-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
generate_presigned_url results in SignatureDoesNotMatch #2989
Comments
Hi @viktormill, thanks for reaching out. By default, the region is not included in the presigned URL as noted here: #1982 (comment). But some users have provided workarounds in that issue by setting In regard to the error your seeing, many people have suggested that setting the Config like this will solve the problem: Can you let us know if that worked? If you’re still seeing an issue, please send us the full debug logs (with sensitive information redacted) by adding |
@tim-finnigan I think this is a DNS bug on AWS on bucket creation,
Or
Though If I wait for a few hours up to one day, the above fixes aren't needed. I also read that aws are planning to deprecate s3 path based urls: https://aws.amazon.com/blogs/aws/amazon-s3-path-deprecation-plan-the-rest-of-the-story/ So I assume that virtual based would be recommended? |
Hi @viktormill, thanks for your response. I was able to reproduce the
Thanks again for raising visibility to this. I will discuss with the team and see if we can better document this scenario. Please let us know if you have any more questions or feedback. |
|
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. To workaround this, one can explicitly specify the bucket endpoint. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. To workaround this, one can explicitly specify the bucket endpoint. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can explicitly specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
…JQUAY-3082) (#1081) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
…JQUAY-3082) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address.
…JQUAY-3082) (#1096) Boto3 behaves unexpectedly when the resource client is not set to use the correct region. Boto3 can't seem to correctly set the X-Amz-Credential header when generating presigned urls if the region name is not explicitly set, and will always fall back to us-east-1. To reproduce this: - Create a bucket in a different region from us-east-1 (e.g eu-north-1) - Create a boto3 client/resource without specifying the region - Generate a presigned url This seems to be a DNS issue with AWS that only happens shortly after a bucket has been created, and resolves itself eventually. Ref: - boto/boto3#2989 - https://stackoverflow.com/questions/56517156/s3-presigned-url-works-90-minutes-after-bucket-creation To workaround this, one can specify the bucket endpoint, either explicitly via endpoint_url, or by setting s3_region, which will be used to generate the bucket's virtual address. Co-authored-by: Kenny Lee Sin Cheong <kenny.lee28@gmail.com>
Due to the boto3 issues (boto/boto3#2989) setting the X-Amz-Credential header, it is recommended to set either the `s3_region` or the `endpoint_url` when configuring an S3Storage provider. This commit adds a the `s3_region` field to all documented S3Storage examples.
Due to the boto3 issues (boto/boto3#2989) setting the X-Amz-Credential header, it is recommended to set either the `s3_region` or the `endpoint_url` when configuring an S3Storage provider. This commit adds the `s3_region` field to all documented S3Storage examples in the documentation.
Due to the boto3 issues (boto/boto3#2989) setting the X-Amz-Credential header, it is recommended to set either the `s3_region` or the `endpoint_url` field when configuring an S3Storage provider. This commit adds the `s3_region` field to all documented S3Storage examples in the documentation.
This is still happening in 2024. I have created this following script:
|
Describe the bug
Calling generate_presigned_url in AWS region 'eu-north-1' results in error 'SignatureDoesNotMatch. The request signature we calculated does not match the signature you provided. Check your key and signing method.'
If calling generate_presigned_url in AWS region 'eu-west-1' this works fine.
The presigned url looks like this
https://my-bucket.s3.amazonaws.com/test.txt?X-Amz-Algorithm...
Steps to reproduce
Using Boto3 version 1.17.78 and calling generate_presigned_url
Expected behavior
generate_presigned_url to include region in the presigned url e.g.
https://my-bucket.s3.eu-north-1.amazonaws.com/test.txt?X-Amz-Algorithm...
Debug logs
'SignatureDoesNotMatch. The request signature we calculated does not match the signature you provided. Check your key and signing method.'
The text was updated successfully, but these errors were encountered: