Creating presigned URL manually from my code

Hi, I am trying to create a signed URL manually (I don't want to use AWS SDK) following this article -> https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html

My Canonical request looks like this (ASIAMYTEMPCRED and MYSESSIONTOKENENCODED are real values in my code):

GET
/spa-11.0-100.zip
x-amz-algorithm=AWS4-HMAC-SHA256&x-amz-credential=ASIAMYTEMPCRED%2F20240204%2Fus-east-1%2Fs3%2Faws4_request&x-amz-date=20240204T000500Z&x-amz-expires=3600&x-amz-security-token=MYSESSIONTOKENENCODED&x-amz-signedheaders=host
host:dinikoli.s3.amazonaws.com

host
UNSIGNED-PAYLOAD

and string to sign like:

AWS4-HMAC-SHA256
20240204T000500Z
20240204/us-east-1/s3/aws4_request
18150b2fb497b35653a4a368267725961424324885667c28558dd1a94f8a07c1

When I create the signing key, calculate the signature, and create the URL:

https://dinikoli.s3.us-east-1.amazonaws.com/spa-11.0-100.zip?x-amz-algorithm=AWS4-HMAC-SHA256&x-amz-credential=ASIAMYTEMPCRED%2F20240204%2Fus-east-1%2Fs3%2Faws4_request&x-amz-date=20240204T000500Z&x-amz-expires=3600&x-amz-signedheaders=host&x-amz-security-token=MYSESSIONTOKENENCODED&x-amz-signature=e37415ac8e8297408897f80d5647fa060416c0d8c26d808721dd5e549ba3b121

I get

<Error>
<Code>AccessDenied</Code>
<Message>No AWSAccessKey was presented.</Message>
<RequestId>5FNF7NPG9JMA6V54</RequestId>
<HostId>/lbhq132AazDnRsvl6QqXb78LbiIYVaJNYF29WbamdCInhYqHN/boGJW3lm4EYLHIeWPlHiRukc=</HostId>
</Error>

which doesn't give me much information. Could you advise what can be an issue here? I would be happy to share more information if you need.

Thanks, Dimitrije

asked 3 months ago, 208 views
1 Answer
Hello,

It seems you are getting an Access Denied error when trying to resolve an S3 endpoint. This typically occurs when the IAM role being used does not have the necessary permissions to access the S3 bucket. Please check the following:

  • Verify the IAM policy attached to the role has permissions to access S3, such as s3:ListBucket.
  • Check if the bucket policy allows the IAM principal (role ARN) to access the bucket. Bucket policies override any IAM policies.
  • Make sure the S3 endpoint is of type REST API and not website hosting. Website hosting endpoints have different permission requirements.
  • If using VPC endpoints for S3, check that the endpoint policy grants access to the necessary principals like the instance profile role.
  • Review any condition keys used in the IAM policy. The keys must match the API call context for the policy to take effect.

Refer to the AWS documentation on troubleshooting S3 API access issues for more help.

[1] Why am I getting an Access Denied error when I open the URL to an Amazon S3 object that I have access to? https://repost.aws/knowledge-center/s3-access-denied-error
[2] How can I troubleshoot an S3AccessDenied error from my file gateway's CloudWatch health logs? https://repost.aws/knowledge-center/file-gateway-troubleshoot-s3accessdenied
[3] How can I troubleshoot Amazon S3 endpoint connection test failures when using AWS DMS? https://repost.aws/knowledge-center/dms-connection-test-fail-s3

Timothy
answered 3 months ago
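
An added example, not part of the question or the answer above: a standard-library Python reference for the SigV4 query-string procedure in the linked article, useful for diffing a hand-built canonical request line by line. It uses the parameter names with the casing the article documents (X-Amz-Algorithm and so on) and signs the same host that appears in the final URL. The function name `presign_get` and the credential values are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_get(host, key, region, access_key, secret_key, amz_date,
                session_token=None, expires=3600):
    """Return (presigned_url, canonical_request) for an S3 GET, SigV4 query auth."""
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary (ASIA...) credentials carry a session token
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: sorted by name, names and values URI-encoded.
    query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    path = quote("/" + key.lstrip("/"), safe="/")
    # The host signed here must be the host the URL is later requested from.
    canonical = "\n".join(["GET", path, query, f"host:{host}", "",
                           "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical.encode()).hexdigest()])
    # Signing key: HMAC chain over date, region, service, "aws4_request".
    k = ("AWS4" + secret_key).encode()
    for part in (date, region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = _hmac(k, string_to_sign).hex()
    return f"https://{host}{path}?{query}&X-Amz-Signature={signature}", canonical

if __name__ == "__main__":
    # Constructed credentials; bucket host and key are the ones in the question.
    url, canonical = presign_get(
        "dinikoli.s3.us-east-1.amazonaws.com", "spa-11.0-100.zip", "us-east-1",
        "ASIAEXAMPLEKEYID", "constructed-secret-key", "20240204T000500Z",
        session_token="constructed/token+value==")
    print(canonical, url, sep="\n\n")
```

Called with the example inputs from the linked AWS article and no session token, the canonical request it returns can be compared line by line against the one printed there.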
