Hitting presigned URL and getting access denied exception

0

Hi there,

In our code base, we are aiming to render the S3 GetObject signed URL for the client, so the client can download the object by clicking the URL on the website.

Here is the v2 code:

```javascript
return s3Client.getSignedUrlPromise('getObject', {
  ...UDMSController.parseS3URI(s3URI),
  Expires: config.udms.s3.signedURLTTL,
});
```

Here is the upgraded v3 code:

```typescript
import { GetObjectCommand, GetObjectCommandInput } from "@aws-sdk/client-s3";
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";

// Bucket is the host of the s3:// URI, Key is its path without the leading "/"
const getObjectParams: GetObjectCommandInput = { Bucket: parsedS3URI.host, Key: parsedS3URI.pathname.substr(1) };
const command = new GetObjectCommand(getObjectParams);
return await getSignedUrl(s3Client, command, { expiresIn: config.udms.s3.signedURLTTL });
```

The IAM role we are assuming is the external account's S3 permission role; here is their S3 permission:

[image: S3 permission policy screenshot]

And when the client hits the URL we render on the website, they get an AccessDenied exception.

Here is the failed request:

```text
https://ring-data-requests-dev.s3.us-east-1.amazonaws.com/gdpr/exports/user-46364072/10001357/datarequest.zip?
X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&
X-Amz-Credential=ASIA5JGQ37JDTMSI4DYI%2F20231204%2Fus-east-1%2Fs3%2Faws4_request&
X-Amz-Date=20231204T180657Z&
X-Amz-Expires=600&
X-Amz-Security-Token=IQoJb3JpZ2luX2VjEPv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIAc91WgOnR7Ry7tFwAN3bxAcwnZU3ehq2ENWm20MmevEAiEAhABAuMGiuVdcP6F7L%2BCqltrVh8%2FibtD2Z8uHa%2Ff2sR4qogIIYxADGgw5MTMxMTg1OTE1NTkiDGl7KMFE0%2BweJIPx4ir%2FAaO6C2bV7YLDAOR8EeYLwWA3jErDB9alj77gDoBNSbow6EMla3rLwXD2DbGN6k2tc6L8E2fGbbYenVMwGYt1Er%2Bf1pmXknqMgkhl7XpE3vq8HIIA7gTq%2BzKnfkLkILzJ2KcV%2BydA4%2Fzf7OphnHUgxCs30aAnG7cG1V3v2QVyWAd13%2Bx0evHww2GnZZeCcs9oAb4iZnmgg96kvfGOejGprshhQh83BB299T4336LOmpcByFz5fDxecmcOzMd%2Bmb4cqCuDDmMCsIhJ9nzve5hmZVv3hNuOonum6ROPHEzvAw17qMK7hhUL3Qn0vQjg6m6VIfbVAU1zXJg2AXROg6br7TDBqrirBjqdAQKuiFH5cVTfh2G1dLDtJkVQr5%2F2zCuBY20VQ3%2FTuYNtecpL%2FV%2BzDUIJiEcjgVboeMG%2F9%2BLbjwgrKBI7G0h0%2BqQ%2F4C0Ew9q4mPQmkcEUFahKMPLVU0w9sLJE07kfKfa8o6WlOoE4HM1WLm0SnEUswLy6F1M%2BKVqB%2FDP3J8xvIxO2nB0yhEkwTctP1%2BtBBSfG4ynAAvJgLC8e00dgzwc%3D&
X-Amz-Signature=08870a418d16e84832b20b44b1a9b7bc47dd0cc8193c4084831a99c7668a5800&
X-Amz-SignedHeaders=host&
x-id=GetObject
```

The sample S3 path is:

```text
s3://ring-data-requests-dev/gdpr/exports/user-82032267/10001355/datarequests.zip
```

We can get the URL and S3 path without error on our side; the issue is that the client keeps getting AccessDenied.

Does anyone know whether, for this kind of upgrade, the S3 role needs extra permissions? Or is there some setup we are missing in our code base?

My assumption is that the new SDK version sets X-Amz-Content-Sha256 on the request to UNSIGNED-PAYLOAD, and the bucket might reject requests with UNSIGNED-PAYLOAD content. I'd appreciate any help and hints here.

Thanks!

Asked 10 months ago · 397 views
2 answers
0
Accepted answer

I found the issue after reviewing the code: there were two IAM roles I needed to assume. I missed the second one. I used role A's credentials to call GetObject, which made S3 throw the ACE.

Answered 10 months ago
0

Hey, an IAM role might not be the solution for this, as per my understanding. As you are accessing the S3 bucket contents using the public URL, your bucket should have public access to all of its objects. If you are able to see "Bucket and objects not public" for your bucket in the S3 dashboard, this could definitely be causing the issue.

Answered 10 months ago
  • Thanks for the response; the source S3 does allow public access. I found the issue after reviewing the code: there were two IAM roles I needed to assume. I missed the second one. I used role A's credentials to call GetObject, which made S3 throw the ACE. Thanks again!
