New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Regional variation in getSignedUrl behaviour #4369
Comments
A quick check suggests that boto3 is not affected in the same way:
However, there is still some slight regional variation here, as the structure of the error responses is different. Digging further, and reviewing the structure of the URLs: London:
Ireland:
So boto3 shows some regional variation in the implementation, but this appears not to impact behaviour. |
Think I have tracked this down to here: https://github.com/aws/aws-sdk-js/blob/master/lib/services/s3.js#L40-L46, so for regions that support older signing versions, they will be used for presigned URLs. This, plus the fact that different signer versions:
have differing opinions about what should be "baked in" to the signed URL. I think this is very surprising behaviour. It is sort of hinted at in the docs here https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#getSignedUrl-property. But eg https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingAWSSDK.html#specify-signature-version says
which appears to not be the case here. |
Hey @plumdog , Great work on investigating this and providing a detailed report. This will help when we are root causing this. From a quick look it seems like you are correct and that some regions are causing the presigner to default to a different signature version. I will investigate and let you know what we found! Thanks, |
Describe the bug
There seem to be two kinds of region, that return different styles of signed URLs that have different behaviour.
This difference is demonstrated by the structure of the URL returned by eg:
Some regions appear to be "strict" in some sense, and return URLs like (shown with newlines between params for clarity):
Some appear to be "permissive" and return URLs like:
In particular, the "strict" regions appear to allow a content type to be "baked in" to the signed URL, and throw an error if the upload doesn't set the same content type.
We found this change in behaviour because some application code that worked in a "permissive" region got deployed to a "strict" region and we started getting confusing signature errors.
My experimentation shows the two categories of region are:
Strict regions
Permissive regions
Expected Behavior
Same behaviour across regions. At least, that the default options in the SDK result in the same behaviour across regions.
Current Behavior
Differing behaviour across regions.
Reproduction Steps
(Newlines added to error XML for legibility, and anything secret removed.)
Possible Solution
Change the defaults, perhaps in https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#constructor-property, such that default behaviour is consistent across regions. Failing that, document this behaviour.
Additional Information/Context
I have not experimented with whether this is unique to the JS v2 SDK.
My next investigation, when I have time will be:
SDK version used
2.1333.0
Environment details (OS name and version, etc.)
n/a
The text was updated successfully, but these errors were encountered: