-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
serve s3: Allow Presigned Requests for Serving S3 #7616
Comments
If you want to drop an email to sales@rclone.com we can discuss! Thank you. |
Is there any status here as to when/if this new requirement will be implemented? |
nothing. What I ended up doing is rolling my own storage API which verified created pre-signed keys using redis. Of course this is a ton of work, but ended up working better for me in the end. |
just got the error in another gofakes3 api. |
This could probably be implemented fairly simply in our gofakes3 fork if someone wants to have a go. |
not interested anymore, but using minio code would be simple, look at the links above if anyone wants to give it a shot. I'm rooting for you! |
alist-org/gofakes3@5799d51 You can refer to this commit in the fork I think, but I'm not going to give PR as I've already changed the link of the repo name in mine |
The associated forum post URL from
https://forum.rclone.org
https://forum.rclone.org/t/presigned-keys-in-rclone-serve-s3/44449
What is your current rclone version (output from
rclone version
)?What problem are you are trying to solve?
Allowing Presigned Keys to be used when serving S3. Using the S3 API you can generate a pre-signed URL just fine, but when it comes to actually using that pre-signed url, it fails with 403 Not Authorized Errors, disguised as a 400 Bad Request (Rclone logs it as 403, but responds with 400 on the url itself).
How do you think rclone should be changed to solve that?
Implementing authentication verification using the presigned URL. When a user goes to this type of link, it should check authentication from the AWSAcessKeyID and the Signature to see if it matches the Access Key and Secret Key (I don't know how it is calculated or verified, but I don't think S3 keeps track of it manually, I think it is some kind of hashing or something). I hope it isn't stored, as I have multiple S3 serves running to the same data located around the world for faster downloads, so it shouldn't just be stored on the server the presigned key request was sent to.
Link Example (not real)
https://storage.example.app/bucket/file.mkv?AWSAccessKeyId=vHNhZ9FZK124XXXXXXXXXXXXXwme0UDfSQAJdSDXXXXX0lduUqsh&Signature=Wb6YUQEMXXXXXXXXY8%3D&Expires=1707179008
Documentation about Presigned Keys
How to use GitHub
Bounty
I am also willing to put up a bounty to get this done as fast as possible as I use it for my business. Let me know how that process is done, or if it is even possible at all. Thanks!
The text was updated successfully, but these errors were encountered: