In my React app, I'm making a GET REST web service call to an endpoint whose purpose is to generate a presigned AWS URL to a protected S3 asset. We pass an Authorization header and a token to the service.
This initial call works as expected and the service responds with a redirect (via a 307 response code) and includes the presigned URL in the response's Location header.
The issue I'm facing is that when the redirect is followed, Amazon rejects the call with a 400 response code and the following message.
Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified.
Is there a way to remove the Authorization header before the redirect is followed?
This seems like it should be a fairly common situation (when a React application requires access to a protected S3 asset) - is there a better way to handle this use case?
After several conversations with Amazon support, the way to achieve the above is to front S3 with a CloudFront distribution. CloudFront does not have the same restrictions as S3 with "Only one auth mechanism allowed".
Here's what I did:
The other thing you'll need is a CloudFront key pair as described here and then use that information when generating the presigned link.
MORE INFO
Amazon definitely makes this much more complicated than it needs to be (i.e. why is there the "Only one auth mechanism allowed" restriction on S3 at all?) but at least there's a workaround for those that need it.