Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pre-signed S3 putObject URLs don't allow tags #4620

Closed
RingOfStorms opened this issue Nov 14, 2019 · 3 comments
Closed

pre-signed S3 putObject URLs don't allow tags #4620

RingOfStorms opened this issue Nov 14, 2019 · 3 comments
Assignees
@aBurmeseDev
Labels
bug This issue is a bug. closed-for-staleness p3 This is a minor priority issue response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. service-api This issue is due to a problem in a service API, not the SDK implementation.

Comments

@RingOfStorms
Copy link

Is your feature request related to a problem? Please describe.
Essentially reopening this issue because it is not solved: #1313

Summary:
It is impossible to enforce Tags and their value with just a signed url. The only thing that you can do is allow a client to provide headers. This is not usable when you do not have control over the client and still want tags to be set.

Describe the solution you'd like

I'd like the S3.getSignedUrl method to allow an additional param: TagSet which matches other TagSet params throughout the API. This would result in a signed url that can have data put to it and the resulting S3 object will have the tags defined in the getSignedUrl params.

s3.getSignedUrl('putObject', {
    Bucket: bucket,
    Key: key,
    Expires: 60, // seconds
    Metadata: {
      testMetaKey: 'test meta value'
    },
    TagSet: [
      { Key: 'testTagKey1', Value: 'test1' }
    ]
  });

// PUT into signed url

const { TagSet } = s3.getObjectTagging({ Key: key, Bucket: bucket });

assert(TagSet, [{ Key: 'testTagKey1', Value: 'test1' }]) // should be true
@ajredniwja ajredniwja transferred this issue from aws/aws-sdk-js Nov 6, 2020
@ajredniwja ajredniwja added feature-request A feature should be added or improved. service-api This issue is due to a problem in a service API, not the SDK implementation. labels Nov 7, 2020
@stobrien89 stobrien89 removed the service-api This issue is due to a problem in a service API, not the SDK implementation. label Jul 26, 2021
@tim-finnigan tim-finnigan added the service-api This issue is due to a problem in a service API, not the SDK implementation. label Jun 9, 2022
@RanVaknin RanVaknin assigned ashishdhingra and unassigned ajredniwja Mar 1, 2024
@ashishdhingra
Copy link

ashishdhingra commented Mar 27, 2024
edited

Unsure if the AWS JavaScript SDK v2 (version 2.1586.0) is producing the correct PreSigned Url when executing the below code:

const AWS = require("aws-sdk");

const region = "us-east-2";
const bucketName = "testbucket-temp";
const key = "testingJSSDK.txt";
const signedUrlExpireSeconds = 60 * 5;

AWS.config.update(region);

AWS.config.getCredentials(function (err) {
    if (err) console.log(err.stack);
    // credentials not loaded
    else {
        const s3 = new AWS.S3();
        const presignedUrl = s3.getSignedUrl("putObject", {
            Bucket: bucketName,
            Key: key,
            Expires: signedUrlExpireSeconds,
            Tagging: 'sem=somethingSemantic'
        });

        console.log("Presigned URL: " + presignedUrl);
    }
});

It generates presigned URL like below:

https://testbucket-issue1880.s3.amazonaws.com/testingJSSDK.txt?AWSAccessKeyId=ASIASA6NRDFT3VRPG6JS&Expires=1711562720&Signature=j11RZvXFXGjDyyy0Jd5rBZS%2BPTg%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEKr%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIE01KXmzRNlZs5TAAkh9ctqXvkMdwi1N8%2BQuUeu%2F3Se7AiBRur5%2BAj%2BUalX9PntnV%2Bv89W01hUamJXgn88x%2BzAhjBiqmAgjD%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAIaDDEzOTQ4MDYwMjk4MyIM6RChlrX1Pm3CD1O0KvoBK%2Fi4aTEMteujYE5XRKI2SnOx%2F6ZRN%2FIFgFcxNKEY5HnbRe%2BF1Z%2F9ht9rJfyL1AOr2NxVO9q70v2i0Z5K2eXkx499upSEQyfZ4ZSq50BH9lhzulSPNpEcAwazkZgMl4BOZMf3u0G%2BrKkZZoVjbWvJdkKcgmmQK87sihv1UPCs1JIQ1xF1XWllGbZXygNzG0%2FN83P9UbBoPeSAefos2tqwiEnoykMQ%2FImI%2B4fpSgPgXhb05%2F9a2RI7AOMCyUH3LOXFq2JX5dL2W2E0bTqfJVhkh7R14nDd4bvYJXH5BcMbXH1MRXPPaaK3efRUL2j6ac6npEpXck%2Fdxgd8VzCrvZGwBjqeASoJlBD7bwm%2FikDwEjRIIcqown5R48KuMKGxmF4cHMMkFU2VLlZaf4GRzN3F7h%2BLfYLtTBHDUrBkUzD16k0haDBFFmHItxhXzx2Qe753lUjloCnZF%2Fn3KcSDbnNDJIOEK8T8cOo51%2FtOqMQqqV7KM01ci91kc8tFWTnIMcr3AJZfHXOdD8JDT8LGUz2hipHFEQEc2nzFYVHbxeKoOZ60&x-amz-tagging=sem%3DsomethingSemantic

It is missing X-Amz-SignedHeaders query string parameter and instead includes x-amz-tagging query string parameter.

Using it to upload file is returning 400 Bad Request error.

Transferring it to aws\aws-sdk-js repo for review.

Also refer aws/aws-sdk-net#1696 (comment) for guidance provided for using tags with presigned URL.

@ashishdhingra ashishdhingra transferred this issue from aws/aws-sdk Mar 27, 2024
@ashishdhingra ashishdhingra added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. and removed feature-request A feature should be added or improved. service-api This issue is due to a problem in a service API, not the SDK implementation. labels Mar 27, 2024
@ashishdhingra ashishdhingra removed their assignment Mar 27, 2024
@aBurmeseDev aBurmeseDev self-assigned this Apr 23, 2024
@aBurmeseDev aBurmeseDev added investigating Issue has been looked at and needs deep dive work by OSDS. and removed needs-triage This issue or PR still needs to be triaged. labels Apr 23, 2024
@aBurmeseDev
Copy link
Member

Thanks for reaching out and sorry for the long wait.

During my investigation, I found out that there might be ongoing bug on service S3 side that affects across-SDKs but the expected behavior here is to include x-amz-tagging header when sending your request. It is also noted in the documentation as

.....Tagging must be provided as headers when sending a request. If you are using pre-signed URLs to upload from a browser and need to use these fields, see createPresignedPost().

Here are some resources that I found indicates the known issue on the service side:

Let us know if issue persists with x-amz-tagging as header.

@aBurmeseDev aBurmeseDev added service-api This issue is due to a problem in a service API, not the SDK implementation. response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. p3 This is a minor priority issue and removed investigating Issue has been looked at and needs deep dive work by OSDS. labels Apr 24, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented May 5, 2024

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels May 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aBurmeseDev aBurmeseDev

Labels
bug This issue is a bug. closed-for-staleness p3 This is a minor priority issue response-requested Waiting on additional info and feedback. Will move to \"closing-soon\" in 7 days. service-api This issue is due to a problem in a service API, not the SDK implementation.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@RingOfStorms @ajredniwja @aBurmeseDev @stobrien89 @ashishdhingra @tim-finnigan