Upload document to S3 using PreSigned URL using AWS JDK 2.x not working

[GusMCoutinho]

Describe the issue

I'm trying to upload a document to S3 bucket using presigned url that was generated using JDK 1.8 / AWS Java SDK 2.17.108, but I'm having the error "The request signature we calculated does not match the signature you provided. Check your key and signing method."

Steps to Reproduce

Following is the piece of code I have to generate the presigned URL:

log.info("Object Key: {}", objectKey);
            PutObjectRequest putObjectRequest =
                    PutObjectRequest.builder()
                            .acl(ObjectCannedACL.PUBLIC_READ_WRITE)
                            .bucket(bucket)
                            .key(objectKey)
                            .contentDisposition("attachment;filename=\"" + filename + "\"")
                            .contentType("text/plain")
                            .serverSideEncryption(ServerSideEncryption.AES256)
                            .overrideConfiguration(override)
                            .build();
            PutObjectPresignRequest putObjectPresignRequest =
                    PutObjectPresignRequest.builder()
                            .signatureDuration(duration)
                            .putObjectRequest(putObjectRequest)
                            .build();
            PresignedPutObjectRequest presignedPutObjectRequest =
                    s3Presigner.presignPutObject(putObjectPresignRequest);

Note: I'm also using IAM user access keys in the S3Presigner.builder method.

Current behavior

I'm having the below errors:

AWS Java SDK version used

2.17.108

JDK version used

1.8

Operating System and version

N/A

[debora-ito]

@GusMCoutinho

Can you paste a generated URL in the comments? Please redact any sensitive information.

Presigned URLs work with query params to send values that would be usually sent by http headers.
The issue probably will be fixed if you add the acl, contentDisposition, contentType and serverSideEncryption as queryParams in the overrideConfiguration setting:

AwsRequestOverrideConfiguration override = AwsRequestOverrideConfiguration.builder()
    .putRawQueryParameter("x-amz-acl", "private")
    .putRawQueryParameter("x-amz-server-side-encryption", "AES256")
    .putRawQueryParameter("content-disposition", "attachment;filename=\"file.txt\"")
    .putRawQueryParameter("content-type", "text/plain")
    .build();

PutObjectRequest putObjectRequest = PutObjectRequest.builder()
    .bucket(BUCKET)
    .key(OBJECT)                        
    .overrideConfiguration(override)
    .build();

[GusMCoutinho]

Hi @debora-ito ,

The suggestion you made helped, I'm now facing "Access Denied", although i have policies for the role being used by our microservice that allows all actions to our s3 bucket. Contacted AWS and they suggested that it could be a policy at organization level and we are investigating that now.

Thank you

[GusMCoutinho]

@debora-ito ,

Do you know if it is required to add additional parameter regarding encrypting to generate presigned url?

Note: The bucket where we want to upload documents uses KMS encryption (custom managed key created by us).

Thank you

[debora-ito]

Yes, you need to add the parameters related to the server-side encryption you want to use.

One way to know which params to include is to execute a working PutObjectRequest with the required encryption settings, enable the verbose wirelogs (see instructions here) and check which x-amz-server-side-encryption-* headers are sent in the request. The same headers need to be added as query params to the presigned URL.

[rizthetechie]

Amazon really need to get their documents right, so many people facing this issue. No where on their document i could find the solution to this

[bubaigit]

Hi I am using AWS SDK - 2x with below POM configuration. The Preassigned URL code we use - will successfully generated the link but when we click the Link - it will show below error -

<Code>SignatureDoesNotMatch</Code> <Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message> <AWSAccessKeyId>ASIAWHB6CBAUK5XMNCDB</AWSAccessKeyId> <StringToSign>AWS4-HMAC-SHA256 20250116T062638Z 20250116/us-east-2/s3/aws4_request 042b6840c5545b903f3c841ff36d04d4354dd883e03e49c2b50752d343101e81</StringToSign> <SignatureProvided>575e902f666f969baff2b4dcd0a16420f1bf7d18597224c839741ce13cdfa8d9</SignatureProvided>

we will use - software.amazon.awssdk version - 2.20.0 / spring-boot-starter-parent - 3.3.7 / JDK 21

POM File

pom.txt

Bucket Setting

Tried with Content-Type for the bucket CORS setting and
*

The Java code

`
public String generatePreSignedUrl(String bucketname, String fileKey, S3Client s3Client) {

	LOGGER.info("bucketname and fileKey: {} {}", bucketname, fileKey);
	
           String downloadUrl = null;

	AwsRequestOverrideConfiguration override = AwsRequestOverrideConfiguration
			.builder()
			.putRawQueryParameter("x-amz-acl", "private")
			.putRawQueryParameter("x-amz-server-side-encryption", "AES256")
			.putRawQueryParameter("content-disposition", "attachment;filename=\"file.zip\"")
			.putRawQueryParameter("content-type", "application/zip")
			.build();

	S3Presigner presigner = S3Presigner.builder()
			.region(Region.US_EAST_2) // Specify the region
			.credentialsProvider(DefaultCredentialsProvider.create())
			.build();

	GetObjectRequest getObjectRequest = GetObjectRequest.builder()
			.bucket(bucketname) // Replace with the bucket name
			.key(fileKey) // Replace with the object key
			.overrideConfiguration(override)   // we tried with or without 
			.build();

	GetObjectPresignRequest presignRequest = GetObjectPresignRequest.builder()
			.getObjectRequest(getObjectRequest)
			.signatureDuration(Duration.ofDays(5)) // Set duration for 5 days
			.build();

	PresignedGetObjectRequest presignedRequest = presigner.presignGetObject(presignRequest);

	
	downloadUrl = presignedRequest.url().toString();

	presigner.close();

	
	return downloadUrl;
}

`

`