aws-sdk-java-v2: Presigned URL resolves in a SignatureDoesNotMatch

Describe the issue

Hi, I have functionalities in our web application to upload and download a certain configuration file (xml). The upload works. But we want to enforce the download by using a presigned URL that is valid for 5 minutes.

When using that URL we receive a SignatureDoesNotMatch.

Steps to Reproduce

Code to upload a configuration file:

public Boolean uploadConfiguration(Part file) throws IOException {
    String bucketName = System.getenv("AWS_BUCKET");
    PutObjectRequest request = PutObjectRequest.builder()
            .bucket(bucketName)
            .key("BeFirstConfiguration.xml")
            .build();
    PutObjectResponse response = s3Client.putObject(request, RequestBody.fromBytes(file.getInputStream().readAllBytes()));
    return StringUtils.isNotEmpty(response.eTag());
}

Code to receive a presigned URL:

String bucketName = System.getenv("AWS_BUCKET");

GetObjectRequest getUrlRequest = GetObjectRequest.builder()
        .bucket(bucketName)
        .key("BeFirstConfiguration.xml")
        .build();
GetObjectPresignRequest getObjectPresignRequest = GetObjectPresignRequest.builder()
        .getObjectRequest(getUrlRequest)
        .signatureDuration(Duration.ofMinutes(10))
        .build();

PresignedGetObjectRequest request = s3Presigner.presignGetObject(getObjectPresignRequest);

log.info("Generating pre-signed URL.");
return request.url().toString();

JavaConfig configuration

public S3Configuration s3Configuration() {
    return S3Configuration.builder().build();
}

@Bean
public S3Presigner s3Presigner() {
    return S3Presigner.builder()
            .region(Region.EU_WEST_1)
            .serviceConfiguration(s3Configuration())
            .build();
}

@Bean
public S3Client s3Client() {
    return S3Client.create();
}

Current Behavior

After using that presigned URL we get a SignatureDoesNotMatch.

Your Environment

  • AWS Java SDK version used: 2.15.31
  • JDK version used: openjdk:11 (docker image based on openjdk:11-jre-slim)
  • Operating System and version: Amazon Linux

Any ideas or help pls? Been stuck here for a while now.

kind regards

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 20 (4 by maintainers)

Most upvoted comments

Hi @debora-ito, I'll try to have a look this week and let you know. Thanks for this info!

kind regards

Hmm, not sure whether we can help much. However there’s one thing I can think of:

Internally we use private VPC Endpoints for S3 (and DynamoDB). So maybe that’s conflicting. Can you specify which endpoint to use in your signing code?

For example, with the AWS CLI that’s possible:

aws s3 presign --endpoint-url https://s3.eu-west-1.amazonaws.com s3://MY_BUCKET_NAME/MY_FILE.pdf --region eu-west-1
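
The endpoint suggestion in the comment above, as an added example (not code from the issue or from the SDK maintainers): it builds the presigner with an explicit region, endpoint and credentials, then prints the host, access key ID and credential-scope region that end up in the URL, since S3 recomputes the signature from those values. The bucket name and credentials are constructed placeholders, and the page does not establish whether this addresses the reporter's error.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3.model.GetObjectRequest;
import software.amazon.awssdk.services.s3.presigner.S3Presigner;
import software.amazon.awssdk.services.s3.presigner.model.GetObjectPresignRequest;
import software.amazon.awssdk.services.s3.presigner.model.PresignedGetObjectRequest;

public class PresignEndpointCheck {
    public static void main(String[] args) {
        Region region = Region.EU_WEST_1;
        // Constructed placeholder credentials: presigning is computed locally, no request is sent.
        StaticCredentialsProvider creds = StaticCredentialsProvider.create(
                AwsBasicCredentials.create("AKIAEXAMPLEEXAMPLE00", "constructed-secret-key"));

        try (S3Presigner presigner = S3Presigner.builder()
                .region(region)
                // Explicit public regional endpoint, mirroring --endpoint-url in the CLI command.
                .endpointOverride(URI.create("https://s3.eu-west-1.amazonaws.com"))
                .credentialsProvider(creds)
                .build()) {
            PresignedGetObjectRequest presigned = presigner.presignGetObject(
                    GetObjectPresignRequest.builder()
                            .signatureDuration(Duration.ofMinutes(10))
                            .getObjectRequest(GetObjectRequest.builder()
                                    .bucket("example-bucket").key("BeFirstConfiguration.xml").build())
                            .build());

            URI url = URI.create(presigned.url().toString());
            System.out.println("host signed into the URL: " + url.getHost());
            System.out.println("signed headers: " + presigned.signedHeaders().keySet());
            for (String pair : url.getRawQuery().split("&")) {
                String[] kv = pair.split("=", 2);
                if (kv[0].equals("X-Amz-Credential")) {
                    // Scope format: <access-key-id>/<yyyymmdd>/<region>/s3/aws4_request
                    String[] scope = URLDecoder.decode(kv[1], StandardCharsets.UTF_8).split("/");
                    System.out.println("access key id: " + scope[0] + ", scope region: " + scope[2]);
                    if (!scope[2].equals(region.id())) throw new IllegalStateException("region mismatch");
                }
            }
        }
    }
}
```

The printed host is the one the download request must reach unchanged, and the access key ID shows which credentials produced the signature.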