By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Got SignatureDoesNotMatch when appending pre-signed URL retrieved from CreateUserImportJob to browser

0

I am working on Restful API which makes use of AWS SDK for java to call CreateUserImportJob. I want to get a pre-signed URL to upload CSV file for doing bulk Cognito user import. I am using Postman to call my API which calls CreateUserImportJob API on AWS. I got the pre-signed URL from the response and paste it to a browser right away. However, I always get the following error:

<Error> <Code>SignatureDoesNotMatch</Code> <Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>

After some research the bucket name from the returned pre-signed URL is called "aws-cognito-idp-user-import-yul". It seems like it is an AWS internal specific bucket for user import job. This bucket can't be seen even by administrator but you can't create a bucket with this name either as it exists already. I wonder if this is the reason that I got SignatureDoesNotMatch error as I am trying to upload file to this AWS user import specific S3 folder.

Any idea how to resolve this problem is greatly appreciated.

Topics
StorageSecurity, Identity, & Compliance
Tags
Amazon Simple Storage ServiceAmazon Cognitopresigned URL
Language
English
swai01
asked 3 months ago234 views
2 Answers
1

This may be a longshot, but I've had a similar issue in the past if key contains special characters like %, /, +, or .

AWS
Matthew Jorat
answered 3 months ago
  • swai01
    3 months ago

    Hi Matthew, thank you for your answer. When you say the key, do you mean the Amz-Security-Token, Amz-SignedHeaders, Amz-Credential or Amz-Signature? Thanks again.

  • swai01
    3 months ago

    In addition, I got the S3 bucket name "aws-cognito-idp-user-import-yul" from the pre-signed URL. Is this the right S3 bucket name when pre-signed URL is generated through CreateUserImportJob? Thanks everyone again.

0

By key, I mean the secretAccessKey. I recall only having issues when using the link in the browser, but not generating the link. I came across this github issue that sounds similar. See if this helps. https://github.com/aws/aws-sdk-js/issues/3319

AWS
Matthew Jorat
answered 3 months ago
  • swai01
    3 months ago

    Thank you Matthew. I checked my secretAccessKey but it doesn't have any non-alphanumeric characters. After some research the bucket name from the returned pre-signed URL is called "aws-cognito-idp-user-import-yul". It seems like it is an AWS internal specific bucket for user import job. This bucket can't be seen even by administrator but you can't create a bucket with this name either as it exists already. I wonder if anyone has ever upload any file to this bucket before? Thanks again.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content