
The docs for the latest sigv4 s3 browser upload post - http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-post-example.html - show that I need to use x-amz-signature, x-amz-credential, and policy.

If I try that, I get an error saying that I'm missing AWSAccessKeyId, which is not mentioned in the docs, and that the x-amz-signature needs to be signature.

String to sign:

Am I supposed to be doing the base64 bucket policy doc above, or am I supposed to be doing the canonical approach, such as the Python POST to DynamoDB - http://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html#sig-v4-examples-post?

Signature:

The canonical uses hmac hexdigest: `hmac.new(signing_key, (string_to_sign).encode('utf-8'), hashlib.sha256).hexdigest()`

The upload doc above uses hmac with base64: `Base64.encode64(OpenSSL::HMAC.digest('sha256', signaturekey, @policy))`.

Under the hood of the ruby sdk, it looks like they are using the non-hmac hexdigest: `OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), key, value)`.

Which method is needed to upload to s3?

FWIW, I'm using a SPA with Rails as an API, so I unfortunately don't have access to any rails view helpers.

I posted a question about my code yesterday, and unfortunately got shown a link that uses Rails view helpers.

Edit:

What the policy is sending:

```json
{"expiration":"2017-03-06T20:13:51Z",
 "conditions":[
     {"bucket":"example-development"},
     {"x-amz-credential":"AKIAIVVIZJHOBCBAB5CA/20170305/us-west-2/s3/aws4_request"},
     {"x-amz-algorithm":"AWS4-HMAC-SHA256"},
     {"x-amz-date":"20170305T000000Z"}
    ]
 }
```

What the form is sending:

```
Policy:"eyJleHBpcmF0aW9uIjoiMjAxNy0wMy0wNlQyMDoxOTowN1oiLCJjb25kaXRpb25zIjpbeyJidWNrZXQiOiJ3YXlkb3BlLWRldmVsb3BtZW50In0seyJ4LWFtei1jcmVkZW50aWFsIjoiQUtJQUlWVklaSkhPQkNCQUI1Q0EvMjAxNzAzMDUvdXMtd2VzdC0yL3MzL2F3czRfcmVxdWVzdCJ9LHsieC1hbXotYWxnb3JpdGhtIjoiQVdTNC1ITUFDLVNIQTI1NiJ9LHsieC1hbXotZGF0ZSI6IjIwMTcwMzA1VDAwMDAwMFoifV19"
X-Amz-Signature:"Cqjvo9aYCrb8PYHD+mUDjlOwKUzTpsI4d5/oycFAUBA="
key:"uploads/photo/photo/126/photo.jpg"
x-amz-algorithm:"AWS4-HMAC-SHA256"
x-amz-credential:"AKIAIVVIZJHOBCBAB5CA/20170305/us-west-2/s3/aws4_request"
x-amz-date:"20170305T000000Z"
```

The bucket policy and CORS contain zero conditions.

Jack Rothrock
  • You need `X-Amz-Algorithm` with a value of `AWS4-HMAC-SHA256` in your form and policy. You didn't mention this, and if it's absent, that might trigger the message about `AWSAccessKeyId` (which you should not typically use). And you should be using the policy document. – Michael - sqlbot Mar 05 '17 at 19:32
  • Updated with data that is being sent – Jack Rothrock Mar 05 '17 at 20:23

1 Answer


With an s3 browser upload, the string to sign should be the bucket config: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-UsingHTTPPOST.html

Follow the links at the bottom of the page.

Jack Rothrock
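
The signing steps for a SigV4 browser POST, as an added example that is not part of the original answer or of the AWS SDK: the string to sign is the Base64-encoded policy document, the key is the derived SigV4 signing key, and the signature goes into `x-amz-signature` hex-encoded. The function names, credentials, bucket and object key below are constructed placeholders.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'time'

# Derive the SigV4 signing key: an HMAC-SHA256 chain over date, region, service.
def sigv4_signing_key(secret_key, date_stamp, region, service = 's3')
  k_date    = OpenSSL::HMAC.digest('sha256', "AWS4#{secret_key}", date_stamp)
  k_region  = OpenSSL::HMAC.digest('sha256', k_date, region)
  k_service = OpenSSL::HMAC.digest('sha256', k_region, service)
  OpenSSL::HMAC.digest('sha256', k_service, 'aws4_request')
end

# Build the form fields a browser POSTs to the bucket endpoint (hypothetical helper).
def s3_post_fields(access_key:, secret_key:, bucket:, key:, region:,
                   now: Time.now.utc, ttl: 3600)
  now = now.getutc
  date_stamp = now.strftime('%Y%m%d')
  amz_date   = now.strftime('%Y%m%dT%H%M%SZ')
  credential = "#{access_key}/#{date_stamp}/#{region}/s3/aws4_request"

  # Every form field except the file, policy and signature needs a condition.
  policy = {
    'expiration' => (now + ttl).iso8601,
    'conditions' => [
      { 'bucket' => bucket },
      { 'key' => key },
      { 'x-amz-algorithm' => 'AWS4-HMAC-SHA256' },
      { 'x-amz-credential' => credential },
      { 'x-amz-date' => amz_date }
    ]
  }

  # String to sign is the Base64 policy itself, not a canonical request.
  policy_b64 = Base64.strict_encode64(JSON.generate(policy))
  signing_key = sigv4_signing_key(secret_key, date_stamp, region)
  signature = OpenSSL::HMAC.hexdigest('sha256', signing_key, policy_b64) # hex, not Base64
  { 'key' => key, 'policy' => policy_b64,
    'x-amz-algorithm' => 'AWS4-HMAC-SHA256', 'x-amz-credential' => credential,
    'x-amz-date' => amz_date, 'x-amz-signature' => signature }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; the secret key stays on the server (the Rails API).
  puts JSON.pretty_generate(s3_post_fields(
    access_key: 'AKIDEXAMPLE', secret_key: 'constructed-secret',
    bucket: 'example-bucket', key: 'uploads/photo.jpg', region: 'us-west-2'
  ))
end
```

An API endpoint can return these fields as JSON for the SPA to place in a `FormData` object ahead of the `file` field, so the secret key never reaches the browser.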