I have an s3 bucket that users can access with a presigned url.
Due to some changes some users who are trying to access particular images will not be able to as their presigned url is invalid. I would like to respond to those requests with a particular image, essentially letting them know to update their application. Is their anyway i can achieve this? I cannot update their client directly so i need the change to be on the s3 or perhaps use cloudfront or something.
No, this is not possible.
If the pre-signed URL is invalid, they will receive a standard Access Denied message.
Related
It may look a little strange that I want to upload file to S3 bucket through cloudfront, and access it with CloudFront.
And AWS declared that CloudFront support this putObject action according to
https://aws.amazon.com/blogs/aws/amazon-cloudfront-content-uploads-post-put-other-methods/
Now we have configured the CloudFront settings(Origin/Behavior) and S3 policy to complete this.
Only one block issue found that:
The uploaded file via CloudFront can't be accessed by any account or any roles. It's owner named "cf-host-credentials-global".
Just tried several ways to fix this issue, base on a quite simple solution:
CloudFront can access the S3 bucket(This s3 bucket is not public accesible.) with OAC which has putObject and getObject permission on it.
We can use a CloudFront URL mapping to S3 bucket origin for uploading a file.
Note: No signed CloudFront or signed S3 URL, but I also tested those cases actually.
We still always get such accessDenied issue, most of time it can be uploaded with the expected size and file name.
But it can't be downloaded or accesible.
I endeavor to fix this on this simple solution, but all of them are failed as below:
add x-amz-acl header, according to answer on stackoverflow
The file upload by CloudFront Origin Access Identity signed url can't be access by boto3 or IAM role?
I add the x-amz-acl header, but got this error with failed uploading:
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>AccessDenied</Code>
<Message>There were headers present in the request which were not signed</Message>
<HeadersNotSigned>x-amz-acl</HeadersNotSigned>
<RequestId>NDOLGKOGSF883</RequestId>
<HostId>CD9cDmGbSuk34Gy3mK2Znfdd9klmfew0s2dsflks3</HostId>
</Error>
Even use a pre-signed S3 url(put the x-amz-acl header in boto3 generate_presigned_url), it still the same error.
seems someone said x-amz-acl can be put into query parameter, then I have tried it in the URL(with signed URL and unsigned URL), it doesn't work anyway.
Pre-signed URLs and x-amz-acl
someone said we need to add x-amz-content-sha256 header in the client request, according to
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-origin-access-identity-signature-version-4
add x-amz-content-sha256 header, it can be uploaded successfully, but still failed with AccessDenied on that S3 Object uploaded.
add Content-MD5 header, it got the issue that header is not signed as above, and uploading failed.
Anyone has an idea about this? How to fix this AccessDenied issue?
Thanks in advance.
It looks like x-amz-acl header via OAC is not getting signed when the request is being sent from CloudFront to S3 bucket.
So if you insist on using OAC, there's only one way: change the "Object Ownership" to ACLs disabled in S3 bucket permissions.
And that works for me.
Using the cloudfront to read and write in the same S3 bucket, how can I prohibit a user from using a read-presigned url to make an injection (upluad)?
Thanks.
Deny access to PUT for cloudfront and it won't be able to put data into s3. In s3 permissions you can allow read only calls from cloudfront only. Turn off public access on s3, to make sure it will allow gets only from cloudfront. On CloudFront use this to update s3 bucket access, before this disable any public access on s3. CF will update S3's policy & create CF origin access identity:
To put data into S3, use presigned URL and it all goes down to the place where you create the presigned URL for upload. You may have api gateway RESTfull tiny api which would authenticate user to get the upload url and would return the upload url, which would be used by user to upload data to S3.
It seems unclear form the docs, but here is my goal:
Create a presigned url to upload a file to s3
Pass that url to the browser
The browser uploads a file selected by the user to s3 using the pre-signed url
When the object on s3 is requested, the "Cache-Control: max-age=604800" header is on the response.
I would LIKE to not have to rely on the client to do anything special to make this happen. Meaning, some signal to S3 that it should set the cache control header to that value would have to be present in the pre-signed url, but I can't tell from the docs or 50 google searches how that is accomplished.
Any illumination into how this can be accomplished would be great!
I'm having a trouble with Amazon S3 presigned URL. In my configuration of bucket policy I give access only to an specific IAM User, I mean, is not public. So, If I navigate in the browser to a file url of my S3 bucket, I receive an access denied message.
So, I use the aws-cli tool to generate a presigned url of that file. With that URL I'm able to get the file correctly, but the issue is when I try to put a file to the bucket. Using that url I cannot put a file beacuse I'm getting this message error:
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
What I'm missing?
You'll need a different presigned URL for PUT methods and GET methods. This is because the HTTP verb (PUT, GET, etc.) is part of the "CanonicalResource" used to construct the signature. See "Authenticating Requests" in the Amazon S3 reference docs for details.
I am trying to upload a file to S3 bucket directly from browser. Actually it works the only thing is bothering me that it needs a redirect after uploading. I removed redirect option from policy and form. It works but it returns 204 HTTP status, so I don't get response from the server and can't react. Have I other way to get response without redirect?
Refer to the documentation http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOST.html
success_action_redirect, redirect is an optional param and if success_action_redirect is not specified, Amazon S3 returns the empty document type specified in the success_action_status field