I am using NodeJs to upload files to AWS S3. I want the client to be able to download the files securely. So I am trying to generate signed URLs, that expire after one usage. My code looks like this: Uploading <pre class="prettyprint"><code>const s3bucket = new AWS.S3({ accessKeyId: 'my-access-key-id', secretAccessKey: 'my-secret-access-key', Bucket: 'my-bucket-name', }) const uploadParams = { Body: file.data, Bucket: 'my-bucket-name', ContentType: file.mimetype, Key: `files/${file.name}`, } s3bucket.upload(uploadParams, function (err, data) { // ... }) </code></pre> Downloading <pre class="prettyprint"><code>const url = s3bucket.getSignedUrl('getObject', { Bucket: 'my-bucket-name', Key: 'file-key', Expires: 300, }) </code></pre> Issue When opening the URL I get the following: <pre class="prettyprint"><code>This XML file does not appear to have any style information associated with it. The document tree is shown below. <Error> <Code>AccessDenied</Code> <Message> There were headers present in the request which were not signed </Message> <HeadersNotSigned>host</HeadersNotSigned> <RequestId>D63C8ED4CD8F4E5F</RequestId> <HostId> 9M0r2M3XkRU0JLn7cv5QN3S34G8mYZEy/v16c6JFRZSzDBa2UXaMLkHoyuN7YIt/LCPNnpQLmF4= </HostId> </Error> </code></pre> I coultn't manage to find the mistake. I would really appreciate any help :)

Your code is correct, double check the following things: <ol> <li>Your bucket access policy.</li> <li>Your bucket permission via your API key.</li> <li>Your API key and secret.</li> <li>Your bucket name and key.</li> </ol> For bucket policy you can use the following: <pre class="prettyprint"><code>{ "Version": "2012-10-17", "Statement": [ { "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*" } ] } </code></pre> Change bucket with your bucket name. For users and access key permission (#2), you should follow these steps: 1-Goto AWS Identity and Access Management (IAM) and click on Policies link and click on "Create policy" button. <img src="https://i.stack.imgur.com/J1i4z.png" alt="enter image description here"> 2-Select the JSON tab. <img src="https://i.stack.imgur.com/SA3S4.png" alt="enter image description here"> 3-Enter the following statement, make sure change the bucket name and click on "review policy" button. <pre class="prettyprint"><code>{ "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::YOURBUCKETNAME" } ] } </code></pre> <img src="https://i.stack.imgur.com/oVldb.png" alt="enter image description here"> 4-Enter a name for your policy and click on "Create policy" button. <img src="https://i.stack.imgur.com/jIWH3.png" alt="enter image description here"> 5-Click on Users link, and find your current username (You already have the access key and secret for that) <img src="https://i.stack.imgur.com/ann29.png" alt="enter image description here"> 6-Click on "add permission" button. <img src="https://i.stack.imgur.com/vC7Eg.png" alt="enter image description here"> 7-Add the policy we created in the previous step and save. <img src="https://i.stack.imgur.com/30E2E.png" alt="enter image description here"> Finally, make sure your bucket not accessible from Public, add the correct content type to your file and set <code>signatureVersion: 'v4'</code> The final code should be like this, thanks @Vaisakh PS: <pre class="prettyprint"><code>const s3bucket = new AWS.S3({ signatureVersion: 'v4', accessKeyId: 'my-access-key-id', secretAccessKey: 'my-secret-access-key', Bucket: 'my-bucket-name', }) const uploadParams = { Body: file.data, Bucket: 'my-bucket-name', ContentType: file.mimetype, Key: `files/${file.name}`, } s3bucket.upload(uploadParams, function (err, data) { // ... }) const url = s3bucket.getSignedUrl('getObject', { Bucket: 'my-bucket-name', Key: 'file-key', Expires: 300, }) </code></pre>

AWS S3 Generating Signed Urls ''AccessDenied''

I am using NodeJs to upload files to AWS S3. I want the client to be able to download the files securely. So I am trying to generate signed URLs, that expire after one usage. My code looks like this:

Uploading

const s3bucket = new AWS.S3({
    accessKeyId: 'my-access-key-id',
    secretAccessKey: 'my-secret-access-key',
    Bucket: 'my-bucket-name',
})
const uploadParams = {
    Body: file.data,
    Bucket: 'my-bucket-name',
    ContentType: file.mimetype,
    Key: `files/${file.name}`,
}
s3bucket.upload(uploadParams, function (err, data) {
    // ...
})

