S3 requests is not correctly signed #238
Comments
@littlekid440 what package and method were you using?
@isoos this is for aws_s3_api. I have tried a few methods and I'm facing the same issue with all of them. eg.
I wonder if this is a consequence of this commit.
I've dug further into this, and I found when looking at the signing documentation
Somewhere in the specs there should be an indication whether the header should be signed or not. I haven't found it yet though.
Yeah, it seems to be non-documented/implicit knowledge. https://github.com/aws/aws-sdk-js seems to use the presence of
Just checked S3 spec:

```json
"metadata": {
  "signatureVersion": "s3"
}
```

In the docs, most things go into query params: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
Hi @Schwusch, I'm also having the same issue as @littlekid440. When signing S3's PutObject operation via aws_s3_api, I'm getting:
It seems that S3 expects 'X-Amz-Security-Token' header to be signed in and here you are not signing it. Do you have any ETA on when this will be addressed? As a workaround, I'm doing the following and it is working fine:

```dart
final _s.RestXmlProtocol protocol = _s.RestXmlProtocol(
  client: _client,
  service: 's3',
  region: _region,
  credentials: AwsClientCredentials(
      accessKey: credentials.accessKey,
      secretKey: credentials.secretKey,
      sessionToken: credentials.sessionToken),
  endpointUrl: _domain,
);
final $result = await protocol.send(
  method: 'PUT',
  requestUri: '/${Uri.encodeComponent(_bucketName)}/${Uri.encodeComponent(fileName)}',
  headers: {'x-amz-security-token': credentials.sessionToken},
  payload: body,
  exceptionFnMap: _exceptionFns,
);
PutObjectOutput output = PutObjectOutput.fromXml($result.body, headers: $result.headers);
```

Thanks.
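Added example, not code from aws_client or from any commenter: S3's SigV4 rules require every `x-amz-*` header sent with a request to appear in `SignedHeaders`, which is why a session token attached after signing is rejected. The Python sketch below signs a PutObject-style request both ways and reports headers that are on the wire but not covered by the signature. The function names, host, credentials and token are constructed for illustration.

```python
import hashlib
import hmac

def sigv4_authorization(method, path, headers, payload, access_key, secret_key,
                        region, service="s3"):
    """SigV4 Authorization value; every header in `headers` is signed.
    `path` must already be URI-encoded; no query string is handled."""
    canon = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    amz_date = dict(canon)["x-amz-date"]
    date = amz_date[:8]
    signed_headers = ";".join(k for k, _ in canon)
    canonical_request = "\n".join([
        method, path, "",  # empty canonical query string
        "".join(f"{k}:{v}\n" for k, v in canon),
        signed_headers,
        hashlib.sha256(payload).hexdigest(),
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = ("AWS4" + secret_key).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")

def unsigned_amz_headers(sent_headers, authorization):
    """x-amz-* headers present on the request but absent from SignedHeaders."""
    signed = authorization.split("SignedHeaders=")[1].split(",")[0].split(";")
    return sorted(k.lower() for k in sent_headers
                  if k.lower().startswith("x-amz-") and k.lower() not in signed)

# Constructed sample request and credentials (not real values).
BODY = b"hello"
BASE = {"Host": "examplebucket.s3.amazonaws.com",
        "X-Amz-Date": "20240101T000000Z",
        "X-Amz-Content-Sha256": hashlib.sha256(BODY).hexdigest()}
WITH_TOKEN = {**BASE, "X-Amz-Security-Token": "CONSTRUCTED-SESSION-TOKEN"}

def sign_put(headers):
    return sigv4_authorization("PUT", "/file.txt", headers, BODY,
                               "AKIDEXAMPLE", "constructed-secret", "us-east-1")

def token_added_after_signing():  # token sent, but signature computed without it
    return unsigned_amz_headers(WITH_TOKEN, sign_put(BASE))

def token_signed():               # token part of the canonical headers
    return unsigned_amz_headers(WITH_TOKEN, sign_put(WITH_TOKEN))
```

Running `unsigned_amz_headers` over the headers and `Authorization` value of a failing request is a quick way to confirm whether a signature error comes from this gap.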
Hi @jcblancomartinez, I am not sure how to approach this problem, S3 seems to be a different beast with features e.g. presigned urls. @xvrh Do you have any thoughts on how to approach a problem like this?
I think I have a way forward with this.

```dart
typedef RequestSigner = void Function({
  required Request rq,
  required ServiceMetadata service,
  required String region,
  required AwsClientCredentials credentials,
});
```

E.g.

```dart
Future<RestXmlResponse> send({
  required String method,
  required String requestUri,
  required Map<String, AwsExceptionFn> exceptionFnMap,
  bool signed = true,
  Map<String, List<String>>? queryParams,
  Map<String, String>? headers,
  dynamic payload,
  String? resultWrapper,
  RequestSigner? requestSigner, // take signer as an argument
}) async {}
```

Later, the signing could simply be:

```dart
if (requestSigner != null) {
  requestSigner(
    rq: rq,
    service: _endpoint.service,
    region: _endpoint.signingRegion,
    credentials: credentials,
  );
} else {
  signAws4HmacSha256(
    rq: rq,
    service: _endpoint.service,
    region: _endpoint.signingRegion,
    credentials: credentials,
  );
}
```

That way we only have to supply the
Now when #334 is merged it is possible to pass a
Hm.. Looking at the code, it seems that I've forgotten much more about this than I first thought... Do you know any library in other language that implements it and we could use as reference?
I'm shopping around for implementations that are tested and correct, but they seem scarce. I found a JS implementation, although it has some problems as well.
@Schwusch Is this of any use? https://github.com/xtyxtyx/minio-dart/blob/master/lib/src/minio_sign.dart I've used that library with s3 successfully before
I found this as well
@Schwusch @isoos ...

```yaml
dependency_overrides:
  # Needed to fix AWS S3 request signing because aws_s3_api is broken.
  # See: https://github.com/agilord/aws_client/issues/238
  # and https://github.com/intaekim-gea/aws_client/pull/1/files
  shared_aws_api:
    git:
      url: https://github.com/intaekim-gea/aws_client.git
      path: shared_aws_api
```

FWIW, I use both SSM and S3 on my service. SSM worked with
@Schwusch Thanks for releasing this patch! I've tested it with S3 and SSM on EC2 and can verify that it works. However, I'm currently having to use a dependency override to get 2.0.1 because aws_s3_api and aws_ssm_api are on 2.0.0 and still reference aws_shared_api 2.0.0:

```yaml
dependency_overrides:
  # Needed to fix AWS S3 request signing because aws_s3_api 2.0.0 is broken.
  # See: https://github.com/agilord/aws_client/issues/238
  shared_aws_api: ^2.0.1
```

So it would be nice if the generated apis were updated when shared_aws_api is updated. Also, I contributed the IMDS provider for aws_credential_providers (#351) about a year ago, but I still have to use my own version because it relies on shared_aws_api 1.2.0. It would also be nice if this was upgraded to shared_aws_api 2.0.1, and kept in sync.
I think a regular We can bump the dependencies in
@Schwusch Good catch - I missed that. My
My requests are failing with the following