S3 Post Policy - invalid value for x-amz-checksum-sha256

I'm using S3 presigned post policies to upload files to an S3 bucket and I'm trying to make use of the x-amz-checksum-sha256 condition, but I can not figure out how to successfully post a file using x-amz-checksum-sha256. Whenever I try to post a file AWS returns a 400 with the message of Value for x-amz-checksum-sha256 header is invalid but I don't know what this means. In what way is the sha256 value I'm producing "invalid"?

Here's an example of how I'm trying to accomplish this. I'm using a standard file <input> element for file selection.

const fileBlob = new Blob([file])
const arrayBuffer = await fileBlob.arrayBuffer()
const fileUint8 = new Uint8Array(arrayBuffer)
const hashBuffer = await crypto.subtle.digest("SHA-256", fileUint8);
const hashArray = Array.from(new Uint8Array(hashBuffer)); // convert buffer to byte array
const sha256Checksum = hashArray
  .map((b) => b.toString(16).padStart(2, "0"))
  .join('');
const base64Checksum = btoa(sha256Checksum)

const postData = await backendAPICallToGetPresignedPost({base64Checksum})

const postForm = new FormData();
Object.keys(postData.fields).forEach((key) => {
  return postForm.append(key, postData.fields[key])
})
postForm.append('x-amz-checksum-algorithm', 'SHA256');
postForm.append('x-amz-checksum-sha256', base64Checksum);
postForm.append('file', file);

axios.post('S3-url', postForm)

And here is how I am created the presigned post. The base64 encoded checksum is passed to the server to use when creating the policy.

const aws = require('aws-sdk');

const s3 = new aws.S3({
    region: awsRegion,
    accessKeyId: s3AccessKeyId,
    secretAccessKey: s3SecretAccessKey,
});

return await s3.createPresignedPost({
    Bucket: 'bucket-name',
    Fields: {
        key: `${s3ProductImageFolder}/${brandName}/${fileName}`,
    },
    Conditions: [
        { 'x-amz-checksum-algorithm': 'SHA256' },
        { 'x-amz-checksum-sha256': base64Checksum },
    ],
});

FYI I'm using version 2.1424.0 of the javascript AWS SDK

I've confirmed that the sha256 value that I am generating with the above javascript is the same as what is generated by the sha256sum GNU utility. The test file that I am using generates the following sha256 hash: 1789f8b9f648498f5abcfe3c71b7fb4047143b431022d477d27a7acba64d2ca8

Topics

Storage

Relevant content

POST uploads to S3 bucket failing with http 405
rePost-User-9591919
asked a year ago
Limit IpAddress while uploading to aws s3 bucket using aws post policy
rePost-User-4020011
asked a year ago
Using CloudFront to upload files to S3 bucket using presign URL and custom domain
Roi
asked 7 months ago
Presigned POST File Submission Invalid JSON
ionizer
asked 6 years ago
What S3 bucket policy can I use to comply with the AWS Config rule s3-bucket-ssl-requests-only?
AWS OFFICIALUpdated 8 months ago
Why am I getting the error "Invalid principal in policy" when I try to update my Amazon S3 bucket policy?
AWS OFFICIALUpdated a year ago
How do I troubleshoot the error "You don't have permissions to edit bucket policy" when I try to modify a bucket policy in Amazon S3?
AWS OFFICIALUpdated a year ago
Why does an upload fail when I use the Amazon S3 console to upload a large file?
AWS OFFICIALUpdated 9 months ago
Why doesn't S3 respect the TLS settings in my IAM policy?
EXPERT
Brettski-AWS
published 2 years ago
Support Automation Workflow (SAW) Runbook: Upload EC2 Rescue log bundle from the target instance to the specified Amazon S3 bucket
EXPERT
Maya Karalic
published a year ago