403 when accessing S3 signed HTTPS URL with Postman or Python

0

Hi,

I'm writing a tool that has to download files from S3 buckets, using presigned URLs (which I receive from customers, I don't create them myself). By which I mean URLs like the following: https://customer-bucket.s3.amazonaws.com/file.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJXUV54IKCQRZ6AKQ/20220217/eu-west-1/s3/aws4_request&X-Amz-Date=20220217T114356Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=e257fd0f315cb7351ef4bcb125bdc81de6f4e0d01c50f2c956efae20ee0768b1

When I access those URLs with wget / curl or in the browser, all is well.

But when I try to get the same URLs through Postman or Python.requests, I get a 403 error. I've tried setting similar headers (user-agent primarily) as the browser, but without success.

Here is my very simple code:

import requests

# Placeholder: url holds the presigned URL received from the customer.
url = "..."
payload = {}
# Browser-like headers, set to mimic what the browser sends.
headers = {
    "Accept-Language": "en-US,en;q=0.5",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Connection": "keep-alive"}
# The request is sent with the HEAD method.
response = requests.request("HEAD", url, headers=headers, data=payload)
print(response.text)

But each time I get a response.status_code of 403.

asked 2 years ago, 2755 views
1 Answer
0

What kind of HTTP action is the URL being encoded as? When an S3 pre-signed URL is created, it is signed for specific actions. Examples are "GET", "HEAD", "PUT", "POST".

Just asking, but are you 100% sure the URL is signed with "HEAD" (I see that is what you are using in code)?

Another couple of items to check:

timpatt
answered 2 years ago
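
To illustrate the answer's point that a presigned URL is signed for one HTTP action, here is an added example (not part of the original thread) that recomputes the SigV4 query signature for a URL shaped like the one in the question. The bucket name, key ID and secret are constructed for the example; a recipient of a customer's URL does not hold the secret, so in practice only the expiry check applies on the receiving side.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_query_signature(method: str, url: str, secret_key: str) -> str:
    """Recompute X-Amz-Signature for url as if it had been signed for method."""
    parts = urlsplit(url)
    params = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
              if k != "X-Amz-Signature"]
    q = dict(params)
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params))
    # Only the host header is signed (X-Amz-SignedHeaders=host), as in the question.
    canonical_request = "\n".join([
        method, parts.path or "/", canonical_query,
        f"host:{parts.netloc}\n", q["X-Amz-SignedHeaders"], "UNSIGNED-PAYLOAD"])
    _, date, region, service, term = q["X-Amz-Credential"].split("/")
    string_to_sign = "\n".join([
        q["X-Amz-Algorithm"], q["X-Amz-Date"], f"{date}/{region}/{service}/{term}",
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, service, term):
        key = _hmac(key, part)
    return _hmac(key, string_to_sign).hex()


def is_expired(url: str, now: datetime) -> bool:
    """True once now is past X-Amz-Date + X-Amz-Expires."""
    q = dict(parse_qsl(urlsplit(url).query))
    signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return now > signed_at + timedelta(seconds=int(q["X-Amz-Expires"]))


# Constructed sample: bucket, key ID and secret are made up for this example.
SECRET = "constructed-secret-for-illustration"
URL = ("https://example-bucket.s3.amazonaws.com/file.txt"
       "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
       "&X-Amz-Credential=AKIDEXAMPLE/20220217/eu-west-1/s3/aws4_request"
       "&X-Amz-Date=20220217T114356Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host")

if __name__ == "__main__":
    print("GET :", sigv4_query_signature("GET", URL, SECRET))
    print("HEAD:", sigv4_query_signature("HEAD", URL, SECRET))
    print("expired now:", is_expired(URL, datetime.now(timezone.utc)))
```

The two signatures differ because the method is the first line of the canonical request, so a URL signed for GET carries a signature that does not match a HEAD request for the same object.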
