Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter..?

Question

I am trying to send a PUT request to an amazonS3 presigned URL. My request seems to be called twice even if I only have one PUT request. The first request returns 200 OK, the second one returns 400 Bad Request.

Here is my code:

var req = {
    method: 'PUT',
    url: presignedUrl,
    headers: {
        'Content-Type': 'text/csv'
    },
    data: <some file in base64 format>
};

$http(req).success(function(result) {
    console.log('SUCCESS!');
}).error(function(error) {
    console.log('FAILED!', error);
});

The 400 Bad Request error in more detail:

<?xml version="1.0" encoding="UTF-8"?>
<Error>
   <Code>InvalidArgument</Code>
   <Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message>
   <ArgumentName>Authorization</ArgumentName>
   <ArgumentValue>Bearer someToken</ArgumentValue>
   <RequestId>someRequestId</RequestId>
   <HostId>someHostId</HostId>
</Error>

What I don't understand is, why is it returning 400? and What's the workaround?

Answer 1

I was also facing the same error so to remove Authorization, you can do like following, this will work!!!

const uploadAxios = axios.create({
    headers: {
      Accept: 'application/json',
      Authorization: undefined,
    },
  });

  const uploadFileToPresignedUrl = async (uploadUrl, fileType, file) => {
    try {
      const response = await uploadAxios.put(uploadUrl, file, {
        headers: {
          'Content-Type': fileType,
        },
      });

      console.log('headers ', response.headers);
    } catch (error) {
      console.error('PUT request failed:', error);
    }
  };

Answer 2

Flutter: if you experience this with the http dart package, then upgrade to Flutter v2.10!

Related bugs in dart issue tracker:

• https://github.com/dart-lang/sdk/issues/47246
• https://github.com/dart-lang/sdk/issues/45410

--> these has been fixed in dart 2.16, which has been shipped with Flutter v2.10! https://medium.com/dartlang/dart-2-16-improved-tooling-and-platform-handling-dd87abd6bad1

Answer 3

I was using django restframework. I applied Token authentication in REST API. I use to pass token in request header (used ModHeader extension of Browser which automatically put Token in Authorization of request header) of django API till here every thing was fine.

But while making a click on Images/Files (which now shows the s3 URL). The Authorization automatically get passed. Thus the issue.

Link look similar to this.

https://.s3.amazonaws.com/media//small_image.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=XXXXXXXXXXXXXXXXXXXXX%2F20210317%2Fap-south-XXXXXXXXFaws4_request&X-Amz-Date=XXXXXXXXXXXXXXX&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

I lock the ModHeader extension to pass Authorization Token only while making rest to REST API and not while making resquest to S3 resources. i.e. do not pass any other Authorization while making request to S3 resource.

It's a silly mistake. But in case it helps.

Answer 4

import 'package:dio/adapter.dart';
import 'package:dio/dio.dart';
import 'package:scavenger_inc_flutter/utils/AuthUtils.dart';
import 'package:scavenger_inc_flutter/utils/URLS.dart';

class ApiClient {
  static Dio dio;

  static Dio getClient() {
    if (dio == null) {
      dio = new Dio();
      dio.httpClientAdapter = new CustomHttpAdapter();
    }
    return dio;
  }
}

class CustomHttpAdapter extends HttpClientAdapter {
  DefaultHttpClientAdapter _adapter = DefaultHttpClientAdapter();

  @override
  void close({bool force = false}) {
    _adapter.close(force: force);
  }

  @override
  Future<ResponseBody> fetch(RequestOptions options,
      Stream<List<int>> requestStream, Future<dynamic> cancelFuture) async {
    String url = options.uri.toString();
    if (url.contains(URLS.IP_ADDRESS) && await AuthUtils.isLoggedIn()) {
      options.followRedirects = false;
      options.headers.addAll({"Authorization": await AuthUtils.getJwtToken()});
    }
    final response = await _adapter.fetch(options, requestStream, cancelFuture);

    if (response.statusCode == 302 || response.statusCode == 307) {
      String redirect = (response.headers["location"][0]);
      if(!redirect.contains(URLS.IP_ADDRESS)) {
        options.path = redirect;
        options.headers.clear();
      }
      return await fetch(options, requestStream, cancelFuture);
    }

    return response;
  }
}

1. I disallowed following redirects.

2. Used the response object to check if it was redirected.

3. If it was 302, or 307, (HTTP Redirect Codes), I resent the request after clearing the Auth Headers.

4. I used an additioal check to send the headers only if the path contained my specific domain URL (or IP Address in this example).

All of the above, using a CustomHttpAdapter in Dio. Can also be used for images, by changing the ResponseType to bytes.

Let me know if this helps you!

Answer 5

The message says that ONLY ONE authentication allowed. It could be that You are sending one in URL as auth parameters, another - in headers as Authorization header.

Answer 6

For the Googlers, if you're sending a signed (signature v4) S3 request via Cloudfront and "Restrict Bucket Access" is set to "Yes" in your Cloudfront Origin settings, Cloudfront will add the Authorization header to your request and you'll get this error. Since you've already signed your request, though, you should be able to turn this setting off and not sacrifice any security.

Answer 7

Also, the 400 "invalid argument" may surface as a result of wrong config/credentials for your S3::Presigner that is presigning the url to begin with. Once you get past the 400, you may encounter a 501 "not implemented" response like I did. Was able to solve it by specifying a Content-Length header (specified here as a required header). Hopefully that helps @arjuncc, it solved my postman issue when testing s3 image uploads with a presigned url.

Answer 8

I know this may be too late to answer, but like @mlohbihler said, the cause of this error for me was the Authorization header being sent by the http interceptor I had setup in Angular. Essentially, I had not properly filtered out the AWS S3 domain so as to avoid it automatically getting the JWT authorization header.

Answer 9

Your client is probably sending an initial request that uses an Authorization header, which is being responded with a 302. The response includes a Location header which has a Signature parameter. The problem is that the headers from the initial request are being copied into the subsequent redirect request, such that it contains both Authorization and Signature. If you remove the Authorization from the subsequent request you should be good.

This happened to me, but in a Java / HttpClient environment. I can provide details of the solution in Java, but unfortunately not for AngularJS.