEPDIMI

Here are a few things to check/try:

Have you checked the clock time? If that's off significantly, it will cause the signature to be invalid.
Log the headers on the axios request. Make sure those are what you're expecting.
Check your credentials.

srchase on 21 Sep 2018

@srchase

Sorry for being so thick on this, it's the first time I use AWS. What exactly is clock-time? How do I find out if it is correct?
I've checked the axios requests and they send the correct headers and the server receives them.
I've also checked my credentials, and changed them 2 times, still same issue...

EDIT

I have noticed a CORS error (preflight failed). Perhaps it has to do with the fact that my requests are being made from localhost:3000. I will try changing the CORS settings on the bucket to see if this fixes the issue.

SKEPDIMI on 22 Sep 2018

The issue had to do with CORS - my old CORS configuration only allowed for GET requests, so upon adding a new rule for PUT like so:

<CORSRule>
    <AllowedOrigin>http://localhost:3000</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>

The issue was solved!
Thanks @srchase for helping me figure out what was wrong with the Axios request

SKEPDIMI on 22 Sep 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.