
I am trying to make an HTTP request to Amazon S3 (get a file), but I am getting a Forbidden error.

Here is my code:

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using System.Text;

string today = DateTime.UtcNow.ToString("ddd,' 'dd' 'MMM' 'yyyy' 'HH':'mm':'ss' 'zz00", new System.Globalization.CultureInfo("en-US"));
string bucket = "rethymno";
string path = "/aasdf.txt";
// String to sign: verb, Content-MD5, Content-Type, Date, canonicalized resource
string stringToSign = "GET" +
                      "\n" +
                      "\n" +
                      "\n" +
                      today + "\n" +
                      "/" + bucket + path;

string AWSSecret = "xxx";
string AWSKey = "xxx";
Encoding ae = new UTF8Encoding();
// HMAC-SHA1 over the string to sign, keyed with the secret, then Base64
HMACSHA1 signature = new HMACSHA1(ae.GetBytes(AWSSecret));
string encodedCanonical = Convert.ToBase64String(signature.ComputeHash(ae.GetBytes(stringToSign)));
string authHeader = "AWS " + AWSKey + ":" + encodedCanonical;
string url = "http://" + bucket + ".s3.amazonaws.com" + path;

HttpWebRequest request = WebRequest.Create(url) as HttpWebRequest;

request.Headers.Add("Authorization", authHeader);
request.Headers.Add("x-amz-date", today);

HttpWebResponse res = request.GetResponse() as HttpWebResponse;
```

Any suggestions for fixing this issue?

franklinsijo
kostas
  • Are you sure your signature generation is correct and that your secret and key grant access to the resource? Have you tried doing what you're doing with the [AWS CLI](https://aws.amazon.com/cli/) or through the [AWS SDK for .net](https://aws.amazon.com/sdk-for-net/)? – wkl Jan 19 '17 at 15:41
  • It is strongly advised that you use the SDKs whenever possible. The SDKs will handle the request signing for you. This will be much less error prone. – spg Jan 19 '17 at 17:02
  • I used the SDK for testing and everything worked fine. I must use the REST API for my solution. Are there any examples of signature generation? I searched the Amazon documentation but I came up with this code above. – kostas Jan 19 '17 at 17:44
  • You say it's a `Forbidden` error... but what does the XML in the response body look like? S3 errors are usually pretty informative. – Michael - sqlbot Jan 20 '17 at 02:29
  • I can't get an S3 error since it's an HTTP request. Am I wrong? – kostas Jan 20 '17 at 14:19
  • The HTTP request should return an XML block that describes the problem if you're getting errors. – wkl Jan 20 '17 at 18:21
  • wkl is correct; there should be an error message returned in the content of the response. It will be in XML format. – kaifong Apr 26 '18 at 12:25

1 Answer


Here is how the signature works: http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html

Read through the steps here: http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html

Things to pay attention to:

- signing algorithm (SHA1 or SHA256). I don't see it passed in the headers for you
- time on your computer. Make sure the time and the tz are correct or the signing will fail
- the request is in a canonical form (the right string stripping / substitutions happen). The parameters are sorted
- you specify the signature version + you use the right date. See: http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html (does not look like you are doing the right things).

As other comments say: when given the choice, use the SDK or, for the language you are using, find an example someone already has working.

Mircea
  • The code above is [Signature Version 2](http://docs.aws.amazon.com/general/latest/gr/signature-version-2.html). At first glance it looks pretty close. Not all regions support Sig V2 but there's a [specific error](http://stackoverflow.com/a/26538266/1695906) for that condition. – Michael - sqlbot Jan 20 '17 at 02:27
  • Still can't make it work. I changed the code. I would appreciate it if you could take a look at the newest post. – kostas Jan 20 '17 at 14:26
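
The checklist in the answer (algorithm named in the header, date, canonical form with sorted headers, signature version) maps onto a Signature Version 4 calculation as follows. This is an added example, not code from the question, the answer, or AWS; the class and method names are hypothetical, the credentials are placeholders, and the region `us-east-1` is an assumption (the page does not state the bucket's region).

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class SigV4Example   // hypothetical name, for illustration only
{
    static byte[] Hmac(byte[] key, string data)
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.UTF8.GetBytes(data));
    }
    static string Hex(byte[] b) => string.Concat(b.Select(x => x.ToString("x2")));
    static string Sha256Hex(string s)
    {
        using (var sha = SHA256.Create()) return Hex(sha.ComputeHash(Encoding.UTF8.GetBytes(s)));
    }

    // Builds the Authorization header for a GET of one object. 'path' must already be
    // URI-encoded; 'amzDate' must be the exact value sent in the x-amz-date header.
    public static string SignGet(string accessKey, string secretKey, string region,
                                 string host, string path, string amzDate)
    {
        string day = amzDate.Substring(0, 8);
        string payloadHash = Sha256Hex("");   // empty GET body; also sent as x-amz-content-sha256
        string signedHeaders = "host;x-amz-content-sha256;x-amz-date"; // lowercase, sorted
        string canonicalRequest = string.Join("\n",
            "GET", path, "",                  // empty canonical query string
            "host:" + host, "x-amz-content-sha256:" + payloadHash, "x-amz-date:" + amzDate,
            "", signedHeaders, payloadHash);
        string scope = day + "/" + region + "/s3/aws4_request";
        string stringToSign = string.Join("\n",
            "AWS4-HMAC-SHA256", amzDate, scope, Sha256Hex(canonicalRequest));
        // Signing key: HMAC chain over date, region, service, and the fixed terminator.
        byte[] key = Hmac(Encoding.UTF8.GetBytes("AWS4" + secretKey), day);
        key = Hmac(Hmac(Hmac(key, region), "s3"), "aws4_request");
        return "AWS4-HMAC-SHA256 Credential=" + accessKey + "/" + scope +
               ", SignedHeaders=" + signedHeaders + ", Signature=" + Hex(Hmac(key, stringToSign));
    }

    static void Main()
    {
        // Placeholder credentials; region is assumed, bucket and key are from the question.
        string amzDate = DateTime.UtcNow.ToString("yyyyMMdd'T'HHmmss'Z'", CultureInfo.InvariantCulture);
        Console.WriteLine("x-amz-date: " + amzDate);
        Console.WriteLine("Authorization: " + SignGet("ACCESS_KEY_PLACEHOLDER",
            "SECRET_KEY_PLACEHOLDER", "us-east-1", "rethymno.s3.amazonaws.com", "/aasdf.txt", amzDate));
    }
}
```

Every header named in `SignedHeaders` has to be sent with exactly the value that was signed, so the request must carry the same `x-amz-date` and an `x-amz-content-sha256` header holding the empty-body hash.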