mbraak/django-file-form

Upload to S3 fails due to wrong authorization mechanism

nklsw opened this issue · 7 comments

nklsw commented

My uploads to S3 always fail with code 400 Bad Request and the following response message:
The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.

Is it possible to use the AWS4-HMAC-SHA256 mechanism?

I already set the values suggested here

AWS_S3_REGION_NAME = 'eu-central-1' 
AWS_S3_SIGNATURE_VERSION = 's3v4'

I also set the values according to your documentation:

AWS_ACCESS_KEY_ID = env("DJANGO_AWS_ACCESS_KEY_ID", default=None)
AWS_SECRET_ACCESS_KEY = env("AWS_SECRET_ACCESS_KEY", default=None)
AWS_STORAGE_BUCKET_NAME = env("AWS_STORAGE_BUCKET_NAME", default=None)
AWS_S3_REGION_NAME = env("AWS_S3_REGION_NAME", default=None)
AWS_S3_ENDPOINT_URL = env("AWS_S3_ENDPOINT_URL", default=None) # see note

CSP_DEFAULT_SRC = ("'none'",)
CSP_STYLE_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'",)
CSP_FONT_SRC = ("'self'",)
CSP_IMG_SRC = ("'self'",)
CSP_CONNECT_SRC = ("'self'", AWS_S3_ENDPOINT_URL)

Note: Currently I did not set a value for AWS_S3_ENDPOINT_URL because I am not sure which URL I need to use here. I tried out bucketname.eu-central-1.s3.amazonaws.com and bucketname.s3.amazonaws.com but both lead to an error.

Also I am using AWS_QUERYSTRING_AUTH = True in my settings. Don't know if this is relevant here.

I believe you can leave AWS_S3_ENDPOINT_URL empty. The underlying AWS library (boto3) will automatically fill in the URL.

I will have a look at the authorization error.

I added the AWS_S3_SIGNATURE_VERSION option to the aws-signature-version branch. See #447.

It works on my setup. I'm curious to see if it works for you.

Steps:

  • use the 'aws-signature-version' branch
  • set 'AWS_S3_SIGNATURE_VERSION'
    AWS_S3_SIGNATURE_VERSION = 's3v4'

nklsw commented

Unfortunately I'm still getting the same error.

It looks like the components referenced in the documentation from AWS are still missing in the PUT requests for uploading to S3.

I don't have access to a real S3 server, so that complicates the testing. I tested this using the Minio local server.

nklsw commented

Sure, that's a little bit difficult, but I really appreciate your effort!
I am not that familiar with Minio. Are you able to restrict the S3 authentication to signature version s3v4 only?

Minio supports the v4 authentication. But I haven't found a way to restrict it to only use v4.

nklsw commented

The absence of the region_name option seems to be the reason for the error. I created #448 with the missing option that makes it work for me.