S3 Signed URL for Custom Domain Results in `SignatureDoesNotMatch`

[eacet]

Checkboxes for prior research

• I've gone through Developer Guide and API reference
• I've checked AWS Forums and StackOverflow.
• I've searched for previous similar issues and didn't find any solution.

Describe the bug

I am generating a signed URL using @aws-sdk/client-s3 and @aws-sdk/s3-request-presigner for a custom domain mapped to my S3 bucket. However, when I call the signed URL, I receive a 403 Forbidden response with the following error:

Error Code: SignatureDoesNotMatch  
Error Message: The request signature we calculated does not match the signature you provided. Check your key and signing method.  

Regression Issue

• Select this option if this issue appears to be a regression.

SDK version number

@aws-sdk/client-s3@3.701.0, @aws-sdk/s3-request-presigner@3.701.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

nodejs18.x

Reproduction Steps

1. Code Used to Generate Signed URL:

import { S3, GetObjectCommand } from '@aws-sdk/client-s3';
import { getSignedUrl } from '@aws-sdk/s3-request-presigner';

async function buildSignedUrl() {
    const s3 = new S3({
        region: 'eu-west-1',
        bucketEndpoint: true,    
});

    const command = new GetObjectCommand({
        Bucket: 'my-custom-domain',
        Key: 'my-file-key',
    });

    const signedUrl = await getSignedUrl(s3, command, { expiresIn: 3600 });
    console.log(signedUrl);
    return signedUrl;
}

2. Signed URL is generated successfully and appears correct.
3. Calling the Signed URL using curl or a browser results in:

<Error>
  <Code>SignatureDoesNotMatch</Code>
  <Message>The request signature we calculated does not match the signature you provided.</Message>
</Error>

Observed Behavior

Signed URL results in a 403 Forbidden with SignatureDoesNotMatch.

Expected Behavior

It should download file.

Possible Solution

No response

Additional Information/Context

No response

[aBurmeseDev]

Hi @eacet - thanks for reaching out.

I'm not able to reproduce this error on my end with the code below. One suggestion is to try using endpoint and forcePathStyle in client config instead of bucketEndpoint. If issue persists, please share the request logs by adding this middleware stack to client?

import { S3Client, GetObjectCommand } from '@aws-sdk/client-s3'
import { getSignedUrl } from '@aws-sdk/s3-request-presigner'

const s3Client = new S3Client({
    region:"us-west-1",
    bucketEndpoint: true, // remove
   // forcePathStyle: true,
   // endpoint: 'http://customS3Endpoint.com'
});

const url = await getSignedUrl(s3Client, new GetObjectCommand({
    Bucket: 'https://your-bucket-name.s3.amazonaws.com',
    Key: 'foo.txt',
}), { expiresIn: 3600 });

console.log(url);

[github-actions]

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.

[github-actions]

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.