Aws::S3::Object#presigned_url does not allow :secure option #1169

Closed
steventen opened this issue Apr 27, 2016 · 9 comments

@steventen

Hi, there

It looks like the #presigned_url method for an S3 object does not allow the :secure option to be passed in.

Is there a reason for that?

Thanks

@awood45
Member

awood45 commented Apr 27, 2016

It works for me (examples from aws.rb):

s3.resource.bucket('foo').object('bar').presigned_url(:get) #=> "https://foo.s3.amazonaws.com/bar?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAKEY%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160427T163755Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=dfb94310e64c5352534891e574cba7ce6e0e740f649053b173820014d28f92a2"

s3.resource.bucket('foo').object('bar').presigned_url(:get, secure: false) #=> "http://foo.s3.amazonaws.com/bar?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAKEY%2F20160427%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160427T163803Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host&X-Amz-Signature=22a965dd9cedbaf468e26d612c2dffa8586173860180747e39616a01f6cc0d6d"

What version are you using? The confusion may be the fact that you're not seeing :secure in that method, because it isn't applied until we get to the client presigner. If that's the case, I could see the use of a doc change.

@steventen
Author

Yeah, the doc does not mention that.

Also if I set virtual_host: true, it seems like I can not use https?

@awood45
Member

awood45 commented Apr 27, 2016

That's correct. I'm not sure off the top of my head why that was, let me get back to you on that.

@awood45 awood45 removed the pending label Apr 27, 2016
@awood45
Member

awood45 commented Apr 27, 2016

#786 has the extended discussion on why you can't use HTTPS with virtual hosts. In short, it's because of missing security certificates in those cases. Do you have a case where you need HTTPS for virtual hosts?

@steventen
Author

@awood45 thanks for the quick reply.

I found I may have misunderstood this virtual host thing.

So we are trying to move from v1 to v2. With v1, we have code like this:

object.url_for(:read, expires: 7.days.to_i, secure: true, endpoint: '...', force_path_style: true)

Since the url_for method is removed in v2, I started to use presigned_url, and I didn't see the endpoint option there, so I thought I could use virtual_host to achieve it (by using the hostname as the bucket name).

Now it looks like I can just pass the endpoint in Aws::S3::Resource.new, and then presigned_url could generate something similar to url_for without using virtual_host?

Aws::S3::Resource.new(endpoint: '...').bucket('foo').object('bar').presigned_url(...)

@trevorrowe
Member

@steventen Can you provide more context to why and what you were providing as :endpoint in your v1 #url_for call? Normally, you should not configure the :endpoint for an S3 client or resource object. The endpoint is constructed for you from the :region option. The endpoint option exists primarily for testing against non-s3 hosts, e.g. local testing against mock S3 implementations.

The :virtual_host option enables using the bucket name as the host. This is limited to http (no https) because of issues with verifying the SSL peer certificate.

@steventen
Author

So we want to provide customers with download links for the files stored in s3. And these links must have expiration time. We want to use our own domain name for these links.

We haven't really enabled the endpoint thing in v1 in production, before switching to v2. It just ran successfully in tests (now I understand it is just kind of designed for tests.)

So it looks like in order to achieve what we want, we have to use the domain name as the bucket name, and we can only use http?

@trevorrowe
Member

@steventen That's correct. Your bucket name must be the CNAME you register as the virtual host. In addition to that, the request would have to be HTTP, not HTTPS.
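
An added example, not code from this thread or from the SDK: a pre-flight check on a SigV4 presigned URL, using only Ruby's standard library, that flags the plain-HTTP scheme produced by `secure: false` or `:virtual_host` and an expiry longer than local policy. `audit_presigned_url`, `MAX_EXPIRES` and the sample URLs are assumptions made for illustration.

```ruby
require 'uri'

# Assumed local policy for this example (not an SDK default): links handed to
# customers must be HTTPS and live no longer than one hour.
MAX_EXPIRES = 3600
SIGV4_LIMIT = 604_800 # SigV4 query-string auth accepts at most 7 days

# Hypothetical helper: inspect a SigV4 presigned URL before it leaves the app.
def audit_presigned_url(url, max_expires: MAX_EXPIRES)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  findings = []
  # Over plain HTTP the whole URL, signature included, crosses the network in
  # cleartext, and the URL alone authorizes the request until it expires.
  findings << :cleartext_http unless uri.scheme == 'https'
  findings << :not_sigv4 unless params['X-Amz-Algorithm'] == 'AWS4-HMAC-SHA256'

  expires = Integer(params['X-Amz-Expires'].to_s, exception: false)
  if expires.nil? || expires <= 0 || expires > SIGV4_LIMIT
    findings << :invalid_expires
  elsif expires > max_expires
    findings << :expiry_over_policy
  end

  # X-Amz-Date is the signing time, e.g. 20160427T163755Z.
  m = /\A(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z\z/.match(params['X-Amz-Date'].to_s)
  signed_at = begin
    m && Time.utc(*m.captures.map(&:to_i))
  rescue ArgumentError
    nil # digits present but not a real calendar date/time
  end
  findings << :invalid_date unless signed_at

  valid_until = signed_at + expires if signed_at && expires && expires > 0
  { scheme: uri.scheme, host: uri.host, expires: expires,
    valid_until: valid_until, findings: findings }
end

# Constructed sample URLs shaped like the ones in this thread; the signature
# is a placeholder and downloads.example.com stands in for a CNAME bucket.
QUERY = 'X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAKEY%2F20160427%2F' \
        'us-east-1%2Fs3%2Faws4_request&X-Amz-Date=20160427T163755Z' \
        '&X-Amz-SignedHeaders=host&X-Amz-Signature=PLACEHOLDER'
SAMPLES = {
  default:   "https://foo.s3.amazonaws.com/bar?#{QUERY}&X-Amz-Expires=900",
  insecure:  "http://foo.s3.amazonaws.com/bar?#{QUERY}&X-Amz-Expires=900",
  week_long: "http://downloads.example.com/bar?#{QUERY}&X-Amz-Expires=604800"
}.freeze
```

Running `audit_presigned_url` over each entry in `SAMPLES` shows the HTTPS default passing cleanly, while the two HTTP variants are flagged and the week-long one also exceeds the assumed policy ceiling.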

@awood45 awood45 closed this as completed Jun 7, 2016
@AndrewVos

@awood45 I have a use case where I want to serve virtual host content behind a CloudFront distribution with HTTPS enabled. Know of any workaround for this?

Not very useful but the code is here: https://github.com/AndrewVos/anmo/blob/master/app/controllers/aws_controller.rb#L23
