Invalid Security Token when using Access/Secret key from environment

[mattzuba]

PR #1093 added a check for a null security token value before adding it to the options, but in the env function of the CredentialProvider, getenv(self::ENV_SESSION) is used for a session token, which returns false if it doesn't exist in the environment. This causes a false value for the security token to be added to the policy generated for S3 uploads which is not a valid value.

[imshashank]

@mattzuba Thanks for reporting this.
Can u please help us repro the error. Are you using temporary credentials, also what is the error that you see? It would be really helpful if you can share the code or the stacktrace of the error.

[mattzuba]

I have the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY set in my environment so that the SDK will pick those up and use them.

My code to generate the form fields is as follows:

$s3Client = new \Aws\S3\S3Client([
    'version' => 'latest',
    'region' => 'us-west-2',
]);

$formInputs = [
    'key' => 'uploads/${filename}',
    'success_action_status' => 201,
];

// Extra policy for this action
$extraPolicy = [
    ['bucket' => 'mybucket'],
    ['starts-with', '$key', 'uploads'],
    ['success_action_status' => '201'],
];

$postObject = new Aws\S3\PostObjectV4($s3Client, 'mybucket', $formInputs, $extraPolicy);

$formInputs = $postObject->getFormInputs();

header('Content-Type: application/json');
echo json_encode($formInputs);

This produces:

{
"key": "uploads/${filename}",
"success_action_status": 201,
"X-Amz-Security-Token": false,
"X-Amz-Credential": "AKIAJPPEHZKMTDMQW5TQ/20170308/us-west-2/s3/aws4_request",
"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
"X-Amz-Date": "20170308T205114Z",
"Policy": "eyJleHBpcmF0aW9uIjoiMjAxNy0wMy0wOFQyMTo1MToxNFoiLCJjb25kaXRpb25zIjpbeyJidWNrZXQiOiJteWJ1Y2tldCJ9LFsic3RhcnRzLXdpdGgiLCIka2V5IiwidXBsb2FkcyJdLHsic3VjY2Vzc19hY3Rpb25fc3RhdHVzIjoiMjAxIn0seyJ4LWFtei1zZWN1cml0eS10b2tlbiI6ZmFsc2V9LHsiWC1BbXotRGF0ZSI6IjIwMTcwMzA4VDIwNTExNFoifSx7IlgtQW16LUNyZWRlbnRpYWwiOiJBS0lBSlBQRUhaS01URE1RVzVUUVwvMjAxNzAzMDhcL3VzLXdlc3QtMlwvczNcL2F3czRfcmVxdWVzdCJ9LHsiWC1BbXotQWxnb3JpdGhtIjoiQVdTNC1ITUFDLVNIQTI1NiJ9XX0=",
"X-Amz-Signature": "cd870f0ce18db47b882ae1695b0ac9052bd001d87002abaa0bb70b074988864d"
}

Base64 Decoding the Policy above yields:

{
  "expiration": "2017-03-08T21:51:14Z",
  "conditions": [
    {
      "bucket": "mybucket"
    },
    [
      "starts-with",
      "$key",
      "uploads"
    ],
    {
      "success_action_status": "201"
    },
    {
      "x-amz-security-token": false
    },
    {
      "X-Amz-Date": "20170308T205114Z"
    },
    {
      "X-Amz-Credential": "AKIAJPPEHZKMTDMQW5TQ/20170308/us-west-2/s3/aws4_request"
    },
    {
      "X-Amz-Algorithm": "AWS4-HMAC-SHA256"
    }
  ]
}

(Note the x-amz-security-token = false, above)

When sending a post with these fields and my file over to AWS S3, this is the XML error returned:

<?xml version="1.0" encoding="UTF-8"?>
<Error>
   <Code>InvalidToken</Code>
   <Message>The provided token is malformed or otherwise invalid.</Message>
   <Token-0>false</Token-0>
   <RequestId>AABD1381EFED69CE</RequestId>
   <HostId>pVJxZVIFPvOdVW8hvVxJK14J6YLDCPcopyu7PZIQWTdO/WHjfGvYXoJlrDsNrTY0f+8RHGP52FQ=</HostId>
</Error>

The offending code is either https://github.com/aws/aws-sdk-php/blob/master/src/S3/PostObjectV4.php#L59 (the null check should be converted to a !empty() check), or https://github.com/aws/aws-sdk-php/blob/master/src/Credentials/CredentialProvider.php#L222 (getenv(self::ENV_SESSION) should be changed to getenv(self::ENV_SESSION) ?: null)

[mattzuba]

@imshashank - can you help explain the usage-question tag? I just glanced over the docs again and unless I'm misunderstanding, a token is only required when using temporary credentials, which I'm not using. I'm using a permanent access/secret key. Fixing either or both items that I mentioned at the bottom of my last post correct the issue for me.

[jeskew]

You're correct, @mattzuba; I'll update the tag.

[imshashank]

@mattzuba Sorry for the delayed response, I will add a PR to fix the bug soon.

[imshashank]

@mattzuba Sorry for the delay. We have merged a fix for the bug. Thanks a lot for helping us figure out the bug and suggesting a fix.