As per the boto3 docs, the generate_presigned_url method takes ClientMethod argument, which is the method for which the presigned url has to be created. So which client methods are supported by it?
I tried, head_object method. It failed to work on sending request to presigned url and I got SignatureDoesNotMatch error.
Related
I am using CreatePolicy API to create a policy with specific permissions. Initially passed json code as a value to query string parameter "PolicyDocument" but the request failed with code 400 Bad request. While testing through postman found that we have to urlencode given policy document. This solution worked fine on postman but not on my HTTP Client. Error - "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details". Code is working fine for all other APIs even for IAM Get request, but failing when policy doc is being sent as a query string or as a body. Possibly there is something wrong while calculating the signature for IAM api with url encoded policy doc.
Ref - https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html
Tried passing policy doc as a request body and header - "Content-Type:application/x-www-form-urlencoded". (body is JSON converted to string)
Tried passing policy doc as a query parameter which is url-encoded
Note - Both these methods worked fine when testing them through postman
I am using AWS Cloudfront to serve static html and images from a private s3 bucket. I need an authentication layer and have a requirement to use Microsoft SSO. To trigger the authentication check, I have a Lambda function connected to a Cloudfront Viewer Request.
From what I understand, I need to return the Request in a callback method when I want to get past the viewer request (after authentication). My issue is that the Microsoft SSO redirect's to the Cloudfront URL using an HTTP POST. If I return the request, Cloudfront attempts to POST to an S3 (or sends a MethodNotAllowed when I disable POST). I need this to be a GET request, but do not know how I can change it. According to the docs, the HTTP of the request object is read only.
I have tried redirecting to the Cloudfront URL when posting or serving a simple HTML that links to the html I want, but these both result in the Viewer Request being called again.
Has anyone handled a similar situation?
You should be able to return a redirect, but set the status code to 303 instead of one of the other 3xx codes. This is See Other which results in the browser following the redirect but using GET on the second request. There is no way to trick CloudFront into believing the method changed -- a redirect is required.
I am trying to understand how PUT method works for uploading a file to s3 using presigned url.
I am generating a presigned url using boto3 library for a put call. The generated url looks like this:
https://My_bucket.s3.amazonaws.com/?AWSAccessKeyId=<ACCESS_KEY>&Signature=<Signature>&x-amz-security-token=<SEC_TOKEN>&Expires=<Expires>
In order to generate a v4 signature, I need KeyId and SecretAccessKey.
If we look at the url above, we can see that the KeyId matches to AWSAccessKeyId but there is no SecretAccessKey.
I have generated the presigned url using an account that has administrative privileges (it also has read/write access to the s3 bucket). From my understanding, any non privileged user can use the information in the link to upload a file to s3.
There is quite a bit of documentation but frankly, I am extremely confused.
I would appreciate if someone can explain
1. how the signature is used.
2. Where is the secret_access_key? Is this derived from signature?
3. How do I correctly generate a v4 signature using the uri query parameters from the signed url?
When I tried to use the signature I generated, I get an error
The authorization header is malformed; the authorization component
"Credential=SIGNATURE/20191217/ap-south-1/s3/aws4_request" is malformed.
The issue here was, the location of the bucket is in different region than the code that generates the pre-signed url.
The following code works for me.
import boto3
from botocore.client import Config
s3_client = boto3.client('s3', endpoint_url='http://s3.ap-south-1.amazonaws.com', config=boto3.session.Config(signature_version='s3v4'))
response = None
try:
response = s3_client.generate_presigned_url(
'put_object',
Params={
'Bucket': 'bucket-name-to-presign-south1',
'Key': 'car.jpg'},
ExpiresIn=5000)
print(response)
except Exception as e:
print("In client error exception code")
print(e)
The following reference helped me to look in the right direction:
https://javiermunhoz.com/blog/2016/02/01/on-s3-endpoints-regions-signatures-and-boto-3.html
I created an AWS Lambda function which invokes the endpoint of ML model I created in sagemaker. I tested it and it's working fine. Next I created REST API that calls this lambda function. I set any authentication type as NONE. Anyone with the url can access it. I created it following this aws blog. I tested my url in postman. It's working fine in postman but when I entered the url in chrome, its throwing {"message":"Missing Authentication Token"} error. Can someone please tell how do I get rid of that error while testing my url in chrome
The error is misleading. It's got absolutely nothing to do with tokens. What is actually happening is that the URL you are trying to access is invalid.
API Gateway's URL looks like this: https://xxxxxxx.execute-api.some-region.amazonaws.com/your-stage but it's very likely that you created an endpoint on API Gateway, which would then be accessible via https://xxxxxxx.execute-api.some-region.amazonaws.com/your-stage/YOUR_ENDPOINT
If you hit the base URL or a path which does not exist, you will get that weird, misleading Missing Authentication Token message.
So, long story short, hit a valid path for your API and it should work just fine.
Tip: maybe you are doing a POST request via Postman but whenever you try with the browser it issues a GET request, which would also result in an invalid path and therefore the Missing Authentication Token message.
I'm trying to send a POST request to a REST service via AWS API Gateway.
The content-type of the request should be 'application/x-www-form-urlencoded'. It's an authentication service that I'm trying to access. I'm sending 'username' and 'password' in my request body.
When I send the the request via Postman, it works ( It's giving me the proper response ).
But I want to create an API from the API Gateway to access this endpoint.
When I create a POST method in the API Gateway and try to test it without specifying any content-type, the back-end server tells me to send the request by using the content-type 'application/x-www-form-urlencoded'.
Then when I try to put the content-type in 'Mapping Template' section in the 'Integration Request' of the API, the request doesn't even hit the backend. There's an error ( a JSON response ) comes when I test it, saying 'Unsupported Media Type'.
Does anyone out here knows any workaround for this?
I found the solution.
In order to access a POST service using the content-type ‘application/x-www-form-urlencoded’ in API Gateway, make sure you are doing the following in the API console.
Make sure you have enabled the ‘Use HTTP Proxy integration’ as the following in the ‘Integration Request’ section.
When you test the request, make sure you are putting the content type ‘application/x-www-form-urlencoded’ inside the Header’s box as in the following.
And the request body should be like the following as well.
username=user#wellcomww.com.au&password=123456