aws-sdk-java-v2: Presigned URL resolves in a SignatureDoesNotMatch
Describe the issue
Hi, I have functionalities in our web application to upload and download a certain configuration file (xml). The upload works. But we want to enforce the download by using a presigned URL that is valid for 5 minutes.
When using that URL we receive a SignatureDoesNotMatch.
Steps to Reproduce
Code to upload a configuration file:
    public Boolean uploadConfiguration(Part file) throws IOException {
        String bucketName = System.getenv("AWS_BUCKET");
        PutObjectRequest request = PutObjectRequest.builder()
                .bucket(bucketName)
                .key("BeFirstConfiguration.xml")
                .build();
        PutObjectResponse response = s3Client.putObject(request, RequestBody.fromBytes(file.getInputStream().readAllBytes()));
        return StringUtils.isNotEmpty(response.eTag());
    }
Code to receive a presigned URL:
    String bucketName = System.getenv("AWS_BUCKET");
    GetObjectRequest getUrlRequest = GetObjectRequest.builder()
            .bucket(bucketName)
            .key("BeFirstConfiguration.xml")
            .build();
    GetObjectPresignRequest getObjectPresignRequest = GetObjectPresignRequest.builder()
            .getObjectRequest(getUrlRequest)
            .signatureDuration(Duration.ofMinutes(10))
            .build();
    PresignedGetObjectRequest request = s3Presigner.presignGetObject(getObjectPresignRequest);
    log.info("Generating pre-signed URL.");
    return request.url().toString();
JavaConfig configuration
    public S3Configuration s3Configuration() {
        return S3Configuration.builder().build();
    }

    @Bean
    public S3Presigner s3Presigner() {
        return S3Presigner.builder()
                .region(Region.EU_WEST_1)
                .serviceConfiguration(s3Configuration())
                .build();
    }

    @Bean
    public S3Client s3Client() {
        return S3Client.create();
    }
Current Behavior
After using that presigned URL we get a SignatureDoesNotMatch.
Your Environment
- AWS Java SDK version used: 2.15.31
- JDK version used: openjdk:11 (docker image based on openjdk:11-jre-slim)
- Operating System and version: Amazon Linux
Any ideas or help pls? Been stuck here for a while now.
kind regards
About this issue
- State: closed
- Created 4 years ago
- Comments: 20 (4 by maintainers)
Commits related to this issue
- Merge pull request #2154 from aws/staging/531bec79-3529-4b44-b7a1-f6feb1ded95e Pull request: release <- staging/531bec79-3529-4b44-b7a1-f6feb1ded95e — committed to aws/aws-sdk-java-v2 by aws-sdk-java-automation 2 years ago
Hi @debora-ito, I'll try to have a look this week and let you know. Thanks for this info!
kind regards
Hmm, not sure whether we can help much. However, there’s one thing I can think of:
Internally we use private VPC Endpoints for S3 (and DynamoDB). So maybe that’s conflicting. Can you specify which endpoint to use in your signing code?
For example with the AWS CLI that’s possible:
    aws s3 presign --endpoint-url https://s3.eu-west-1.amazonaws.com s3://MY_BUCKET_NAME/MY_FILE.pdf --region eu-west-1
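Added example, not part of the issue thread or the SDK project's own code: a small diagnostic that prints the host, credential scope (which embeds the region) and signed headers a presigned GET is bound to, for different presigner regions and for the explicit endpoint from the CLI command in the last comment. A SigV4 signature covers these values, so the URL has to be requested unmodified against the host and region it was signed for. Assumptions: the AWS SDK for Java v2 `s3` module is on the classpath, `example-bucket` is a hypothetical bucket name, and the credentials are constructed placeholders.

```java
import java.net.URI;
import java.time.Duration;
import java.util.List;
import java.util.Map;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.presigner.S3Presigner;
import software.amazon.awssdk.services.s3.presigner.model.GetObjectPresignRequest;
import software.amazon.awssdk.services.s3.presigner.model.PresignedGetObjectRequest;

public class PresignInspect {
    // Constructed placeholder credentials; presigning is computed locally, no request is sent.
    private static final StaticCredentialsProvider CREDS = StaticCredentialsProvider.create(
            AwsBasicCredentials.create("AKIAEXAMPLEEXAMPLE00", "constructed-secret-not-a-real-key"));

    // Presign a GET for the same object with a given region and optional endpoint override.
    static PresignedGetObjectRequest presign(Region region, URI endpoint) {
        S3Presigner.Builder builder = S3Presigner.builder().region(region).credentialsProvider(CREDS);
        if (endpoint != null) {
            builder.endpointOverride(endpoint);
        }
        try (S3Presigner presigner = builder.build()) {
            return presigner.presignGetObject(GetObjectPresignRequest.builder()
                    .signatureDuration(Duration.ofMinutes(5))
                    .getObjectRequest(g -> g.bucket("example-bucket").key("BeFirstConfiguration.xml"))
                    .build());
        }
    }

    // Print the parts of the URL that the SigV4 signature is bound to.
    static void describe(String label, PresignedGetObjectRequest p) {
        Map<String, List<String>> q = p.httpRequest().rawQueryParameters();
        System.out.println(label);
        System.out.println("  host:           " + p.url().getHost());
        // Credential scope layout: accessKeyId/date/region/s3/aws4_request
        System.out.println("  credential:     " + q.get("X-Amz-Credential"));
        System.out.println("  signed headers: " + p.signedHeaders().keySet());
        System.out.println("  expires (s):    " + q.get("X-Amz-Expires") + " -> " + p.expiration());
        System.out.println("  browser-usable: " + p.isBrowserExecutable());
    }

    public static void main(String[] args) {
        describe("presigner region eu-west-1", presign(Region.EU_WEST_1, null));
        describe("presigner region eu-central-1", presign(Region.EU_CENTRAL_1, null));
        describe("explicit endpoint, as in the CLI command above",
                presign(Region.EU_WEST_1, URI.create("https://s3.eu-west-1.amazonaws.com")));
    }
}
```

Comparing the printed host and credential scope with the bucket's actual region and the endpoint the client really connects to shows whether the URL was signed for a different target than the one serving the request.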