x-amz-acl Headers not signed


I had an issue where all of my requests were coming back with this:

<Error>
  <Code>
    AccessDenied
  </Code>
  <Message>
    There were headers present in the request which were not signed
  </Message>
  <HeadersNotSigned>
    x-amz-acl
  </HeadersNotSigned>
  <RequestId>
    MyRequestId
  </RequestId>
  <HostId>
    BASE64EncodedHostId=
  </HostId>
</Error>

My presigner uses the official Ruby AWS SDK:

def presign_foo(name)
  signer = Aws::S3::Presigner.new
  signer.presigned_url(:put_object, bucket: Rails.application.config.s3_root, key: "something_private/#{name}", acl: 'public-read')
end

And it outputs this string: https://foo-dev.s3.amazonaws.com/something_private/my_filename?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=MyCredentials%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20170118T190154Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&x-amz-acl=public-read&X-Amz-Signature=MySignature

And here is my React component. getSignedPeopleTargeting calls a route that ends up returning the value from presign_foo.

<S3Uploader
    getSignedUrl={this.props.getSignedPeopleTargeting}
/>

Eventually I tracked this down to a line in the s3-uploader that adds the header: https://github.com/odysseyscience/react-s3-uploader/blob/7a26ebc3d0cbfbf3bfb9bec2d0cb28bf147e8b95/s3upload.js#L160

I believe that this header is not needed as I can control the acl in my presign function (tested by making it private). Because all the presigner examples set the acl, can this line be removed? Alternatively, can the if statement be changed to: typeof this.uploadRequestHeaders === 'undefined'?

Issue Analytics

  • State: open
  • Created 7 years ago
  • Comments: 7 (1 by maintainers)

Top GitHub Comments

44 reactions
tmorton commented, Mar 1, 2017

For fellow googlers, here’s a quick workaround. Pass the uploadRequestHeaders prop with {}, and you’ll get no headers attached to the request.

1 reaction
speedy250 commented, Apr 6, 2017

For Python devs using Boto3, there is a sample to generate presigned URLs in the documentation, but note that the ClientMethod correlates to methods in the S3.Client library. You’ll want to use the put_object string, and include the ACL parameter in the Params object. Hope that saves someone a bunch of time.
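
A pre-flight check for the failure reported in this issue, as an added example that is not part of the original thread or of react-s3-uploader: it compares the x-amz-* headers a client is about to send against the X-Amz-SignedHeaders list in the presigned URL. The function names and the sample request headers are assumptions made for illustration; the URL is the one posted in the issue, placeholders included.

```javascript
// Constructed inputs: the presigned URL as posted in the issue (placeholders kept),
// and the headers a browser uploader might attach (hypothetical values).
const PRESIGNED_URL =
  "https://foo-dev.s3.amazonaws.com/something_private/my_filename" +
  "?X-Amz-Algorithm=AWS4-HMAC-SHA256" +
  "&X-Amz-Credential=MyCredentials%2Fus-east-1%2Fs3%2Faws4_request" +
  "&X-Amz-Date=20170118T190154Z&X-Amz-Expires=900" +
  "&X-Amz-SignedHeaders=host&x-amz-acl=public-read" +
  "&X-Amz-Signature=MySignature";
const UPLOADER_HEADERS = { "Content-Type": "image/png", "x-amz-acl": "public-read" };

// Query parameters of the presigned URL, keyed by lower-cased name.
function queryParams(presignedUrl) {
  const params = new Map();
  for (const [k, v] of new URL(presignedUrl).searchParams) params.set(k.toLowerCase(), v);
  return params;
}

// Header names the signature covers (X-Amz-SignedHeaders is ';'-separated).
function signedHeaders(presignedUrl) {
  const raw = queryParams(presignedUrl).get("x-amz-signedheaders") || "";
  return new Set(raw.split(";").map((h) => h.trim().toLowerCase()).filter(Boolean));
}

// x-amz-* headers the client plans to send that the signature does not cover.
// This is the class of header S3 named in <HeadersNotSigned> in the issue.
function unsignedAmzHeaders(presignedUrl, requestHeaders) {
  const signed = signedHeaders(presignedUrl);
  return Object.keys(requestHeaders)
    .map((h) => h.toLowerCase())
    .filter((h) => h.startsWith("x-amz-") && !signed.has(h))
    .sort();
}

// Remove the uncovered headers and note which of them are already carried
// by a query parameter of the same name in the presigned URL.
function headersSafeToSend(presignedUrl, requestHeaders) {
  const dropped = unsignedAmzHeaders(presignedUrl, requestHeaders);
  const params = queryParams(presignedUrl);
  const headers = {};
  for (const [name, value] of Object.entries(requestHeaders)) {
    if (!dropped.includes(name.toLowerCase())) headers[name] = value;
  }
  const alreadyInQuery = dropped.filter((h) => params.has(h));
  return { headers, dropped, alreadyInQuery };
}

console.log(headersSafeToSend(PRESIGNED_URL, UPLOADER_HEADERS));
```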
