S3 client is created with the wrong signature version #3067

Open
jg75 opened this issue Nov 17, 2023 · 1 comment
Labels
bug This issue is a confirmed bug. documentation This is a problem with documentation. p2 This is a standard priority issue s3

jg75 commented Nov 17, 2023

Describe the bug

S3 client is created with an old signature version that technically works but causes unexpected behavior in S3, particularly in the expiration.

Expected Behavior

S3 client should be created with the s3 signature version 4, s3v4

Current Behavior

S3 client is created with an old signature version that technically works but causes unexpected behavior in S3, particularly in the expiration.

Reproduction Steps

import boto3

client = boto3.client('s3')  # generate_presigned_url is a client method
params = {'Bucket': 'my-bucket', 'Key': 'my/key/prefix'}
url = client.generate_presigned_url('get_object', Params=params, ExpiresIn=604800)

The resulting URL will have an Expires parameter that has the appearance of correctness, but weird behavior happens in S3 and it has some really unexpected expiration behavior. Attempting to specify 7 days got me 6 or 7 hours.
Expires=1700824144 (looks like 7 days from now)

If you specify the signature_version s3v4, the URL is completely different and looks more appropriate.
X-Amz-Algorithm=AWS4-HMAC-SHA256
X-Amz-Expires=604800

Possible Solution

Create the client with the s3v4 signature version by default for later versions.

Additional Information/Context

No response

SDK version used

botocore==1.31.85

Environment details (OS name and version, etc.)

Mac OS 13.4.1

@jg75 jg75 added bug This issue is a confirmed bug. needs-triage This issue or PR still needs to be triaged. labels Nov 17, 2023
@tim-finnigan tim-finnigan self-assigned this Nov 28, 2023
@tim-finnigan
Contributor

Hi @jg75, thanks for reaching out. Signature version 2 is still the default for backwards compatibility unless the region explicitly doesn't support signature version 2. Per the IAM documentation:

At this time, AWS Regions created before January 30, 2014 will continue to support the previous protocol, Signature Version 2. Any new Regions after January 30, 2014 will support only Signature Version 4 and therefore all requests to those Regions must be made with Signature Version 4. For more information about AWS Signature Version 2, see Signing and Authenticating REST Requests in the Amazon Simple Storage Service User Guide.

I think the Boto3 documentation here for signature_version should clarify this behavior.

@tim-finnigan tim-finnigan removed their assignment Nov 28, 2023
@tim-finnigan tim-finnigan added documentation This is a problem with documentation. s3 p2 This is a standard priority issue and removed needs-triage This issue or PR still needs to be triaged. labels Nov 28, 2023
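
Added example, not part of the issue thread or of boto3/botocore: a standard-library check that tells the two URL shapes discussed above apart (absolute `Expires` versus `X-Amz-Date` plus `X-Amz-Expires`) and computes when the signature nominally expires. The helper name `inspect_presigned_url` is hypothetical, and the sample URLs, access key, token and signatures are constructed placeholders; the temporary-credentials warning reflects AWS's documented behaviour that a URL signed with session credentials stops working when those credentials expire.

```python
# Added example (not from the issue thread): classify a presigned S3 URL by
# signature version and compute when its signature nominally expires.
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

SIGV4_MAX_EXPIRES = 604800  # SigV4 presigned URLs are limited to 7 days


def inspect_presigned_url(url):
    """Return signature version, nominal expiry (UTC) and warnings for a URL."""
    # Query parameter names are compared case-insensitively.
    q = {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    warnings = []
    if "x-amz-algorithm" in q:
        # SigV4: X-Amz-Date is the signing time, X-Amz-Expires a lifetime in seconds.
        version = "s3v4"
        signed_at = datetime.strptime(q["x-amz-date"], "%Y%m%dT%H%M%SZ")
        signed_at = signed_at.replace(tzinfo=timezone.utc)
        lifetime = int(q["x-amz-expires"])
        if lifetime > SIGV4_MAX_EXPIRES:
            warnings.append("X-Amz-Expires exceeds the 7 day SigV4 limit")
        expires_at = signed_at + timedelta(seconds=lifetime)
    elif "signature" in q and "expires" in q:
        # SigV2: Expires is an absolute Unix timestamp, not a duration.
        version = "s3 (SigV2)"
        expires_at = datetime.fromtimestamp(int(q["expires"]), tz=timezone.utc)
    else:
        raise ValueError("no presigned-URL signature parameters found")
    if "x-amz-security-token" in q:
        # Signed with temporary credentials: the URL stops working when those
        # credentials expire, even if the signature's own expiry is later.
        warnings.append("temporary credentials: lifetime capped by session expiry")
    return {"version": version, "expires_at": expires_at, "warnings": warnings}


# Constructed sample URLs; bucket, key, credentials and signatures are placeholders.
SIGV2_URL = ("https://my-bucket.s3.amazonaws.com/my/key/prefix"
             "?AWSAccessKeyId=AKIDEXAMPLE&Signature=c2lnbmF0dXJl&Expires=1700824144")
SIGV4_URL = ("https://my-bucket.s3.amazonaws.com/my/key/prefix"
             "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
             "&X-Amz-Credential=AKIDEXAMPLE%2F20231117%2Fus-east-1%2Fs3%2Faws4_request"
             "&X-Amz-Date=20231117T110904Z&X-Amz-Expires=604800"
             "&X-Amz-SignedHeaders=host&X-Amz-Security-Token=EXAMPLETOKEN"
             "&X-Amz-Signature=0000")

if __name__ == "__main__":
    for u in (SIGV2_URL, SIGV4_URL):
        print(inspect_presigned_url(u))
```

To get the s3v4 form from boto3, pass `config=Config(signature_version='s3v4')` (with `Config` imported from `botocore.config`) when creating the client.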