AWS S3存储桶预签名URL

Question

I am trying to create Presigned URLs for users to access content from an S3 bucket.

The below code was working fine and all of a sudden I am getting the below error when opening any pre-signed URL that is created.

public function getPresignedUri($p)
{
    $s3 = new S3Client([
        'region'  => getenv('S3_REGION'),
        'version' => 'latest',
    ]);

    $cmd = $s3->getCommand('GetObject', [
      'Bucket' => getenv('S3_BUCKET'),
      'Key'    => 'casts/'. $p['file']
    ]);

    $request = $s3->createPresignedRequest($cmd, '+1 hour');

    return (string) $request->getUri();
}

 <Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>ASIA3DM6Y5GJC4FYJAFC</AWSAccessKeyId><StringToSign>AWS4-HMAC-SHA256 20180821T072223Z 20180821/ap-southeast-2/s3/aws4_request fc4f1139d3b146ae027bd0bfc0b3d6dacda81d711b062e0d93a65d04a61aa268</StringToSign><SignatureProvided>5f5d3ae9ef3d9cdfc0d039c39302c584dcfc93f5a94a0f1770bf6781d6958198</SignatureProvided><StringToSignBytes>41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 31 38 30 38 32 31 54 30 37 32 32 32 33 5a 0a 32 30 31 38 30 38 32 31 2f 61 70 2d 73 6f 75 74 68 65 61 73 74 2d 32 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 66 63 34 66 31 31 33 39 64 33 62 31 34 36 61 65 30 32 37 62 64 30 62 66 63 30 62 33 64 36 64 61 63 64 61 38 31 64 37 31 31 62 30 36 32 65 30 64 39 33 61 36 35 64 30 34 61 36 31 61 61 32 36 38</StringToSignBytes><CanonicalRequest>GET /casts/5B735D22BCB17.mp4 X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=ASIA3DM6Y5GJC4FYJAFC%2F20180821%2Fap-southeast-2%2Fs3%2Faws4_request&X-Amz-Date=20180821T072223Z&X-Amz-Expires=3600&X-Amz-Security-Token=FQoGZXIvYXdzEPn%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaDEMaw7h8OwK6f6QN0SLBA4%2B9LzXs7OMNjW7HDqr1jhuK%2FshbOMDBoF00GHqTWUuJWXQuL4ptYpvWRjwpris0USWPMTx0O3WeKacvtw6oN2M1KRoUe3IcNOpFwaixKw8%2Fo5FKXK%2BSCo%2F7U%2B76V4aEFuuWEZkC5qhm9R7ChB7vDNTlmYXx2GOzL2uZYV8dZrAnrUfU5qWpyI4IQb8DvPnpDWB0OgA2SRvuGzkwkVLEtMmHS2SMU32gwX2Oy6YnMswWZeqVQ%2FovfWbxd5AA4O%2BFNQfcNM5l4jsuR2zV8FiKZ3jQRLgfQx5uvydv6FFzb90SDbvUjZd0aAsR1Mre%2FnoQodezAm0xoA5618%2FWd%2BIh3jouN2RflRM3II8UXCWzFFq2NL%2FxweJu2mYXfKNpTkqOEls5dFMo2OWQa3IGXJqT3EZEZKXcQ3z%2F2aOP%2Fyw%2F2GtPdQrdJziwN4lTXyl6%2FGZYd968yjlU6pIk6vB0NVq9q3wKjBiwlsfGTlaJnFJH7DD%2FIY4U6fYOmvAcGnoozAbIcqDZpDPNrvZX75tzSatHHLyQoF56STZPhWK7cCWEo2JWAzg6NE4xBmypFG%2Bkxtv0QtrcUNYD35FvFGbjheUhMnyOKOTz7tsF&X-Amz-SignedHeaders=host host:app-assets-dev-ap-southeast-2-cmpny.s3.ap-southeast-2.amazonaws.com host UNSIGNED-PAYLOAD</CanonicalRequest> 

AWS SDK verison aws/aws-sdk-php (3.65.0)

One small difference I can see in the URL is that when it was working it had

X-Amz-SignedHeaders=host

and now it has

X-Amz-SignedHeaders=host%3Bx-amz-security-token

Although not sure what could be causing that extra string??

EDIT 1:

I identified that this issue was due to the SDK version 3.65 ... when I rolled back to 3.31 there was no issue.

However I am not marking this as resolved as I would like to know why a small version change like this made such a big difference and error?

I can see there is major differences in the src/Signature/SignatureS4.php file specifically:

$parsed['query']['X-Amz-SignedHeaders'] = 'host'; (V3.31)

and

$parsed['query']['X-Amz-SignedHeaders'] = implode(';', $this->getPresignHeaders($parsed['headers'])); (V3.65)

however that line alone didn't fix - replacing the whole file did fix the error.

Answer 1

I logged this issue on Github - https://github.com/aws/aws-sdk-php/issues/1609

And it was tested, confirmed and resolved very quickly - https://github.com/aws/aws-sdk-php/pull/1610

This is resolved.