Call S3 pre-signed URL with postman

Question

I am attempting to use a pre-signed URL to upload as described in the docs (https://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html) I can retrieve the pre-signed URL but when I attempt to do a PUT in Postman, I receive the following error:

<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>

Obviously, the way my put call is structured doesn't match with the way AWS is calculating the signature. I can't find a lot of information on what this put call requires.

I've attempted to modify the header for Content-Type to multipart/form-data and application/octet-stream. I've also tried to untick the headers section in postman and rely on the body type for both form-data and binary settings where I select the file. The form-data setting results in the following added to the call:

Content-Disposition: form-data; name="thefiletosend.txt"; filename="thefiletosend.txt

In addition, I noticed that postman is including what it calls "temporary headers" as follows:

Host: s3.amazonaws.com Content-Type: text/plain User-Agent: PostmanRuntime/7.13.0 Accept: / Cache-Control: no-cache Postman-Token: e11d1ef0-8156-4ca7-9317-9f4d22daf6c5,2135bc0e-1285-4438-bb8e-b21d31dc36db Host: s3.amazonaws.com accept-encoding: gzip, deflate content-length: 14 Connection: keep-alive cache-control: no-cache

The Content-Type header may be one of the issues, but I'm not certain how to exclude these "temporary headers" in postman.

I am generating the pre-signed URL in a lambda as follows:

    public string FunctionHandler(Input input, ILambdaContext context)
    { 
        _logger = context.Logger;
        _key = input.key;
        _bucketname = input.bucketname;

        string signedURL = _s3Client.GetPreSignedURL(new GetPreSignedUrlRequest()
        {
            Verb = HttpVerb.PUT ,
            Protocol = Protocol.HTTPS,
            BucketName = _bucketname,
            Key = _key,
            Expires = DateTime.Now.AddMinutes(5)
        });

        returnObj returnVal = new returnObj() { url = signedURL };

        return JsonConvert.SerializeObject(returnVal);

    }

Answer 1

I was able to get this working in Postman using a POST request. Here are the details of what worked for me. When I call my lambda to get a presigned URL here is the json that comes back (after I masked sensitive and app-specific information):

{
    "attachmentName": "MySecondAttachment.docx",
    "url": "https://my-s3-bucket.s3.amazonaws.com/",
    "fields": {
        "acl": "public-read",
        "Content-Type": "multipart/form-data",
        "key": "attachment-upload/R271645/65397746_MySecondAttachment.docx",
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": "WWWWWWWW/20200318/us-east-1/s3/aws4_request",
        "x-amz-date": "20200318T133309Z",
        "x-amz-security-token": "XXXXXXXX",
        "policy": "YYYYYYYY",
        "x-amz-signature": "ZZZZZZZZ"
    }
}

In Postman, create a POST request, and use “form-data” to enter in all the fields you got back, with exactly the same field names you got back in the signedURL shown above. Do not set the content type, however. Then add one more key named “file”:

To the right of the word file if you click the drop-down you can browse to your file and attach it:

In case it helps, I’m using a lambda written in python to generate a presigned URL so a user can upload an attachment. The code looks like this:

signedURL = self.s3.generate_presigned_post(
    Bucket= "my-s3-bucket",
    Key=putkey,
    Fields = {"acl": "public-read", "Content-Type": "multipart/form-data"},
    ExpiresIn = 15,
    Conditions = [
        {"acl": "public-read"},
        ["content-length-range", 1, 5120000]
        ]
    )

Hope this helps.