Signature mismatch exception when requesting pre-signed URLs #2478
Description
Describe the bug
We're using Amazon.S3.GetPreSignedUrl to produce a URL that we provide our client which then opens directly in order to retrieve an object.
It seems that the update for AWSSDK.Core from 3.7.13.1 to 3.7.100.7 has broken the pre-signed URLs. We get the following response in the browser:
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
...
</Error>
Reverting back to the previous version has resolved the issue for now. As noted below, this issue was raised 12 days ago which looks possibly related. It is said to have been addressed prior, so perhaps it's just a coincidence.
Expected Behavior
The request to the pre-signed URL would provide the S3 object.
Current Behavior
The browser received an erroneous response (reduced for readability):
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
<AWSAccessKeyId>-</AWSAccessKeyId>
<StringToSign>AWS4-HMAC-SHA256 20221108T220645Z 20221108/ap-southeast-2/s3/aws4_request 0a284d8c9d9390aaa05683609fd502a1679c329a2218def8349ca936f34754a7</StringToSign>
<SignatureProvided>...</SignatureProvided>
<StringToSignBytes>....</StringToSignBytes>
<CanonicalRequest>GET urlEncodedKey X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=...&X-Amz-Expires=86400&X-Amz-Security-Token=...&X-Amz-SignedHeaders=host host:ep-temp-20211124023924072700000001.s3.ap-southeast-2.amazonaws.com host UNSIGNED-PAYLOAD</CanonicalRequest>
<CanonicalRequestBytes>...</CanonicalRequestBytes>
<RequestId>...</RequestId>
<HostId>...</HostId>
</Error>
Reproduction Steps
The code below produces the bad request URL. If you change the key to remove the spaces, it seems to work.
AWSSDK.Core version: 3.7.100.7
AWSSDK.S3 version: 3.7.9.47
var bucket = "TheBucket";
var key = "The Object Name"
return _amazonS3.GetPreSignedURL(new GetPreSignedUrlRequest
{
BucketName = bucket,
Key = key
});
Possible Solution
Maybe the encoding has changed here as well.
Additional Information/Context
This issue was posted 12 days ago and looked as though it could be relevant, but it also looks like it were resolved in the previous patch version (3.7.100.6) according to a comment.
AWS .NET SDK and/or Package version used
AWSSDK.Core version: 3.7.100.7
AWSSDK.S3 version: 3.7.9.47
Targeted .NET Platform
.NET 6
Operating System and version
Windows 11