Why is AccessKeyId included in an S3 pre-signed URL?

Why is AccessKeyId included in an S3 pre-signed URL? Is it really necessary? The pre-signed URL already includes the Signature field, so why does it still require the AccessKeyId as well? Wouldn't the Signature be sufficient?

Jarrodjarrow answered 5/4, 2019 at 22:7

The signature is used to prove two things:

  • that the signer authorizes this specific request, and
  • that the signer was in possession of the secret key associated with the specified access-key-id.

Importantly... the signature does not actually contain any meaningful information. It's either right or it's wrong.

It's an HMAC-based hash of public (the request being made) and private (the secret key) information. The service doesn't "decode" it or interpret it or learn anything from it.

Instead, the service -- using the access-key-id -- looks up the associated secret key,¹ takes the request, and internally generates the signature you should have generated for the same request... then it checks to see if that's what you actually generated.² If not, the error is SignatureDoesNotMatch. The error is not more specific because the signature for any given request at any moment in time has only one possible value. Any other signature is simply the wrong signature.

But the access-key-id must be specified so the service knows who's making the request. The signature does not contain any reversible/decodable/decryptable information.


¹ "looks up the associated secret key" is probably an oversimplification when using Signature Version 4 because there are layers of (date, region, service, signing) keys derived from the IAM user's secret key... and the structure and nesting implies that individual services have access only to the relevant values they need.

² "you generated" is an important phrase, since there is some potential for misunderstanding of the source of pre-signed URLs. These are generated entirely in your code, with no interaction with the service. S3 is unaware of the existence of any pre-signed URLs until they are actually used. This has implications that can sometimes be useful; for example, it is entirely possible to generate a pre-signed URL for an object that does not yet exist, and create the object later. Also, disabling or deleting the aws-access-key-id that was used to generate a pre-signed URL immediately invalidates all URLs that key ever generated.

Flatboat answered 5/4, 2019 at 23:36
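
The lookup-and-recompute flow described in the answer above, as an added example that is not part of the original post or AWS's own code. It follows the Signature Version 4 query-string layout for an S3 GET with only the `host` header signed; `KEY_STORE`, `presign` and `verify` are hypothetical names, the credentials are documentation-style placeholders, and the expiry check is left out.

```python
import hashlib, hmac
from urllib.parse import quote, urlsplit, parse_qsl

# Constructed placeholder credentials (documentation-style sample values, not real keys).
KEY_STORE = {"AKIAIOSFODNN7EXAMPLE": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"}

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signature(secret, method, host, path, params):
    """Compute the signature from public request data plus the secret key.
    Assumes `path` is already URI-encoded."""
    date, region, service, _ = params["X-Amz-Credential"].split("/")[1:]
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    canonical = "\n".join([method, path, query,
                           f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", params["X-Amz-Date"],
                         f"{date}/{region}/{service}/aws4_request",
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)  # the derived-key layers from footnote 1
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()

def presign(akid, secret, host, path, amz_date, region="us-east-1", expires=3600):
    """Client side: built entirely locally, with no call to the service."""
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{akid}/{amz_date[:8]}/{region}/s3/aws4_request",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host"}
    sig = signature(secret, "GET", host, path, params)
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return f"https://{host}{path}?{query}&X-Amz-Signature={sig}"

def verify(url, key_store):
    """Service side: the access key id is the only way to find the secret."""
    u = urlsplit(url)
    params = dict(parse_qsl(u.query))
    claimed = params.pop("X-Amz-Signature", "")
    secret = key_store.get(params.get("X-Amz-Credential", "").split("/")[0])
    if secret is None:  # unknown, deleted or missing key id: nothing to recompute with
        return "InvalidAccessKeyId"
    expected = signature(secret, "GET", u.netloc, u.path, params)
    return "OK" if hmac.compare_digest(expected, claimed) else "SignatureDoesNotMatch"
```

Passing an empty key store to `verify` models the deleted-key case from footnote 2: every URL that key ever signed fails at the lookup, before any signature comparison happens.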