Downloading

const url = s3bucket.getSignedUrl('getObject', {
    Bucket: 'my-bucket-name',
    Key: 'file-key',
    Expires: 300,
})

Issue

When opening the URL I get the following:

This XML file does not appear to have any style information associated with it. The document tree is shown below.
<Error>
    <Code>AccessDenied</Code>
    <Message>
        There were headers present in the request which were not signed
    </Message>
    <HeadersNotSigned>host</HeadersNotSigned>
    <RequestId>D63C8ED4CD8F4E5F</RequestId>
    <HostId>
        9M0r2M3XkRU0JLn7cv5QN3S34G8mYZEy/v16c6JFRZSzDBa2UXaMLkHoyuN7YIt/LCPNnpQLmF4=
    </HostId>
</Error>

I coultn't manage to find the mistake. I would really appreciate any help :)

How do S3 signed URLs work?

S3 pre-signed URLs are a form of an S3 URL that temporarily grants restricted access to a single S3 object to perform a single operation — either PUT or GET — for a predefined time limit. To break it down: It is secure — the URL is signed using an AWS access key.

Are S3 pre-signed URLs secure?

There is an access check on the S3 side but that only checks whether the signer entity is allowed to get the file. You can remove that permission but that invalidates all signed URLs. Signed URLs provide secure a way to distribute private content without streaming them through the backend.

What is difference between Presigned and signed URL?

Pre-signed Url used for creator, mean to upload new objects. Signed Url all about accessing existing objects. Save this answer.

Your code is correct, double check the following things:

Your bucket access policy.
Your bucket permission via your API key.
Your API key and secret.
Your bucket name and key.

For bucket policy you can use the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket/*"
        }
    ]
}

Change bucket with your bucket name.

For users and access key permission (#2), you should follow these steps:

1-Goto AWS Identity and Access Management (IAM) and click on Policies link and click on "Create policy" button.

enter image description here

2-Select the JSON tab.

enter image description here

3-Enter the following statement, make sure change the bucket name and click on "review policy" button.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::YOURBUCKETNAME"
        }
    ]
}

enter image description here

4-Enter a name for your policy and click on "Create policy" button.

enter image description here

5-Click on Users link, and find your current username (You already have the access key and secret for that)

enter image description here

6-Click on "add permission" button.

enter image description here

7-Add the policy we created in the previous step and save.

enter image description here

Finally, make sure your bucket not accessible from Public, add the correct content type to your file and set signatureVersion: 'v4'

The final code should be like this, thanks @Vaisakh PS:

const s3bucket = new AWS.S3({
    signatureVersion: 'v4',
    accessKeyId: 'my-access-key-id',
    secretAccessKey: 'my-secret-access-key',
    Bucket: 'my-bucket-name',
})
const uploadParams = {
    Body: file.data,
    Bucket: 'my-bucket-name',
    ContentType: file.mimetype,
    Key: `files/${file.name}`,
}
s3bucket.upload(uploadParams, function (err, data) {
    // ...
})
const url = s3bucket.getSignedUrl('getObject', {
    Bucket: 'my-bucket-name',
    Key: 'file-key',
    Expires: 300,
})

Your code looks good but I think you are missing the signatureVersion: 'v4' parameter while creating the s3bucket object. Please try the below updated code.

const s3bucket = new AWS.S3({
    signatureVersion: 'v4',
    accessKeyId: 'my-access-key-id',
    secretAccessKey: 'my-secret-access-key',
    Bucket: 'my-bucket-name',
})
const uploadParams = {
    Body: file.data,
    Bucket: 'my-bucket-name',
    ContentType: file.mimetype,
    Key: `files/${file.name}`,
}
s3bucket.upload(uploadParams, function (err, data) {
    // ...
})
const url = s3bucket.getSignedUrl('getObject', {
    Bucket: 'my-bucket-name',
    Key: 'file-key',
    Expires: 300,
})

For more about signatureVersion: 'v4' see the below links

https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html

https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html

You can also try out the below nodejs library that create presigned url

https://www.npmjs.com/package/aws-signature-v4

AWS S3 Generating Signed Urls ''AccessDenied''

Tags:

node.js

amazon-web-services

amazon-s3

aws-sdk

acl

Flo

People also ask

2 Answers

Reza Mousavi

Vaisakh PS

Recent Activity

Donate For Us

AWS S3 Generating Signed Urls ''AccessDenied''

Tags:

node.js

amazon-web-services

amazon-s3

aws-sdk

acl

Flo

People also ask

2 Answers

Reza Mousavi

Vaisakh PS

Related questions

Recent Activity

Donate For Us