Query parameters with AWS signature version 4 on static website

Question

I can get query parameters with AWS signature version 4 working correctly by following Amazon's documentation at https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html, but I'm unable to do a GET on a static website with query parameters. For instance, if a have a bucket testbucket, https://s3.amazonaws.com/testbucket/key?<QUERY_PARAMS> works fine, but http://testbucket.s3-website-us-east-1.amazonaws.com/key?<QUERY_PARAMS> does not work. Ultimately I'd use a Cloudfront address to get https since static websites don't support https out-of-the-box, but the first step is to get it working with a static website.

I would like to get this working on a static website so I can follow https://aws.amazon.com/blogs/compute/resize-images-on-the-fly-with-amazon-s3-aws-lambda-and-amazon-api-gateway/, which requires forwarding 404 (and 403) GET responses to another host. That blog post does not assume one is using signature version 4 query parameters, which is what is tripping me up.

My question is: How can I set up signature version 4 query parameters to work with a static website?

I've tried changing the endpoint url for the signer to http://testbucket.s3-website-us-east-1.amazonaws.com/key.

Answer 1

The AWS pre-signed signature will only work with S3 API calls. Those being executed against s3.amazonaws.com.

The website endpoints do not support API AWS authentication. This is the reason why it's not working for you.

When you're using S3 to host files that are protected using pre-signed URLs (for example), the files must be served using the API endpoints, not the website endpoints.