
Why are REST calls to S3 using the AWS Signature v4 not really using the signature process?

I'm working with the AWS Federated Web Identity Playground and am wondering about the signature V4 usage to access AWS or specifically S3.

If I look at the Sig4.js file being loaded, it

/**
  * Contains functions to construct a canonical request, create the string to sign,
  * calcuate the signature, and finally to make a signed sigv4 request. Also contains
  * a function to make REST calls to S3. 
  */

I'm not sure about the method allowing to make REST calls to S3 (provided method callS3WithREST). Although the method is included in the sig4, it does not use any of its logic.

When reading the AWS docs they stress to always use signature V4 for all requests to AWS services. So I'm wondering:

Question:
Should I not use the signature to make REST calls to S3? What is the purpose of the signature process then? Thanks for some clarification.

You definitely need to sign your REST requests to S3, or they won't succeed unless the request involves something available to anonymous users. And, yes, you "should" use Signature Version 4 to interact with S3, because (among other reasons) newer S3 regions don't support the older Signature Version 2.

What's curious, here, is that callS3WithREST appears to actually be an implementation of Signature Version 2.

Why this is there is not at all clear to me, but I have a convincing theory: it's old code copy/pasted and/or left over from a V2 script that's a predecessor to this one.

S3's implementation of Signature Version 2 was almost exactly the same as V2 as supported by other AWS services... but different enough to be incompatible.

(S3's V2 "string to sign," unlike the standard implementation, does not include the Host: header value as the 2nd line, presumably because the bucket name that is required in the "canonical resource" section made it redundant, and there are usually multiple variant hostnames for the same bucket).

So, a V2 signing library would have to make an exception for S3, due to the difference in the algorithm.

This isn't true for V4, which is sufficiently comprehensive that the same code can sign requests for S3 as well as other services, if it doesn't make any improper assumptions.

So my suspicion is that this is best explained as some inappropriately left over code from when, in a previous lifetime, this was a Signature V2 script that was transmogrified into a V4 script.
