presigned url unmatching signature

Hello,
Apologies if the question seems noobish. I wasted hours trying to debug it.

If I copy a presigned PUT URL from the Tigris web interface, the following works successfully:

curl -X PUT --upload-file ~/Pictures/profile.jpg $URL

However, if I generate a presigned URL from the AWS CLI, I get a signature failure:

<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><Resource>/hidden-resonance-7222/cover-auc.jpg</Resource><RequestId>1765142028485770133</RequestId><Key>cover-auc.jpg</Key><BucketName>hidden-resonance-7222</BucketName></Error>

It is generated by

URL=$(aws s3 presign s3://hidden-resonance-7222/cover-auc.jpg --expires-in 3600  --endpoint-url https://t3.storage.dev)

Executing aws configure yields:

AWS Access Key ID [****************_lvN]: 
AWS Secret Access Key [****************0yEe]: 
Default region name [auto]: 
Default output format [json]: 

and the access key does match the one I see in the Tigris web interface.

I saw this but it does not seem relevant.

P.S. The working URL generated from the web interface looks like:

https://hidden-resonance-7222.t3.storage.dev/cover-auc.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=tid_<I deleted this>_lvN%2F20251207%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20251207T213238Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=<I deleted this>

The failed URL generated by the AWS CLI looks like:

https://t3.storage.dev/hidden-resonance-7222/cover-auc.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=tid_<I deleted this>_lvN%2F20251207%2Fauto%2Fs3%2Faws4_request&X-Amz-Date=20251207T213420Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=<I deleted this>

Update. Python’s SDK works.

Update. I used curl’s built-in AWS SigV4 support and the following worked successfully:

curl  --user "$AWS_ACCESS_KEY_ID":"$AWS_SECRET_ACCESS_KEY" \
      --aws-sigv4 "aws:amz:auto:s3" \
      --header "Content-Type: application/vnd.sqlite3" \
      --request PUT \
      --upload-file "$BK_PATH" \
      "https://${BUCKET_NAME}.t3.storage.dev/${OBJECT_KEY}"

Note. For the record, a developer may deploy a Python app which generates presigned URLs for her generic HTTP requests.

Note. I still don’t know why the AWS CLI does not generate a correct signature.

The AWS CLI doesn’t support generating pre-signed URLs for PUT operations. You can use other programming language SDKs to generate them.

Thank you for the note.
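Why a URL presigned for one HTTP method is rejected with SignatureDoesNotMatch when used with another, as an added example that is not part of the original thread: SigV4 includes the HTTP method and the Host header in the signed canonical request, and the server recomputes the signature from the request it actually receives. The credentials, bucket and object names below are constructed, and expiry checking is omitted.

```python
import hashlib
import hmac
from urllib.parse import quote, unquote

# Constructed sample values, not real credentials.
ACCESS_KEY, SECRET_KEY = "tid_EXAMPLE", "tsec_EXAMPLE"
HOST, KEY_PATH, AMZ_DATE = "example-bucket.t3.storage.dev", "/cover.jpg", "20251207T213420Z"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign(method, host, path, query, secret_key, amz_date, region="auto"):
    """SigV4 signature; the HTTP method and Host header are both signed inputs."""
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    canonical = "\n".join([method, quote(path, safe="/"), query,
                           f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, "s3", "aws4_request"):
        key = _hmac(key, part)  # derive the per-day, per-region signing key
    return _hmac(key, to_sign).hex()

def presign(method, host, path, access_key, secret_key, amz_date,
            region="auto", expires=3600):
    """Build a presigned URL that is valid only for `method` on `host`."""
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = [("X-Amz-Algorithm", "AWS4-HMAC-SHA256"),  # already in sorted order
              ("X-Amz-Credential", f"{access_key}/{scope}"),
              ("X-Amz-Date", amz_date),
              ("X-Amz-Expires", str(expires)),
              ("X-Amz-SignedHeaders", "host")]
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in params)
    sig = sign(method, host, path, query, secret_key, amz_date, region)
    return f"https://{host}{quote(path, safe='/')}?{query}&X-Amz-Signature={sig}"

def server_accepts(method, url, secret_key, region="auto"):
    """Server-side check: recompute the signature from the request as received."""
    host, _, tail = url.split("://", 1)[1].partition("/")
    path, _, qs = tail.partition("?")
    query, _, given = qs.rpartition("&X-Amz-Signature=")
    amz_date = query.split("X-Amz-Date=")[1].split("&")[0]
    expected = sign(method, host, unquote("/" + path), query, secret_key, amz_date, region)
    return hmac.compare_digest(expected, given)

if __name__ == "__main__":
    for m in ("GET", "PUT"):  # a GET-signed URL is rejected for PUT
        url = presign(m, HOST, KEY_PATH, ACCESS_KEY, SECRET_KEY, AMZ_DATE)
        print(f"{m}-signed URL used for PUT:", server_accepts("PUT", url, SECRET_KEY))
```

When debugging a mismatch like this, compare the method, host and path the client sends against the ones that were signed before suspecting the key itself.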
