
AWS4 - FineUploader S3 uploading simple file - Request signature not matching error - guidance


I'm using fineUploader 5.16.2 and attempting to just do a simple upload of a file to S3 from the browser, that is being signed on the server.

I'm getting the 'The request signature we calculated does not match the signature you provided.' error on upload.

I've run through the server policy signing code and tested it against expected values from here: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-post-example.html and it produces the correct results, so I think the signature itself is ok.

Also I have gone over the IAM policy / bucket policies and made them very unrestrictive for testing, so I don't think it's that. I've created new keys / users.

I'm not sure what my next steps are for determining what the issue is - any insight from someone who has been through this before would be great, I've hit a dead-end and not sure how to proceed to work out the issue.

Here are the requests:

Upload request:

Request URL: https://s3.amazonaws.com/bucket_xyz
Request Method: POST
Status Code: 403 Forbidden
Remote Address: 52.216.165.93:443
Referrer Policy: no-referrer-when-downgrade

--------------------
Request 
------------------
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0GCEvRBzhQOryykT
Origin: http://localhost:49797
Referer: http://localhost:49797/?section=3
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

FormData:

key: 87d384ae-9038-4e26-aff4-70846b1decb9.jpg
Content-Type: image/jpeg
success_action_status: 200
acl: private
x-amz-meta-qqfilename: mel5.jpg
x-amz-algorithm: AWS4-HMAC-SHA256
x-amz-credential: ACCESSKEY/20181003/us-east-1/s3/aws4_request
x-amz-date: 20181003T163015Z

policy: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

x-amz-signature: AA16D553ADD17986087A7418525BC4985F05E4BFD392DA30D0B39F1C933C2041

file: (binary)

Response:

Access-Control-Allow-Methods: POST, PUT, DELETE
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: ETag
Access-Control-Max-Age: 3000
Connection: close
Content-Type: application/xml
Date: Wed, 03 Oct 2018 16:30:15 GMT
Server: AmazonS3
Transfer-Encoding: chunked
Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method
x-amz-id-2:jws69+sNEZTky7EsMEpUHCdp62x1HurB2schStsp+inwMoBBxL7OPImi2xUmMiZLj2g+FsbAiiE=
x-amz-request-id: 3B58255BDCCA8F5F

Error Body

<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
<AWSAccessKeyId>AKIAIMPZV2KHIJ33BERA</AWSAccessKeyId>
<StringToSign>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</StringToSign> <SignatureProvided>AA16D553ADD17986087A7418525BC4985F05E4BFD392DA30D0B39F1C933C2041</SignatureProvided> <StringToSignBytes>65 79 4a 6c 65 48 42 70 63 6d 46 30 61 57 39 75 49 6a 6f 69 4d 6a 41 78 4f 43 30 78 4d 43 30 77 4d 31 51 78 4e 6a 6f 7a 4e 54 6f 78 4e 53 34 79 4d 7a 56 61 49 69 77 69 59 32 39 75 5a 47 6c 30 61 57 39 75 63 79 49 36 57 33 73 69 59 57 4e 73 49 6a 6f 69 63 48 4a 70 64 6d 46 30 5a 53 4a 39 4c 48 73 69 59 6e 56 6a 61 32 56 30 49 6a 6f 69 63 32 52 32 59 58 56 73 64 48 4d 74 64 47 56 7a 64 43 4a 39 4c 48 73 69 51 32 39 75 64 47 56 75 64 43 31 55 65 58 42 6c 49 6a 6f 69 61 57 31 68 5a 32 55 76 61 6e 42 6c 5a 79 4a 39 4c 48 73 69 63 33 56 6a 59 32 56 7a 63 31 39 68 59 33 52 70 62 32 35 66 63 33 52 68 64 48 56 7a 49 6a 6f 69 4d 6a 41 77 49 6e 30 73 65 79 4a 34 4c 57 46 74 65 69 31 68 62 47 64 76 63 6d 6c 30 61 47 30 69 4f 69 4a 42 56 31 4d 30 4c 55 68 4e 51 55 4d 74 55 30 68 42 4d 6a 55 32 49 6e 30 73 65 79 4a 72 5a 58 6b 69 4f 69 49 34 4e 32 51 7a 4f 44 52 68 5a 53 30 35 4d 44 4d 34 4c 54 52 6c 4d 6a 59 74 59 57 5a 6d 4e 43 30 33 4d 44 67 30 4e 6d 49 78 5a 47 56 6a 59 6a 6b 75 61 6e 42 6e 49 6e 30 73 65 79 4a 34 4c 57 46 74 65 69 31 6a 63 6d 56 6b 5a 57 35 30 61 57 46 73 49 6a 6f 69 51 55 74 4a 51 55 6c 4e 55 46 70 57 4d 6b 74 49 53 55 6f 7a 4d 30 4a 46 55 6b 45 76 4d 6a 41 78 4f 44 45 77 4d 44 4d 76 64 58 4d 74 5a 57 46 7a 64 43 30 78 4c 33 4d 7a 4c 32 46 33 63 7a 52 66 63 6d 56 78 64 57 56 7a 64 43 4a 39 4c 48 73 69 65 43 31 68 62 58 6f 74 5a 47 46 30 5a 53 49 36 49 6a 49 77 4d 54 67 78 4d 44 41 7a 56 44 45 32 4d 7a 41 78 4e 56 6f 69 66 53 78 37 49 6e 67 74 59 57 31 36 4c 57 31 6c 64 47 45 74 63 58 46 6d 61 57 78 6c 62 6d 46 74 5a 53 49 36 49 6d 31 6c 62 44 55 75 61 6e 42 6e 49 6e 31 64 66 51 3d 3d</StringToSignBytes> <RequestId>3B58255BDCCA8F5F</RequestId> <HostId>jws69+sNEZTky7EsMEpUHCdp62x1HurB2schStsp+inwMoBBxL7OPImi2xUmMiZLj2g+FsbAiiE=</HostId></Error>

Further info:

Prior to the post to S3, here's the request/response to server endpoint to get the signature.

POST handler.ashx?op=getSignature&v4=true

Request

Pragma: no-cache
Origin: http://localhost:49797
Accept-Encoding: gzip, deflate, br
Host: localhost:49797
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Content-Type: application/json; charset=UTF-8
Accept: application/json
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Cookie:
Connection: keep-alive
Referer: http://localhost:12455/?section=3
Content-Length: 403

{"expiration":"2018-10-03T16:35:15.235Z","conditions":[{"acl":"private"},{"bucket":"xyz"},{"Content-Type":"image/jpeg"},{"success_action_status":"200"},{"x-amz-algorithm":"AWS4-HMAC-SHA256"},{"key":"87d384ae-9038-4e26-aff4-70846b1decb9.jpg"},{"x-amz-credential":"ACCESSKEY/20181003/us-east-1/s3/aws4_request"},{"x-amz-date":"20181003T163015Z"},{"x-amz-meta-qqfilename":"mel5.jpg"}]}

Response

{"policy":"eyJleHBpcmF0aW9uIjoiMjAxOC0xMC0wM1QxNjozNToxNS4yMzVaIiwiY29uZGl0aW9ucyI6W3siYWNsIjoicHJpd mF0ZSJ9LHsiYnVja2V0Ijoic2R2YXVsdHMtdGVzdCJ9LHsiQ29udGVudC1UeXBlIjoiaW1hZ2UvanBlZyJ9LHsic3VjY2Vzc19hY 3Rpb25fc3RhdHVzIjoiMjAwIn0seyJ4LWFtei1hbGdvcml0aG0iOiJBV1M0LUhNQUMtU0hBMjU2In0seyJrZXkiOiI4N2QzODRhZ S05MDM4LTRlMjYtYWZmNC03MDg0NmIxZGVjYjkuanBnIn0seyJ4LWFtei1jcmVkZW50aWFsIjoiQUtJQUlNUFpWMktISUozM0JFU kEvMjAxODEwMDMvdXMtZWFzdC0xL3MzL2F3czRfcmVxdWVzdCJ9LHsieC1hbXotZGF0ZSI6IjIwMTgxMDAzVDE2MzAxNVoifSx7IngtYW16LW1ldGEtcXFmaWxlbmFtZSI6Im1lbDUuanBnIn1dfQ ==","signature": "AA16D553ADD17986087A7418525BC4985F05E4BFD392DA30D0B39F1C933C2041"}

Javascript:

uploader = (<any>$(container)).fineUploaderS3({
                button: null,
                debug: true, 
                retry: {
                    enableAuto: false 
                },
                signature: {
                    endpoint: signatureEndPoint,
                    version: 4
                },
                uploadSuccess: {
                    endpoint: successEndPoint,
                    params: {

                    }
                },
                chunking: {
                    enabled: false
                },
                resume: {
                    enabled: false
                },
                deleteFile: {
                    enabled: false,
                    endpoint: deleteFileEndPoint
                },
                autoUpload: false,
                maxConnections: 1,
                text: {
                    cancelButton: 'Remove file from the Queue'
                },
                request: {
                    // Path-style bucket URL; the bucket name is appended at runtime
                    endpoint: "https://s3.amazonaws.com/" + bucket,
                    accessKey: accessKey
                },
                dragAndDrop: {
                    disableDefaultDropzone: true,
                    hideDropzones: false
                },
                editFilename: {
                    enabled: true
                },
                objectProperties: {
                    key: "uuid"
                }
            }).on('validateBatch', function () {

            }).on('submitted', function () {


            }).on('progress', function () {

            }).on('cancel', function () {

            });

Solution

  • In case this helps anyone else - I found the issue with my code - AWS4 expects a lower case signature string - once I converted the resulting hex string to lower case, the problem was solved.
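
The fix described in the solution, as an added example that is not part of the original post and is not the poster's handler.ashx code: a Node.js signer for the SigV4 POST policy that emits lowercase hex, with a check that flags output like the uppercase signature shown in the question. The secret key, sample policy, bucket and object names, and all function names are constructed for illustration.

```javascript
// Added example, not the poster's handler.ashx: SigV4 signing of an S3 POST policy.
const crypto = require('crypto');

const hmac = (key, data) =>
  crypto.createHmac('sha256', key).update(data, 'utf8').digest();

// Standard SigV4 key derivation chain, scoped to one day, region and service.
function signingKey(secretKey, dateStamp, region) {
  const kDate = hmac('AWS4' + secretKey, dateStamp);
  const kRegion = hmac(kDate, region);
  const kService = hmac(kRegion, 's3');
  return hmac(kService, 'aws4_request');
}

// For a browser POST the string to sign is the base64 policy itself, which is
// why <StringToSign> in the 403 body is the policy value.
function signPolicy(policyObject, secretKey, dateStamp, region) {
  const policy = Buffer.from(JSON.stringify(policyObject), 'utf8').toString('base64');
  const key = signingKey(secretKey, dateStamp, region);
  // digest('hex') yields lowercase hex, the form the solution says AWS4 expects.
  const signature = crypto.createHmac('sha256', key).update(policy, 'utf8').digest('hex');
  return { policy, signature };
}

// Classify a signature string before returning it to Fine Uploader.
function diagnoseSignature(sig) {
  if (/^[0-9a-f]{64}$/.test(sig)) return 'ok';
  if (/^[0-9a-fA-F]{64}$/.test(sig)) return 'hex-not-lowercase';
  return 'malformed';
}

// Constructed sample input: placeholder secret, bucket and object key.
const SAMPLE_SECRET = 'EXAMPLE-SECRET-not-a-real-key';
const SAMPLE_POLICY = {
  expiration: '2018-10-03T16:35:15.235Z',
  conditions: [
    { acl: 'private' },
    { bucket: 'example-bucket' },
    { key: 'example-object.jpg' },
    { 'x-amz-algorithm': 'AWS4-HMAC-SHA256' },
    { 'x-amz-credential': 'ACCESSKEY/20181003/us-east-1/s3/aws4_request' },
    { 'x-amz-date': '20181003T163015Z' },
  ],
};

const signed = signPolicy(SAMPLE_POLICY, SAMPLE_SECRET, '20181003', 'us-east-1');
console.log(diagnoseSignature(signed.signature), signed.signature);
// The value posted in the question is valid hex but uppercase:
console.log(diagnoseSignature('AA16D553ADD17986087A7418525BC4985F05E4BFD392DA30D0B39F1C933C2041'));
```

Running the same classification on the signature endpoint's JSON response during development catches the case mismatch before the upload reaches S3.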