NutcaseDeveloper

Reputation: 191

AWS S3 GET Request with Query Parameters throws Forbidden (403) with SignatureDoesNotMatch

I am stuck with a very weird issue while trying to perform a GET request on AWS S3 with Canonical Request with Query Parameters. Below is my canonical Request which is failing.

Canonical Request with Query Parameters:

GET
/
list-type=2&prefix=20170120
content-type:text/plain
host:<bucket>.s3-ap-south-1.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20170217T084710Z

content-type;host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

I am getting this 403 Error in the response.

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>******MyAccessKey******</AWSAccessKeyId><StringToSign>AWS4-HMAC-SHA256
20170217T084710Z
20170217/ap-south-1/s3/aws4_request
a34d06c9bbfb4f1c6ac8f168843fdac894b40251179cd0846c046bdf25e0576a</StringToSign><SignatureProvided>c6ac3eaba7b1ba2f4e83c296a5132aaed76d96845e995896db0490a1850d5934</SignatureProvided><StringToSignBytes>41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 31 37 30 32 31 37 54 30 38 34 37 31 30 5a 0a 32 30 31 37 30 32 31 37 2f 61 70 2d 73 6f 75 74 68 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 61 33 34 64 30 36 63 39 62 62 66 62 34 66 31 63 36 61 63 38 66 31 36 38 38 34 33 66 64 61 63 38 39 34 62 34 30 32 35 31 31 37 39 63 64 30 38 34 36 63 30 34 36 62 64 66 32 35 65 30 35 37 36 61</StringToSignBytes><CanonicalRequest>GET
/

content-type:text/plain
host:<bucket>.s3-ap-south-1.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20170217T084710Z

content-type;host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</CanonicalRequest><CanonicalRequestBytes>47 45 54 0a 2f 0a 0a 63 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 74 65 78 74 2f 70 6c 61 69 6e 0a 68 6f 73 74 3a 6d 65 64 69 2d 61 73 73 69 73 74 2e 73 33 2d 61 70 2d 73 6f 75 74 68 2d 31 2e 61 6d 61 7a 6f 6e 61 77 73 2e 63 6f 6d 0a 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35 0a 78 2d 61 6d 7a 2d 64 61 74 65 3a 32 30 31 37 30 32 31 37 54 30 38 34 37 31 30 5a 0a 0a 63 6f 6e 74 65 6e 74 2d 74 79 70 65 3b 68 6f 73 74 3b 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3b 78 2d 61 6d 7a 2d 64 61 74 65 0a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35</CanonicalRequestBytes><RequestId>053E8FA17F65DD3D</RequestId><HostId>b+BWn4unlVXDA28WO6H+R6T7cLSdwADlsCxGmzlbjTI3jGpAY5jNVedAcL7Jta5zcCISd2R7e6o=</HostId></Error>

Now when I do the same request without the query string, it works fine.

Canonical Request which works

GET
/

content-type:text/plain
host:<bucket>.s3-ap-south-1.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20170217T094656Z

content-type;host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

My credentials have Admin Privileges so all actions are allowed on the bucket. Can someone please help me point out what I am doing wrong here?

Upvotes: 0

Views: 1978

Answers (1)

NutcaseDeveloper

Reputation: 191

Just realized my mistake while reviewing the question. I was missing the query string parameter while making the request. That is where the issue was happening. I should have checked the response Canonical Request String which clearly shows the query string missing.

Incorrect URI: https://<bucket>.s3-ap-south-1.amazonaws.com/ This will cause an error, as S3 will not see the query string parameter in the request, but the same will be available in the Canonical Request.

Correct URI (with query string parameter): https://<bucket>.s3-ap-south-1.amazonaws.com/?list-type=2&prefix=20170120 This will work, as now S3 will see the query string in the raw request and the same will be available in the canonical request as well.

Upvotes: 1
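
One way to avoid the mismatch described in the answer above, as an added example that is not part of the original post: derive the canonical query string from the same URL that is sent, and locate the first line where the client's canonical request differs from the `<CanonicalRequest>` S3 echoes in the error. The bucket name `example-bucket` and the helper function names are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit, parse_qsl, quote, unquote

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less GET

def canonical_query(query):
    """SigV4 canonical query string: URI-encode each name/value, then sort."""
    pairs = parse_qsl(query, keep_blank_values=True)
    enc = sorted((quote(k, safe="-_.~"), quote(v, safe="-_.~")) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in enc)

def canonical_request(method, url, headers, payload_hash=EMPTY_SHA256):
    """Build the canonical request from the exact URL that goes on the wire,
    so the signed query string cannot drift from the one actually sent."""
    parts = urlsplit(url)
    hdrs = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    return "\n".join([
        method,
        quote(unquote(parts.path) or "/", safe="/-_.~"),
        canonical_query(parts.query),
        "".join(f"{k}:{v}\n" for k, v in hdrs),  # each header line ends with \n
        ";".join(k for k, _ in hdrs),
        payload_hash,
    ])

def first_mismatch(client_cr, server_cr):
    """Return (line_no, client_line, server_line) of the first difference
    between two canonical requests, or None when they are identical."""
    a, b = client_cr.split("\n"), server_cr.split("\n")
    for i in range(max(len(a), len(b))):
        x = a[i] if i < len(a) else None
        y = b[i] if i < len(b) else None
        if x != y:
            return i + 1, x, y
    return None

# Constructed sample input: "example-bucket" stands in for the redacted bucket.
HOST = "example-bucket.s3-ap-south-1.amazonaws.com"
HEADERS = {"Content-Type": "text/plain", "Host": HOST,
           "x-amz-content-sha256": EMPTY_SHA256, "x-amz-date": "20170217T084710Z"}

# What the client signed (query included) vs. what S3 rebuilds when the
# request is sent to the bare URL, as in the <CanonicalRequest> error element.
signed = canonical_request("GET", f"https://{HOST}/?list-type=2&prefix=20170120", HEADERS)
echoed = canonical_request("GET", f"https://{HOST}/", HEADERS)

if __name__ == "__main__":
    print(first_mismatch(signed, echoed))
```
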
