
This AWS security stuff is driving me nuts. I'm trying to upload some binary files from a node app using knox. I keep getting the infamous SignatureDoesNotMatch error with my key/secret combination. I traced it down to this: with e.g. Transmit, I can access the bucket by connecting to s3.amazonaws.com, but I cannot access it via the virtual subdomain mybucket.s3.amazonaws.com. (When I try to access the bucket with the s3.amazonaws.com/mybucket syntax, I get an error saying that only the subdomain style is allowed.)

I have tried setting the bucket policy to explicitly allow PUT from the respective user, but that had no effect. Can anyone please shed some light on how I can enable uploading of files from one specific AWS user?

ben75
DaGaMs
  • S3 uses HMAC signature to verify requests. It will try to reconstruct the signature server side to verify that you are who you say you are. How are you generating your signature? – datasage Jun 10 '13 at 00:36
  • I'm not doing that manually, but I doubt that's the problem: as I said, I can connect fine to the "top-level" location with Transmit, so clearly Transmit generates valid signatures. What would the difference be between connecting to `s3.amazonaws.com` and `myapp.s3.amazonaws.com`? – DaGaMs Jun 10 '13 at 14:04

1 Answer

After a lot of trial and error, I narrowed it down to a couple of issues. I'm not entirely sure which one ultimately fixed it, but here are a few things you might want to try:

  • Make sure you are setting the right datacenter. In my case, this looked like this:

    var knox = require('knox');

    var client = knox.createClient({
           key: this.config.key
      , secret: this.config.secret
      , bucket: this.config.bucket
      , region: 'us-west-2' // because my bucket is supposed to be in Oregon
    });
    
  • Check your PUT headers. In my case, the Content-Type was accidentally set to undef which caused issues:

    var headers = {
        'x-amz-acl': 'public-read' // if you want anyone to be able to download the file
    };
    if (filesize) headers['Content-Length'] = filesize;
    if (mime) headers['Content-Type'] = mime;
    
DaGaMs
  • There is a similar problem with a solution at http://stackoverflow.com/questions/21452756/how-do-i-client-side-upload-a-viewable-file-to-amazon-s3/28699269#28699269 . Seems headers like Content-Type and Content-Length will often trip you up if you haven't included them as parameters to getSignedUrl. When the client makes the upload, they will often have Content-Type and Content-Length included in the headers (as required by HTTP when there is a body of data)... if those weren't pre-specified to getSignedUrl then the signatures won't match. – Reinsbrain Feb 26 '15 at 00:27
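
The header mismatch described in the answer and comment above, as an added example that is not part of the original thread and is not knox's own code. It assumes AWS Signature Version 2 (HMAC-SHA1 over method, Content-MD5, Content-Type, Date, `x-amz-*` headers and resource); the secret, bucket, object key, date and all function names are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

const SECRET = 'EXAMPLE-SECRET-NOT-REAL'; // constructed, not a real credential

// Signature V2 string-to-sign, built from the headers that will be sent.
function stringToSign(req) {
  const h = {};
  for (const [name, value] of Object.entries(req.headers)) {
    // An undefined header is never sent, so it signs as the empty string.
    if (value !== undefined && value !== null) h[name.toLowerCase()] = String(value).trim();
  }
  const amz = Object.keys(h).filter((n) => n.startsWith('x-amz-')).sort()
    .map((n) => n + ':' + h[n] + '\n').join('');
  const resource = '/' + req.bucket + req.path; // bucket is part of the resource
  return [req.method, h['content-md5'] || '', h['content-type'] || '',
    h['date'] || '', amz + resource].join('\n');
}

function sign(req, secret) {
  return nodeCrypto.createHmac('sha1', secret)
    .update(stringToSign(req), 'utf8').digest('base64');
}

// Server side: recompute from the headers actually received, then compare.
function serverAccepts(received, claimedSignature, secret) {
  const expected = Buffer.from(sign(received, secret));
  const claimed = Buffer.from(claimedSignature);
  return expected.length === claimed.length &&
    nodeCrypto.timingSafeEqual(expected, claimed);
}

// Constructed sample PUT request.
function makeRequest(contentType) {
  return {
    method: 'PUT', bucket: 'mybucket', path: '/photos/cat.png',
    headers: { 'Date': 'Mon, 10 Jun 2013 14:04:00 GMT',
      'Content-Type': contentType, 'x-amz-acl': 'public-read' },
  };
}

function demo() {
  const sent = makeRequest('image/png'); // what the HTTP client puts on the wire
  return {
    signedBeforeTypeWasSet: serverAccepts(sent, sign(makeRequest(undefined), SECRET), SECRET),
    signedWithSentType: serverAccepts(sent, sign(makeRequest('image/png'), SECRET), SECRET),
  };
}

console.log(demo()); // { signedBeforeTypeWasSet: false, signedWithSentType: true }
```

When debugging a SignatureDoesNotMatch response, compare the string-to-sign your client built against the headers that actually left the machine.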