v2-alpha: support signature v4 regions #27

Closed
john-aws opened this issue Jun 26, 2018 · 9 comments

@john-aws
Contributor

john-aws commented Jun 26, 2018

The v2-alpha does not support signature v4-only regions, such as Mumbai (ap-south-1). Requests fail with InvalidRequest and "The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256."

@john-aws
Contributor Author

@Pongchaiwat Please tell me if this update works for you. It requires you to specify the region in which the S3 bucket resides, and it enables v4 signatures. If this does not work for you then please tell me which AWS region your S3 bucket is in.

@Pongchaiwat

I use us-east-2. It is not working for me.

@john-aws
Contributor Author

@Pongchaiwat This is working for me with private buckets in us-east-2 (and other regions).

Here is how I have this set up, assuming that the JS Explorer files are hosted in an S3 bucket named explorerbucket in us-east-1 (N. Virginia) and you wish to explore the contents of an S3 bucket named ohiobucket in us-east-2 (Ohio):

  • upload index.html, explorer.js, explorer.css to s3://explorerbucket
  • apply S3 bucket policy to explorerbucket allowing public read (add IP whitelisting if needed)
  • apply S3 bucket policy to ohiobucket per instructions
  • apply CORS configuration to ohiobucket per instructions
  • using web browser, visit https://s3.amazonaws.com/explorerbucket/index.html
  • select Ohio region, enter bucket name (ohiobucket), select Private Bucket, provide credentials

If you are unable to get this to work then please provide the following:

  • the URL of the web page where you are hosting S3 Explorer
  • the target S3 bucket's policy
  • the target S3 bucket's CORS configuration
  • are the Explorer files hosted in the same bucket that you are trying to explore?

If needed, please obfuscate your bucket name for privacy reasons.

@Pongchaiwat

Do you add "Principal": {
"AWS": "arn:aws:iam::xxxxxxxxxx:user/bucketname"
}

@john-aws
Contributor Author

john-aws commented Jun 28, 2018

@Pongchaiwat A bucket name cannot be a Principal. Principal refers to the entity (IAM user or AWS service) that is requesting access to the resource (the S3 bucket in this case); it does not refer to the resource itself.

The place that you need to specify Principal is in the S3 bucket policy of the bucket that hosts the index.html, explorer.css, and explorer.js files. You would configure "Principal": "*" (with actions s3:List* and s3:Get*) in order to let anyone read these files (and hence launch the S3 Explorer web page).

You don't need an S3 bucket policy on the target bucket because the web page user is supplying AWS credentials and those are sufficient, assuming you have configured the permissions correctly, to provide access to the bucket.

I will review the v2-alpha README shortly and try to make things clearer.

@Pongchaiwat

Pongchaiwat commented Jun 29, 2018

My bucket policy.

[Screenshot: screen shot 2018-06-29 at 3 05 12 pm]

When I go to the bucket and click some file:
[Screenshot: screen shot 2018-06-29 at 3 06 36 pm]

I need a private bucket.

@Pongchaiwat

Pongchaiwat commented Jun 29, 2018

I created an IAM user

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1530300536560",
            "Action": [
                "s3:GetObject",
                "s3:ListObject"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::test-company1",
                "arn:aws:s3:::test-company1/*"
            ]
        }
    ]
}

Is it correct?

@john-aws
Contributor Author

john-aws commented Jun 29, 2018

@Pongchaiwat I think you're saying the following:

  • you have an S3 bucket named test-company1 in US East 2 (Ohio) and this is where you are hosting the JS S3 Explorer files (index.html, explorer.js, and explorer.css)
  • you've configured an S3 bucket policy on that bucket to allow everyone to list, get, put, and delete
  • when you use the AWS S3 console and click on the link for one of the files in that bucket, you see the InvalidRequest error

Is that correct?

The first thing to note is that the bucket almost certainly should not allow everyone to put and delete, so you should probably remove those permissions. Allow list and get only.

The next thing is that you seem to be hitting the InvalidRequest error while using the regular AWS S3 Console to download a file from your bucket. Which file's S3 link are you clicking and what is the exact link that the browser is failing to open?
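
The advice in the comment above (on the bucket hosting the Explorer files, let everyone list and get but not put or delete) written as a check over a bucket policy document. This is an added example, not part of the original thread or the project's code; the function names, Sids and both sample policies are constructed for illustration.

```javascript
// Added example (not project code). Both policies are constructed samples
// for the hosting bucket "explorerbucket" named in the thread.
const toArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// True when the Principal matches anyone: "*" or {"AWS": "*"}.
function isPublicPrincipal(principal) {
  if (principal === '*') return true;
  return Boolean(principal) && typeof principal === 'object' &&
    toArray(principal.AWS).includes('*');
}

// Action prefixes the thread recommends for public access: list and get only.
const READ_ONLY = [/^s3:Get/i, /^s3:List/i];

// One finding per Allow statement that lets anyone do more than list/get.
function findPublicWrite(policy) {
  const findings = [];
  for (const stmt of toArray(policy.Statement)) {
    if (stmt.Effect !== 'Allow' || !isPublicPrincipal(stmt.Principal)) continue;
    const risky = toArray(stmt.Action)
      .filter((a) => !READ_ONLY.some((re) => re.test(a)));
    // NotAction allows everything except the listed actions, so treat it as risky.
    if (stmt.NotAction !== undefined) risky.push('NotAction');
    if (risky.length > 0) {
      findings.push({ sid: stmt.Sid || '(no Sid)', actions: risky,
        conditional: stmt.Condition !== undefined });
    }
  }
  return findings;
}

const RESOURCES = ['arn:aws:s3:::explorerbucket', 'arn:aws:s3:::explorerbucket/*'];
const weakPolicy = {
  Version: '2012-10-17',
  Statement: [{ Sid: 'PublicEverything', Effect: 'Allow', Principal: '*',
    Action: ['s3:ListBucket', 's3:GetObject', 's3:PutObject', 's3:DeleteObject'],
    Resource: RESOURCES }],
};
const readOnlyPolicy = {
  Version: '2012-10-17',
  Statement: [{ Sid: 'PublicRead', Effect: 'Allow', Principal: '*',
    Action: ['s3:List*', 's3:Get*'], Resource: RESOURCES }],
};

console.log(JSON.stringify(findPublicWrite(weakPolicy)));
console.log(JSON.stringify(findPublicWrite(readOnlyPolicy)));
```

The `conditional` flag in each finding marks statements that carry a `Condition` block (for example the IP restriction mentioned earlier in the thread), so a reviewer can tell an unconditional public grant from a restricted one.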

@john-aws
Contributor Author

@Pongchaiwat I've updated the README in 7a20e38 to try to clarify how the hosting bucket is configured vs. how the explored buckets are configured.
