I encounter a SignNotMatch when I generate a presigned url with boto3 with the code below:
session = Session(access_key, secret_key)
s3 = session.client('s3', endpoint_url=OSS_ENDPOINT, config=Config(signature_version='s3v4'))
url = s3.generate_presigned_url(
ClientMethod='get_object',
Params={
'Bucket': bucket,
'Key': key
}
)
And then parse the request and resign(use AWS Go SDK signer.Presign) it in our proxy, and I always get a not match error.
Then I open the debug mode in boto3 and add log in AWS Go SDK, and found that when they calculate Canonical Request they use different way:
Canonical Request:
HTTP Verb + '
' +
Canonical URI + '
' +
Canonical Query String + '
' +
Signed Headers + '
' +
"UNSIGNED-PAYLOAD"
In Go AWS SDK it will put X-Amz-Content-Sha256=UNSIGNED-PAYLOADin Canonical Query String by default while boto3 will not.
Is it supposed to or I use it in a wrong way?