keetz

Reputation: 31

SignatureDoesNotMatch error when sending optional parameters to AWS S3

I’m trying to use the getBucketObjectVersions operation with signature v4 to get the bucket object versions. If I don’t add any request parameters, as in the sample request below, I am able to get the response successfully.

GET /signv4testq23a1/?versions
Authorization: AWS4-HMAC-SHA256 Credential=AKXXXXXXXXXXXEA/20171220/us-east-2/s3/aws4_request,SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date,Signature=fe3d26c4sdasdasd7fa15324XXXXX563dsf148df58d131b4cede6
x-amz-content-sha256: UNSIGNED-PAYLOAD
x-amz-date: Wed, 20 Dec 2017 07:22:14 GMT
Content-Type: application/xml
Host: s3.us-east-2.amazonaws.com

If I add any request parameters, as in the sample request below, I’m getting the SignatureDoesNotMatch error. Please note that the canonical request which is generated when calculating the signature is the same as the canonical request expected by the backend service. But I’m getting a different hashed canonical request value expected in the StringToSign value from the backend service.

What could be the reason?

Sample request with request parameter:

GET /signv4testq23a1/?versions&delimiter=/
Authorization: AWS4-HMAC-SHA256 Credential=AKXXXXXXXXXXXEA/20171220/us-east-2/s3/aws4_request,SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date,Signature=192ce5f5e6b661bd5aXXXXXXXXXXXEAe5f50fbe8efda5a3e967d4f27972e 
x-amz-date: Wed, 20 Dec 2017 08:53:17 GMT
Content-Type: application/xml
Host: s3.us-east-2.amazonaws.com

Canonical request:

GET
/signv4testq23a1/
delimiter=%2F&amp;versions=
content-type:application/xml
host:s3.us-east-2.amazonaws.com
x-amz-content-sha256:UNSIGNED-PAYLOAD
x-amz-date:Wed, 20 Dec 2017 08:53:17 GMT

content-type;host;x-amz-content-sha256;x-amz-date
UNSIGNED-PAYLOAD


Upvotes: 0

Views: 2279

Answers (1)

Michael - sqlbot

Reputation: 179374

This is a problem:

delimiter=%2F&amp;versions=

The keys and values should be url-escaped (encoded), but the & between parameters should not be escaped as &amp;... it should just be &. You need to encode each key and value on its own, rather than the entire string once sorted and assembled.

CanonicalQueryString specifies the URI-encoded query string parameters. You URI-encode name and values individually.

http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html

Upvotes: 1
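
The rule from the answer above, as an added example that is not part of the original posts: each name and value is URI-encoded on its own, the pairs are sorted and joined with a literal &, and the resulting hash is compared with the one produced when the assembled string is escaped afterwards. The function names are hypothetical, the header values are copied from the question, and html.escape is an assumed stand-in for whatever layer produced &amp;.

```python
import hashlib
import html
from urllib.parse import parse_qsl, quote

UNRESERVED = "-_.~"  # with A-Z a-z 0-9, the only characters SigV4 leaves unencoded


def canonical_query_string(raw_query):
    # keep_blank_values keeps sub-resources such as "versions" as "versions=".
    pairs = parse_qsl(raw_query, keep_blank_values=True)
    # Encode each name and each value on its own, so "/" becomes %2F.
    encoded = [(quote(k, safe=UNRESERVED), quote(v, safe=UNRESERVED)) for k, v in pairs]
    # Sort by encoded name, then join with a literal "&" (never "&amp;").
    return "&".join(f"{k}={v}" for k, v in sorted(encoded))


def canonical_request(method, path, query, headers, payload_hash):
    names = sorted(headers)  # header names are already lowercase here
    canonical_headers = "".join(f"{n}:{headers[n].strip()}\n" for n in names)
    return "\n".join([method, path, query, canonical_headers, ";".join(names), payload_hash])


def hashed(canonical):
    # This hex digest is the last line of StringToSign.
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


# Header values copied from the question's second request.
HEADERS = {
    "content-type": "application/xml",
    "host": "s3.us-east-2.amazonaws.com",
    "x-amz-content-sha256": "UNSIGNED-PAYLOAD",
    "x-amz-date": "Wed, 20 Dec 2017 08:53:17 GMT",
}


def compare(raw_query):
    good = canonical_query_string(raw_query)
    bad = html.escape(good)  # assumption: the assembled string was escaped as a whole
    return {q: hashed(canonical_request("GET", "/signv4testq23a1/", q, HEADERS,
                                        "UNSIGNED-PAYLOAD")) for q in (good, bad)}


if __name__ == "__main__":
    for query, digest in compare("versions&delimiter=/").items():
        print(f"{query:30} {digest}")
```

Printing both canonical requests next to the CanonicalRequest echoed in the SignatureDoesNotMatch error body shows which form the signer actually hashed.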
