Support for AWS4-HMAC-SHA256
benjamin-maynard opened this issue · 6 comments
Hi,
Firstly thanks for authoring this adapter. Really is great.
When I was deploying this earlier for my blog, I created an S3 Bucket in eu-west-2, which is the London Region. As per https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region, this S3 region only supports the latest Version 4 signature.
When configuring the ghost-storage-adapter-s3 plugin to point to this S3 endpoint, image uploads lead to the following error message: NAME: InternalServerError CODE: InvalidRequest MESSAGE: The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.
Recreating the S3 bucket in the Ireland region, which supports Version 2, makes this error go away. I am unsure if this is a plugin-specific issue or related to the AWS-SDK.
@benjamin-maynard what does your config look like?
Running in Kubernetes, but just the following environment variables:
The exact same config works in eu-west-1, but not eu-west-2
env {
  name  = "AWS_ACCESS_KEY_ID"
  value = "${aws_iam_access_key.benjamin-maynard-io-ghost.id}"
}
env {
  name  = "AWS_SECRET_ACCESS_KEY"
  value = "${aws_iam_access_key.benjamin-maynard-io-ghost.secret}"
}
env {
  name  = "AWS_DEFAULT_REGION"
  value = "${var.k8s_service-benjamin-maynard-io-fe-AWS_DEFAULT_REGION}"
}
env {
  name  = "GHOST_STORAGE_ADAPTER_S3_PATH_BUCKET"
  value = "${aws_s3_bucket.benjamin-maynard-io-images.bucket}"
}
env {
  name  = "GHOST_STORAGE_ADAPTER_S3_ASSET_HOST"
  value = "https://${aws_cloudfront_distribution.benjamin-maynard-io.domain_name}"
}
env {
  name  = "storage__active"
  value = "s3"
}
@eofs do you have any ideas on this?
the same issue
Hi!
You need to generate a presigned URL when using Version 4 authentication before calling the putObject() function. I haven't used V4s personally with the JS SDK, so I'm not sure how to set it up correctly.
According to the documentation, you could provide the signatureVersion option to the new AWS.S3(...) call. So extending the options object here by adding signatureVersion: 'v4' could work.
I hope this helps!
Support added in #45
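Added example, not part of the thread or the adapter's code: what the AWS4-HMAC-SHA256 mechanism named in the error message computes, using only Node's built-in crypto module. The access key, secret, bucket host, object path and timestamp are constructed sample values, `sampleRequest` is a hypothetical helper, and the path is assumed to be already URI-encoded.

```javascript
// Added example: Signature Version 4 (AWS4-HMAC-SHA256) with Node's crypto only.
const crypto = require('crypto');

const hmac = (key, data) => crypto.createHmac('sha256', key).update(data, 'utf8').digest();
const sha256Hex = (data) => crypto.createHash('sha256').update(data, 'utf8').digest('hex');

// The signing key is derived from the secret through date, region and service,
// so the configured region has to match the region the bucket lives in.
function deriveSigningKey(secret, date, region, service) {
  const kDate = hmac('AWS4' + secret, date);
  const kRegion = hmac(kDate, region);
  const kService = hmac(kRegion, service);
  return hmac(kService, 'aws4_request');
}

// Build the Authorization header for an S3 request without a query string.
function signV4({ method, path, host, region, body, amzDate, accessKeyId, secret }) {
  const date = amzDate.slice(0, 8);
  const payloadHash = sha256Hex(body);
  const headers = { host, 'x-amz-content-sha256': payloadHash, 'x-amz-date': amzDate };
  const names = Object.keys(headers).sort();
  const canonicalRequest = [
    method, path, '', // '' is the empty canonical query string
    names.map((n) => `${n}:${headers[n]}\n`).join(''),
    names.join(';'),
    payloadHash,
  ].join('\n');
  const scope = `${date}/${region}/s3/aws4_request`;
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalRequest)].join('\n');
  const signature = hmac(deriveSigningKey(secret, date, region, 's3'), stringToSign).toString('hex');
  return `AWS4-HMAC-SHA256 Credential=${accessKeyId}/${scope}, SignedHeaders=${names.join(';')}, Signature=${signature}`;
}

// Constructed sample request (hypothetical bucket, key and timestamp).
const sampleRequest = (region) => ({
  method: 'PUT', path: '/images/photo.jpg', body: 'constructed image bytes',
  host: `example-bucket.s3.${region}.amazonaws.com`, region,
  amzDate: '20190101T120000Z',
  accessKeyId: 'AKIDEXAMPLE', secret: 'constructed-secret-not-a-real-key',
});

const london = signV4(sampleRequest('eu-west-2'));
const ireland = signV4(sampleRequest('eu-west-1'));
console.log(london);
console.log(ireland);
```

The two printed headers differ in both credential scope and signature even though the key pair and payload are identical, because the region is mixed into the derived signing key.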