
I've successfully used curl as a POC to compute signatures on the fly and PUT user files directly to Amazon S3: Direct file upload to S3 using sigv4

Now I'm working on my real case: browser-based uploads using POST.

I'm following the instructions described here: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-post-example.html

I'm computing my signature and using a corresponding form, minus some fields (see Form below).

Strangely, I got an error after form submit (see MissingSignatureError below)... I'm forced to add a "Signature" field which is not present in the Amazon example form. And when I replace my "X-Amz-Signature" field with "Signature", the typical "SignatureDoesNotMatch" error appears.

This seems very weird to me. Why is this? Is Amazon not automatically using Sigv4? Is the Amazon documentation incorrect?


Form

```html
<form action="https://??.s3.amazonaws.com/" method="post" enctype="multipart/form-data">
    Key to upload: <input type="input" name="key" value="recordtest/testpost.jpg" /><br />
    Content-Type: <input type="input" name="Content-Type" value="image/jpeg" /><br />
    <input type="hidden" name="AWSAccessKeyId" value="??" />
    <input type="text" name="X-Amz-Credential" value="??/eu-west-1/s3/aws4_request" />
    <input type="text" name="X-Amz-Algorithm" value="AWS4-HMAC-SHA256" />
    <input type="text" name="X-Amz-Date" value="20170301T173312Z" />
    <input type="hidden" name="Policy" value="eyAiZXhwaXJhdGlvbiI6ICIyMDE3LTAzLTAxVDE4OjMzOjEyLjc0MFoiLAogICJjb25kaXRpb25zIjogWwogICAgeyJidWNrZXQiOiAidGVsbWVkLXRlc3QifSwKICAgIHsieC1hbXotY3JlZGVudGlhbCI6ICJBS0lBSlA1STZaS1JPUkpHNDZaQS8yMDE3MDMwMS9ldS13ZXN0LTEvczMvYXdzNF9yZXF1ZXN0In0sCiAgICB7IngtYW16LWFsZ29yaXRobSI6ICJBV1M0LUhNQUMtU0hBMjU2In0sCiAgICB7IngtYW16LWRhdGUiOiAiMjAxNzAzMDFUMTczMzEyWiJ9CiAgXQp9" />
    <input type="hidden" name="X-Amz-Signature" value="38f054500c98f0df20a3bdb165d3a24659dafd5c7f9c8961f7aaa1694660a980" />
    File: <input type="file" name="file" /> <br />
    <!-- The elements after this will be ignored -->
    <input type="submit" name="submit" value="Upload to Amazon S3" />
</form>
```

MissingSignatureError

```xml
<Error>
  <Code>InvalidArgument</Code>
  <Message>
    Bucket POST must contain a field named 'Signature'. If it is specified, please check the order of the fields.
  </Message>
</Error>
```

SignatureDoesNotMatch

```xml
<Error>
  <Code>SignatureDoesNotMatch</Code>
  <Message>
    The request signature we calculated does not match the signature you provided. Check your key and signing method.
  </Message>
  ...
</Error>
```
Azzip
  • This may or may not be a duplicate of [AWS S3 browser upload using HTTP POST gives invalid signature](http://stackoverflow.com/a/40823111/1695906) but the issue seems to be very similar -- you're intermingling elements of Signature V2 (`AWSAccessKeyId`) and Signature V4 (`X-Amz-Credential` and `X-Amz-Signature`). You don't want both. Remove `AWSAccessKeyId`. – Michael - sqlbot Mar 02 '17 at 00:46
  • Yes, I realized this myself later while recopy-pasting the Amazon example. For some reason, if you're adding some superfluous Signature V2 fields such as "AWSAccessKeyId", Amazon is using Signature V2. In other words, the X-Amz-Algorithm is not necessarily the only field considered for testing your signature ... Anyway, thanks for the answer, now everything works. Next step will be multi-part simultaneous upload :) – Azzip Mar 02 '17 at 09:40
  • Correct. Once the system has "concluded" that you're using V2, the authentication code isn't going to proceed to a point where `X-Amz-Algorithm` would be checked unless you had a full set of V2 parameters (`AWSAccessKeyId`, `Signature`, `Expires`). If *that* is true, the system would *then* complain that you were sending conflicting auth version parameters. I'm glad you got it fixed. Good luck with implementing multipart -- it definitely can be done, I've done it myself. I'm going to go ahead and mark this question as a duplicate of the other one. – Michael - sqlbot Mar 02 '17 at 11:54
  • Potentially useful for your multipart adventure: the `ETag` of the final object uses a different algorithm than is used for objects created with a single `PUT`. It's the hex MD5 of the concatenated binary MD5s of the parts, then `-`, then the number of parts, [as described here](http://stackoverflow.com/a/19896823/1695906). – Michael - sqlbot Mar 02 '17 at 12:02
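
The fix discussed in the comments, as an added example that is not code from the question or from AWS: a server-side sketch that builds the Signature V4 POST fields and flags the V2 field names mentioned above before the form is rendered. The function names, bucket, keys, and size limit are constructed placeholders.

```python
import base64, hashlib, hmac, json

# V2 field names from the thread; per the comments, sending them selects the V2 code path.
V2_ONLY_FIELDS = {"AWSAccessKeyId", "Signature"}

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_policy(secret_key, date, region, policy_b64):
    """SigV4 POST: the base64-encoded policy is the string to sign."""
    k = _hmac(("AWS4" + secret_key).encode(), date)  # date is YYYYMMDD
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    return hmac.new(k, policy_b64.encode(), hashlib.sha256).hexdigest()

def build_post_fields(access_key, secret_key, bucket, key, content_type,
                      region, amz_date, expiration):
    credential = f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request"
    policy = {"expiration": expiration, "conditions": [
        {"bucket": bucket},
        {"key": key},                                    # pin the object key
        {"Content-Type": content_type},                  # every form field needs a condition
        ["content-length-range", 1, 10 * 1024 * 1024],   # assumed upload size limit
        {"x-amz-credential": credential},
        {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
        {"x-amz-date": amz_date},
    ]}
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    return {
        "key": key,
        "Content-Type": content_type,
        "X-Amz-Credential": credential,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Date": amz_date,
        "Policy": policy_b64,
        "X-Amz-Signature": sign_policy(secret_key, amz_date[:8], region, policy_b64),
    }

def mixed_version_fields(fields):
    """Return V2 field names that appear alongside V4 (X-Amz-*) fields."""
    has_v4 = any(name.lower().startswith("x-amz-") for name in fields)
    return sorted(V2_ONLY_FIELDS & set(fields)) if has_v4 else []

# Constructed sample values; the keys are placeholders, not real credentials.
FIELDS = build_post_fields(
    "AKIAEXAMPLEEXAMPLE", "constructed-secret-key", "example-bucket",
    "recordtest/testpost.jpg", "image/jpeg", "eu-west-1",
    "20170301T173312Z", "2017-03-01T18:33:12.740Z")
```

Render each entry of `FIELDS` as a form input ahead of the `file` input, and reject the form if `mixed_version_fields` returns anything.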
