
AWS SDK not including Access Key (AKID) in X-Amz-Credential when creating presigned post, but only on Heroku

I am doing a direct to S3 upload, and I have the presigned post declared like this:

@s3_direct_post = S3_BUCKET.presigned_post(key: "images/#{SecureRandom.uuid}/${filename}", success_action_status: '201', acl: 'public-read', allow_any: ['utf8', 'authenticity_token'])

When in the development environment, it builds everything correctly and I get something like this:

{"key"=>"images/1be59d13-9d65-4d70-b631-93834409f361/${filename}", "success_action_status"=>"201", "acl"=>"public-read", "policy"=>"<BASE_64_POLICY>", "x-amz-credential"=>"<MY_ACCESS_KEY>/20180505/us-east-1/s3/aws4_request", "x-amz-algorithm"=>"AWS4-HMAC-SHA256", "x-amz-date"=>"20180505T232823Z", "x-amz-signature"=>"<AMZ_SIGNATURE>"}

But after I push it to Heroku, I get something like this:

{"key"=>"images/1be59d13-9d65-4d70-b631-93834409f361/${filename}", "success_action_status"=>"201", "acl"=>"public-read", "policy"=>"<BASE_64_POLICY>", "x-amz-credential"=>"/20180505/us-east-1/s3/aws4_request", "x-amz-algorithm"=>"AWS4-HMAC-SHA256", "x-amz-date"=>"20180505T232823Z", "x-amz-signature"=>"<AMZ_SIGNATURE>"}

Now that my Access Key (AKID) is no longer there, I get this error:

<Error><Code>InvalidArgument</Code><Message>a non-empty Access Key (AKID) must be provided in the credential.</Message><ArgumentName>X-Amz-Credential</ArgumentName><ArgumentValue>/20180505/us-east-1/s3/aws4_request</ArgumentValue><RequestId>%REQUESTID%</RequestId><HostId>%HOSTID%</HostId></Error>

My AWS credentials are declared in initializers/aws.rb, so they are not dependent on the environment type. What could possibly be causing this?

Edit (showing how I declare S3_BUCKET, a constant I initialize in aws.rb):

Aws.config.update({ region: 'us-east-1', credentials: Aws::Credentials.new(ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']) })


Also, the difference between the two presigned-post objects:




  • You should not commit your credentials in your git repository so you should make sure in your initializer:

    in config/initializers/credentials.rb


    And use heroku-cli to configure your credentials on your app

    heroku config:set AWS_ACCESS_KEY_ID=someLongHashKey AWS_SECRET_ACCESS_KEY=anotherLongHashKey --app my_app_name
    # see heroku config --help

    But your error may have to do with AWS SDK Presigned Post Ruby

    and see

    If that doesn't help, post how you're defining

    Finally, double check to make sure you've set your environment variables correctly in heroku

    heroku config --app my_app_name #use your actual app name of course
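
A boot-time guard for the failure in the question, as an added example that is not part of the original post or of the AWS SDK: it reports which credential variables are blank and checks that the `x-amz-credential` field of a presigned post starts with a non-empty access key. All function names and the sample key are assumptions constructed for illustration; the code is plain Ruby and makes no aws-sdk calls.

```ruby
# Added example: fail fast when the credential that ends up in
# X-Amz-Credential would be empty. Helper names are hypothetical.

REQUIRED_AWS_VARS = %w[AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY].freeze

# Returns the names of required variables that are unset or blank in +env+.
def missing_aws_vars(env = ENV)
  REQUIRED_AWS_VARS.select { |name| env[name].to_s.strip.empty? }
end

# Raises at boot instead of letting a blank key reach the signer.
def require_aws_credentials!(env = ENV)
  missing = missing_aws_vars(env)
  return true if missing.empty?

  raise ArgumentError, "missing or blank: #{missing.join(', ')}"
end

# Splits "<AKID>/<yyyymmdd>/<region>/<service>/aws4_request" into its parts.
# A leading "/" yields an empty access_key_id, which is the Heroku symptom.
def parse_credential_scope(value)
  akid, date, region, service, terminator = value.to_s.split('/', 5)
  { access_key_id: akid, date: date, region: region,
    service: service, terminator: terminator }
end

# True when the presigned-post fields carry a usable credential scope.
def credential_scope_ok?(fields)
  scope = parse_credential_scope(fields['x-amz-credential'])
  !scope[:access_key_id].to_s.empty? &&
    scope[:date].to_s.match?(/\A\d{8}\z/) &&
    scope[:terminator] == 'aws4_request'
end

# Constructed sample fields shaped like the two hashes in the question;
# "AKIAEXAMPLEKEY" is a placeholder, not a real key.
DEV_FIELDS = { 'x-amz-credential' => 'AKIAEXAMPLEKEY/20180505/us-east-1/s3/aws4_request' }.freeze
HEROKU_FIELDS = { 'x-amz-credential' => '/20180505/us-east-1/s3/aws4_request' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts credential_scope_ok?(DEV_FIELDS)
  puts credential_scope_ok?(HEROKU_FIELDS)
  puts missing_aws_vars({ 'AWS_ACCESS_KEY_ID' => '' }).inspect
end
```

Calling `require_aws_credentials!` at the top of the initializer turns a silently blank key into a boot error that names the missing variable.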