S3 GetPreSignedURL: X-Amz-Credential encodes forward slashes as 2%F which breaks the URL in some environments

[PaulDMendoza]

Describe the bug

When calling GetPreSignedURL the URL was generating an error in one of our environments in AWS but not others and works fine on my local machine.

After investigating the URL formats between my environments where the code works and the environment where it doesn't I realized there was a difference.

...&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=XXXXXXXXXXXXXXXX%2F20230827%2Fap-southeast-2%2Fs3%2Faws4_request&X-Amz-Date=20230827T043609Z&...

Expected Behavior

The S3 file download URL generated by GetPreSignedURL should work.

Current Behavior

The URL generates a SignatureDoesNotMatch XML error when attempting to download the file.

Reproduction Steps

I can only reproduce this in one of my environments. It works fine locally and in my various other environments in AWS. The environment where it fails is in ap-southeast-2.

var signedUrl = s3Client.GetPreSignedURL(new Amazon.S3.Model.GetPreSignedUrlRequest
{
BucketName = databaseserver.region_navigationproperty.CustomerDataBucket,
Key = fullKey,
Protocol = Amazon.S3.Protocol.HTTPS,
Expires = DateTime.UtcNow.AddMinutes(30),
Verb = Amazon.S3.HttpVerb.GET
});

Possible Solution

When I replace the %2F in the X-Amz-Credential and then try the URL it works.

...&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=XXXXXXXXXXXXXXXX/20230827/ap-southeast-2/s3/aws4_request&X-Amz-Date=20230827T043609Z&...

I ended up writing a function to fix the URL query string parameter X-Amz-Credential.

      var fixedSignedUrl = ReplaceEncodedForwardSlashInXAmzCredential(signedUrl);


      public static string ReplaceEncodedForwardSlashInXAmzCredential(string url)
        {
            var regex = new Regex(@"X-Amz-Credential=(?<credential>[^&]*)");
            var match = regex.Match(url);
            if (match.Success)
            {
                var credential = match.Groups["credential"];
                if(credential.Value.Contains("%2F") || credential.Value.Contains("%2f"))
                {
                    var fixedCredential = credential.Value.Replace("%2F", "/").Replace("%2f", "/");
                    url = url.Replace(credential.Value, fixedCredential);
                }
            }

            return url;
        }

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

AWSSDK.S3 3.7.203.1
AWSSDK.Core 3.7.201.6

Targeted .NET Platform

.NET Core 6

Operating System and version

AmazonLinux

[PaulDMendoza]

Nevermind. I figured out the problem. The URL was fine. The URL was being modified in the browser by another script.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.