Home > Mobile >  Is there a way to access S3 Presigned URL via IPv6?
Is there a way to access S3 Presigned URL via IPv6?

Time:09-01

I need to access an object from S3 using presigned URL. The problem is that the client doesn't have a public IPv4, so I need to use IPv6. Usually you can just add dualstack to the URL (see https://docs.aws.amazon.com/AmazonS3/latest/userguide/dual-stack-endpoints.html) but a presigned URL includes the certificate only for the one generated. So if you try what I just mentioned, you get this in your response:

<Error>
    <Code>SignatureDoesNotMatch</Code>
    <Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
    <AWSAccessKeyId>ACCESSKEY</AWSAccessKeyId>
    <StringToSign>foo</StringToSign>
    <SignatureProvided>foo</SignatureProvided>
    <StringToSignBytes>41 [ ... ] 55 68 </StringToSignBytes>
    <CanonicalRequest>GET /FILE.zip X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=FOO/eu-central-1/s3/aws4_request&X-Amz-Date=20220901T103255Z&X-Amz-Expires=120&X-Amz-Security-Token=TOKEN_FOO&X-Amz-SignedHeaders=host&response-content-disposition=inline host:bucket.s3.dualstack.eu-central-1.amazonaws.com host UNSIGNED-PAYLOAD</CanonicalRequest>
    <CanonicalRequestBytes>47 [ ... ] 41 44</CanonicalRequestBytes>
    <RequestId>RFGJSDFK454B9967</RequestId>
   <HostId>FOO</HostId>
</Error>

I know there are workarounds without using presigned URL, but I'd like to keep the simplicity of the solution

CodePudding user response:

How are you generating the presigned URL? Have you configured the CLI/SDK to use the dual stack endpoints?

boto3 example:

import boto3
from botocore.config import Config
client = boto3.client("s3", config=Config(s3={'use_dualstack_endpoint': True}))
url = client.generate_presigned_url("get_object", Params={"Bucket": "sampleipv6bucket", "Key": "test.json"})

Result:

https://sampleipv6bucket.s3.dualstack.us-east-1.amazonaws.com/test.json?AWSAccessKeyId=ASIA.....
  • Related