s3.generate_url appends x-amz-security-token to query string even when query_auth=False #1477

Open
nakedible opened this issue May 5, 2013 · 8 comments

@nakedible

It seems s3.generate_url will produce a url with a query parameter x-amz-security-token if the current auth provider has a security token even when passing query_auth=False. This url is totally non-working as it has the x-amz-security-token parameter, but none of the other authentication parameters.

@teeberg

teeberg commented Mar 27, 2014

I've had the same issue with public static links, and helped myself by subclassing the S3BotoStorage like this:

import urllib
import urlparse

from storages.backends.s3boto import S3BotoStorage


class PublicS3BotoStorage(S3BotoStorage):
    def __init__(self, *a, **k):
        kwargs = dict(location='public', querystring_auth=False)
        # merge in any arguments that were passed
        kwargs.update(k)
        super(PublicS3BotoStorage, self).__init__(*a, **kwargs)

    def url(self, name):
        orig = super(PublicS3BotoStorage, self).url(name)
        scheme, netloc, path, params, query, fragment = urlparse.urlparse(orig)
        # keep the parsed query under its own name so the URL's `params` component is not overwritten
        query_params = urlparse.parse_qs(query)
        if 'x-amz-security-token' in query_params:
            del query_params['x-amz-security-token']
        # parse_qs returns lists of values, so doseq=True is needed to re-encode them
        query = urllib.urlencode(query_params, doseq=True)
        return urlparse.urlunparse((scheme, netloc, path, params, query, fragment))

I can't tell in which cases exactly the security token should be stripped, but this suited my needs. Adapt it to your use case.
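
Added example, not part of the comment above and not boto or django-storages code: a Python 3, standard-library version of the same workaround that removes `x-amz-security-token` only when the URL has no signature parameter, so signed URLs are left intact. The function names and sample URLs are constructed for illustration, and treating `Signature` / `X-Amz-Signature` as the marker of a signed URL is an assumption of this example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

TOKEN_PARAM = "x-amz-security-token"
# Assumption: a signed URL carries one of these (SigV2 / SigV4 query auth).
SIGNATURE_PARAMS = {"signature", "x-amz-signature"}


def strip_unsigned_token(url):
    """Return (url, removed); removed is True if a token was dropped.

    The token is dropped only when the URL has no signature parameter,
    which is the query_auth=False case reported in this issue. A signed
    URL is returned unchanged because the token is part of what was signed.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    names = {key.lower() for key, _ in pairs}
    if TOKEN_PARAM not in names or names & SIGNATURE_PARAMS:
        return url, False
    kept = [(k, v) for k, v in pairs if k.lower() != TOKEN_PARAM]
    return urlunsplit(parts._replace(query=urlencode(kept))), True


def find_token_only_urls(urls):
    """Return the URLs that carry a token but no signature."""
    return [u for u in urls if strip_unsigned_token(u)[1]]


# Constructed sample URLs; bucket, key id and token values are placeholders.
BASE = "https://example-bucket.s3.amazonaws.com/public/app.css"
SAMPLE_URLS = [
    BASE,
    BASE + "?x-amz-security-token=CONSTRUCTED%2FTOKEN%3D",
    BASE + "?v=2&x-amz-security-token=CONSTRUCTED%2FTOKEN%3D#top",
    BASE + "?Signature=c2ln&Expires=1400000000&AWSAccessKeyId=EXAMPLEKEYID"
           "&x-amz-security-token=CONSTRUCTED%2FTOKEN%3D",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(strip_unsigned_token(sample))
```

`find_token_only_urls` can be run over rendered static URLs in a test suite to catch the token reappearing after a dependency upgrade.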

@forbode

forbode commented May 13, 2014

This issue still exists. Oddly enough, the querystring_auth setting is respected locally, but when I deploy to Elastic Beanstalk it breaks. Other parameters seem to work (AWS_S3_URL_PROTOCOL, AWS_S3_CALLING_FORMAT). I will try teeberg's suggestion.

@forbode

forbode commented May 13, 2014

Teeberg's solution worked for me. It works both locally and on S3.

@adepue

adepue commented Jul 24, 2014

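I ran into this as well. Worked around it by doing:

from boto.s3.connection import S3Connection

conn = S3Connection()
# clear the session token on the provider so generate_url has nothing to append
conn.provider.security_token = ""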

codeinthehole added a commit to tangentlabs/tangent-django-boilerplate that referenced this issue Aug 27, 2014
It's a royal pain to get compressor working. A bug* in Boto means that
static URLs contain security tokens which mean the hash changes every
time - hence offline compression doesn't work.

We work around it by using {{ STATIC_URL }} instead of {% static %}

* boto/boto#1477
nigelzor referenced this issue in pulseenergy/mkwheelhouse Jul 7, 2015
1e0ng added a commit to 1e0ng/boto that referenced this issue Nov 24, 2015
jimabramson pushed a commit to openedx/credentials that referenced this issue Mar 1, 2016
zubair-arbi added a commit to openedx/credentials that referenced this issue Mar 4, 2016
This reverts commit b719f84.

Conflicts:
	requirements/base.txt
zubair-arbi added a commit to openedx/credentials that referenced this issue Mar 8, 2016
@LewisMcMahon

This is still an issue if you're using IAM roles

lmorchard added a commit to lmorchard/testpilot that referenced this issue May 16, 2016
… bug

New AWS_S3_CUSTOM_DOMAIN env var. When set, it skips using the boto URL
construction code, which erroneously adds a `x-amz-security-token`

See also:
* boto/boto#1477
* http://stackoverflow.com/a/28749849
@gholms
Contributor

gholms commented Jun 23, 2016

This should have been fixed in commit 43217f9, included in boto 2.40.0. Does it work for you now?

@joshma

joshma commented Jun 30, 2016

@gholms if query_auth=False, won't 43217f9 not affect this particular codepath? It looks like it's still hitting

extra_qp.append("%s=%s" % (k, urllib.parse.quote(v)))
- the headers are added to the query part still.

@kylegibson

Still an issue in boto 2.48.0
