Error 403 using GetObjectAttributes or GetObjectMetadata

0

Hi, I'm using NuGet packages AWSSDK.Core and AWSSDK.S3 in .NET for integrating S3 in my application. Until version 3.7.106.45 of AWSSDK.Core I can use these two pieces of code to verify the existence of a resource in S3:

    IAmazonS3 client = new AmazonS3Client();

    /* Verification using GetObjectMetadata */
    GetObjectMetadataRequest metaDataRequest = new GetObjectMetadataRequest()
    {
        BucketName = bucket,
        Key = fileName,
        VersionId = null,
    };
    var responseObjectMetadata = client.GetObjectMetadata(metaDataRequest);

    /* Verification using GetObjectAttributes */
    var request = new GetObjectAttributesRequest()
    {
        BucketName = bucket,
        Key = fileName,
        VersionId = null,
        ObjectAttributes = new List<ObjectAttributes> { new ObjectAttributes("ObjectSize") },
    };
    var response = client.GetObjectAttributes(request);

From version 3.7.107 I get the following exceptions using the above code:

Verification using GetObjectMetadata:
Amazon.S3.AmazonS3Exception: 'Error making request with Error Code Forbidden and Http Status Code Forbidden. No further error information was returned by the service.'

Verification using GetObjectAttributes:
Amazon.S3.AmazonS3Exception: 'The request signature we calculated does not match the signature you provided. Check your key and signing method.'

I've checked the documentation but everything seems fine regarding permissions: https://docs.aws.amazon.com/sdkfornet/v3/apidocs/items/S3/MS3GetObjectAttributesGetObjectAttributesRequest.html

We use a general purpose bucket with no versioning and the used credentials have these permissions:

"s3:DeleteObjectTagging", "s3:ListBucketMultipartUploads", "s3:GetBucketTagging", "s3:DeleteObjectVersion", "s3:ReplicateTags", "s3:RestoreObject", "s3:PutObjectVersionTagging", "s3:ListBucket", "s3:ReplicateObject", "s3:PutObject", "s3:GetObjectAcl", "s3:GetObject", "s3:AbortMultipartUpload", "s3:GetObjectVersionAcl", "s3:GetObjectTagging", "s3:PutObjectTagging", "s3:DeleteObject", "s3:GetBucketLocation", "s3:PutObjectAcl", "s3:ReplicateDelete", "s3:GetObjectVersion" "s3:GetObjectAttributes"

We already tried both the standard call and the async call but the exceptions raised are the same.

Thank you in advance for the info you can provide to help me resolve this issue.

asked 4 months ago · 311 views
2 Answers
0
Accepted Answer

A change was made in Core 3.7.107.0

A side-effect of this change was that before, it was possible to include a path as part of "BucketName", and get a success, but this no longer works. It was never intended for "BucketName" to support inputs other than the Bucket itself. It's not possible to tell from your example above if you might be encountering this, but I'd suggest investigating as that's the primary change for Core 3.7.107.0.

The error you received for GetObjectAttributes, "The request signature we calculated does not match the signature you provided. Check your key and signing method." indicates that the authorization header is malformed.

GetObjectMetadata might be the same root cause, but with a less specific error message. GetObjectMetadata calls the S3 API HeadObject, whereas GetObjectAttributes calls the S3 API GetObjectAttributes. The key difference here is that HeadObject does not have a response body, so detailed error messages are not part of the response, only HTTP header codes like 403.

There are multiple possible causes of invalid request signature, but the one that would apply to the above would be if the Canonical URI did not match what was in the request or the URI encoding was different.

Since I'm not sure that's the cause of your error, I'll mention another common cause is signing a request for one AWS region, but sending the request to another AWS region. Usually this can be resolved by explicitly stating the region for a bucket.

For reference see the AWS SigV4 signing method, and see it includes the target region in the "Scope" signed into the signature, as well as the previously mentioned CanonicalURI and specific URIEncode() specification.

AWS
answered 4 months ago
  • Actually I used an additional path in the bucket name, but I tried to move it to the key and the errors were still the same. Where did I need to specify the path then? Thank you for your answer!

  • Never mind. Pushed by your answer, I tried to specify the path in the key parameter in every way I know and found out that the correct way is: folder1/folder2/.../filename (originally tried with /folder1/folder2/.../filename and then ~/folder1/folder2/..../filename). Thank you very much for your answer!
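
The accepted answer's point about the Canonical URI and the region in the SigV4 scope can be checked by computing the signature by hand. The following is an added example, not code from the thread or from the AWS SDK; it is written in Python because the signing scheme is independent of the SDK language. The secret, bucket, region, date and key names are constructed, and the model of "what the client signed" versus "what the service recomputes" is a simplification for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed values for illustration only (not real credentials or resources).
SECRET = "EXAMPLE-SECRET-KEY-NOT-REAL"
BUCKET = "example-bucket"
AMZ_DATE = "20240101T000000Z"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # HEAD/GET send no body


def canonical_uri(key: str) -> str:
    # Virtual-hosted-style path: "/" + key, URI-encoded once, "/" kept as-is.
    return "/" + quote(key, safe="/")


def sigv4_signature(region: str, host: str, method: str, key: str) -> str:
    date = AMZ_DATE[:8]
    scope = f"{date}/{region}/s3/aws4_request"  # region is part of the scope
    canonical_request = "\n".join([
        method,
        canonical_uri(key),
        "",  # empty query string
        f"host:{host}\nx-amz-content-sha256:{EMPTY_SHA256}\nx-amz-date:{AMZ_DATE}\n",
        "host;x-amz-content-sha256;x-amz-date",
        EMPTY_SHA256,
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", AMZ_DATE, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    signing_key = ("AWS4" + SECRET).encode()
    for part in (date, region, "s3", "aws4_request"):
        signing_key = hmac.new(signing_key, part.encode(), hashlib.sha256).digest()
    return hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def signature_matches(signed_key: str, received_key: str,
                      signed_region: str = "eu-west-1",
                      endpoint_region: str = "eu-west-1") -> bool:
    # Client signs (signed_key, signed_region); the service recomputes the
    # signature from the path it received and the region of its own endpoint.
    host = f"{BUCKET}.s3.{endpoint_region}.amazonaws.com"
    sent = sigv4_signature(signed_region, host, "HEAD", signed_key)
    recomputed = sigv4_signature(endpoint_region, host, "HEAD", received_key)
    return hmac.compare_digest(sent, recomputed)


if __name__ == "__main__":
    good = "folder1/folder2/report.txt"
    print(signature_matches(good, good))
    print(signature_matches("/" + good, good))
    print(signature_matches(good, good, signed_region="us-east-1"))
```

A leading slash on the key or a region different from the endpoint's changes the signed bytes, so the recomputed signature no longer matches and the request is rejected with 403.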

0

Hi, Giovanni. I created a console app on a dev machine and was able to get the code to work without a problem.

  • I tried it with the following versions: AWSSDK.Core v3.7.107 and AWSSDK.S3 v3.7.104.26.
  • I also tried it with the current versions and they were also fine.

I did notice that you are missing a comma in your list of permissions. Is that just a copy/paste error, or is it possible that your policy is actually missing the comma?

(I can share the code and policy that I used if you think it would be helpful. (Properly scrubbed, of course.))

AWS
answered 4 months ago
  • No, it was just a copy/paste error, thanks for your response.
