Several questions and answers on SO and elsewhere have outlined possible solutions for resolving the SignatureDoesNotMatch error thrown when calling 'generate_presigned_url' from the boto3 SDK. Few are in boto3 and most answers suggest getting new credentials to resolve this exception. You can see more (but this is in PHP) here.
But these do not work for me, because I am using correct credentials and the correct bucket name and key path.
Originally, I was calling this to generate my client and then call generate_presigned_url.
client_s3 = boto3.client(
's3',
# Hard coded strings as credentials, not recommended.
aws_access_key_id='XXX',
aws_secret_access_key='XXX',
region_name='us-east-2',
# EDIT: Previously, I used signature_version='v4' here, but as a user here pointed out, this might not work. Regardless, I tried 's3v4' prior to trying 'v4' and neither worked for me.
config=Config(signature_version='s3v4')
)
url = client_s3.generate_presigned_url(
ClientMethod='get_object',
Params={
'Bucket': 'BUCKET_NAME',
'Key': 'CORRECT_KEY'
}
)
What could create this error when all of the parameters used are seemingly correct? How do I resolve it?
After seeing this AWS forum, I figured something fishy might be going on, but I really just wanted to resolve the issue with a secure solution.
My resolution is definitely not optimal for everyone, but it worked for me.
I copied everything from my bucket in 'us-east-2' into a new bucket in 'us-east-1' and I was able to access that bucket correctly with the exact same access/secret keys and bucket/key paths. I simply used:
client_s3 = boto3.client(
's3',
# Hard coded strings as credentials, not recommended.
aws_access_key_id='XXX',
aws_secret_access_key='XXX'
)
If you're like me and don't want to spend hours trying to decipher AWS's poor docs, just do this if you can. If you have a real solution, please add it here.
I still am unsure what causes this, but likely has something to do with the 'v4' signing method, which is region-dependent.