user2736025

Reputation: 43

How to use my signed-certificate to generate pre-signed URL to object at Amazon S3

I'd like to generate a secure pre-signed URL for the objects stored in Amazon S3. After I call the generatePresignedUrl function in the Java SDK by passing the resource key and bucket name, it returns a URL whose format is like https://{bucketname}.amazonaws.com{key}?AWSAccessKeyId=AKIAJ2ZNsY7UUIH7XMQA&Expires=1510834637&Signature=mkRSZBMdf4kAqCQr%2FMLQ2BMMI86Q%3D

The returned URL is being accessed by XMLHttpRequest via JavaScript code. I'm doing a simple GET request to my URL and I get the error ERR_INSECURE_RESPONSE in the web browser. The reason is that the certificate used in data transfer is a user-signed certificate, meaning it is not validated by a certificate authority, so that's why the browser refuses to get the resource. I'd like to use my signed certificate in resource access at Amazon S3 to prevent this error from occurring. How can I instruct Amazon S3 to use my certificate rather than continue to use Amazon's unsecure user-signed certificate?

Greatly appreciated...

Upvotes: 3

Views: 2825

Answers (3)

arnfred

Reputation: 353

Following from Yves' answer, you can generate presigned URLs that work with SSL using the Java SDK by specifying an empty bucket and concatenating the bucket with the object key.

So if you had the following call before:

s3Client.generatePresignedUrl(<bucket>, <key>, <expiration>)

You can get a valid and SSL-friendly URL by instead calling:

s3Client.generatePresignedUrl("", <bucket> + "/" + <key>, <expiration>)

Upvotes: 1

Yves M.

Reputation: 31006

Explicitly specify the region during presign

When you get a URL pre-signature, you can use many different URLs (not mentioning HTTP and HTTPS variations of the URL).

Note that I'm deliberately choosing a bucket name with a dot: bucket.name

If you go aws s3 presign s3://bucket.name/object you get

https://s3.amazonaws.com/bucket.name/object?AWSAccessKeyId=xxxxx&Signature=xxxxx&Expires=1543942893

Which redirects you to

https://bucket.name.s3.amazonaws.com/object?AWSAccessKeyId=xxxxx&Signature=xxxxx&Expires=1543942893

As mentioned, the dot in the bucket name will make the default certificate invalid.

But when you explicitly specify the region like that aws s3 presign --region=eu-west-1 s3://bucket.name/object you get:

https://s3.eu-west-1.amazonaws.com/bucket.name/object?AWSAccessKeyId=xxxxx&Signature=xxxxx&Expires=1543943326

Which is working nicely without needing you to remove the dot in your bucket name.

Upvotes: 0

user2736025

Reputation: 43

I found the error. It's because my bucket name contains dots, and because of that the browser recognized it as a different domain and did not validate the security certificate issued by Amazon.

Upvotes: 1
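
The following is an added example, not code from any of the posts above. It shows why a browser rejects the virtual-hosted-style host for a dotted bucket name while accepting the path-style host: a certificate wildcard covers exactly one hostname label. The certificate names returned by `certNamesFor` are an assumption about what the S3 endpoints present, and all function names are hypothetical.

```javascript
// Assumption: each S3 endpoint certificate lists the bare endpoint name
// plus a single-label wildcard under it.
function certNamesFor(region) {
  const base = region ? `s3.${region}.amazonaws.com` : "s3.amazonaws.com";
  return [base, `*.${base}`];
}

// Browser-style hostname check: "*" is only honoured as the whole
// left-most label and stands for exactly one label, never for "a.b".
function certNameMatches(pattern, host) {
  const p = pattern.toLowerCase().split(".");
  const h = host.toLowerCase().split(".");
  if (p.length !== h.length) return false;
  return p.every((label, i) =>
    i === 0 && label === "*" ? h[0].length > 0 : label === h[i]);
}

function hostIsCovered(host, certNames) {
  return certNames.some((name) => certNameMatches(name, host));
}

const encodeKey = (key) => key.split("/").map(encodeURIComponent).join("/");

// Virtual-hosted style: the bucket becomes part of the hostname.
function virtualHostedUrl(bucket, key) {
  return `https://${bucket}.s3.amazonaws.com/${encodeKey(key)}`;
}

// Path style: the bucket stays in the path, so the hostname is fixed.
function pathStyleUrl(bucket, key, region) {
  return `https://s3.${region}.amazonaws.com/${bucket}/${encodeKey(key)}`;
}

// Decide which addressing style to configure before presigning.
function pickStyle(bucket) {
  const host = new URL(virtualHostedUrl(bucket, "x")).hostname;
  return hostIsCovered(host, certNamesFor()) ? "virtual-hosted" : "path";
}

// Constructed sample input: the dotted bucket name used in the answer above.
for (const bucket of ["mybucket", "bucket.name"]) {
  console.log(bucket, "->", pickStyle(bucket));
}
```
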
