How to generate Pre-signed PUT URL (if possible) using CloudFront signer with Python Boto client?

I have been working on an S3 storage application using the Python boto client. The client requests pre-signed upload (pre-signed PUT) and download (pre-signed GET) URLs from the server for files.

Using a boto3 S3 session, this can be done using:

response = session.generate_presigned_url(
    "put_object",
    Params={
        "Bucket": client.aws_bucket,
        "Key": s3_object,
    },
    ExpiresIn=client.url_expiration,
)

However, now I am trying to achieve the same using the CloudFront APIs of boto3. I followed this example to generate a download URL. (Keys are set up in the AWS console as the documentation suggested.)

If I upload using the S3 pre-signed PUT URL, I cannot download the file via the URL generated with the CloudFront signer. It leads to the following error (some hash values have been changed to hide details):

<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
<AWSAccessKeyId>removed access key</AWSAccessKeyId>
<StringToSign>AWS4-HMAC-SHA256 20200909T010545Z 20200909/us-east-1/s3/aws4_request dec845474b8be721379ebb7b43a31ad34c658eaf3c9668a428fc0bc0dff02b63</StringToSign>
<SignatureProvided>cd87ad2fc7d6248f8046dbda7aa3db8914c8704d2ab4e939aeeecabf98c8ea37</SignatureProvided>
<StringToSignBytes>41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 30 30 39 30 39 54 30 31 30 35 34 35 5a 0a 32 30 32 30 30 39 30 39 2f 75 73 2d 65 61 73 74 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 64 65 63 38 34 35 34 37 34 62 38 62 65 37 32 31 33 37 39 65 62 62 37 62 34 33 61 33 31 61 64 33 34 63 36 35 38 65 61 66 33 63 39 36 36 38 61 34 32 38 66 63 30 62 63 30 64 66 66 30 32 62 36 33</StringToSignBytes>
<CanonicalRequest>GET somefile.png host:example.com x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 x-amz-date:20200909T010545Z host;x-amz-content-sha256;x-amz-date e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</CanonicalRequest>
<CanonicalRequestBytes>47 45 54 0a 2f 62 33 64 61 61 37 37 62 34 63 30 34 61 39 35 35 31 62 38 37 38 31 64 30 33 31 39 31 66 65 30 39 38 66 33 32 35 65 36 37 2f 73 73 2e 70 6e 67 0a 0a 68 6f 73 74 3a 62 6f 69 6e 67 2e 70 61 6e 61 63 65 61 68 65 61 6c 74 68 2e 61 69 0a 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35 0a 78 2d 61 6d 7a 2d 64 61 74 65 3a 32 30 32 30 30 39 30 39 54 30 31 30 35 34 35 5a 0a 0a 68 6f 73 74 3b 78 2d 61 6d 7a 2d 63 6f 6e 74 65 6e 74 2d 73 68 61 32 35 36 3b 78 2d 61 6d 7a 2d 64 61 74 65 0a 65 33 62 30 63 34 34 32 39 38 66 63 31 63 31 34 39 61 66 62 66 34 63 38 39 39 36 66 62 39 32 34 32 37 61 65 34 31 65 34 36 34 39 62 39 33 34 63 61 34 39 35 39 39 31 62 37 38 35 32 62 38 35 35</CanonicalRequestBytes>
<RequestId>14670F5525B7189A</RequestId>
<HostId>2xVb5KggcsomehostidpartJjLHVlD0ZDA7TIMWuThXJyYrR/B9g3+RbhPZ7xjoHzKGI=</HostId>
</Error>

Is there a way to generate pre-signed PUT URLs using the CloudFront APIs? I could not find anything useful. Or should the client always upload using the pre-signed PUT URL generated using the S3 session object?

After looking for a few days, I finally noticed the mistakes. From CloudFront control, the policy had to include both PutObject and GetObject. This allowed using the same URL with both PUT and GET methods to upload and download files respectively.

        "Action": [
            "s3:PutObject",
            "s3:GetObject"
        ]

Also, there seemed to be an issue when copying the *.pem file containing the key; downloading the file again and replacing the old one removed the authentication issues.
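An added example (not from the original post): a CloudFront canned-policy signed URL built with the standard library, showing that the signed policy covers only the resource and the expiry, not the HTTP method, which is consistent with one URL serving both PUT and GET once the policy allows both actions. The function names are hypothetical, and `load_rsa_signer` assumes the third-party `cryptography` package and an unencrypted private-key `.pem` file.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit


def canned_policy(url, expires_epoch):
    # Canned policy: compact JSON naming only the resource and its expiry time.
    statement = {"Resource": url,
                 "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}
    return json.dumps({"Statement": [statement]}, separators=(",", ":")).encode()


def cf_b64(raw):
    # CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
    return base64.b64encode(raw).decode("ascii").translate(str.maketrans("+=/", "-_~"))


def sign_url(url, key_pair_id, expires_epoch, rsa_signer):
    # rsa_signer: callable(bytes) -> bytes producing an RSA-SHA1 signature.
    signature = rsa_signer(canned_policy(url, expires_epoch))
    sep = "&" if "?" in url else "?"
    return (f"{url}{sep}Expires={expires_epoch}"
            f"&Signature={cf_b64(signature)}&Key-Pair-Id={key_pair_id}")


def load_rsa_signer(pem_path):
    # Assumption: 'cryptography' is installed; imported lazily so the rest runs without it.
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    with open(pem_path, "rb") as fh:
        key = serialization.load_pem_private_key(fh.read(), password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())


def describe(signed_url):
    # Split a signed URL into the fields CloudFront checks, to debug a rejected URL.
    parts = urlsplit(signed_url)
    query = parse_qs(parts.query)
    signature = query["Signature"][0].translate(str.maketrans("-_~", "+=/"))
    return {
        "resource": f"{parts.scheme}://{parts.netloc}{parts.path}",
        "expires": int(query["Expires"][0]),
        "key_pair_id": query["Key-Pair-Id"][0],
        "signature": base64.b64decode(signature),
    }
```

Comparing the `key_pair_id` from `describe()` with the public key registered in CloudFront is a quick way to spot the stale `.pem` situation mentioned above.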
