s3 generated_presigned_url ignores IfNoneMatch #4367

Open
1 task
rittneje opened this issue Dec 4, 2024 · 4 comments
Labels
bug This issue is a confirmed bug. p3 This is a minor priority issue response-requested Waiting on additional information or feedback. s3

rittneje commented Dec 4, 2024

Describe the bug

I created a presigned S3 upload URL like so:

    url = s3.generate_presigned_url('put_object', ExpiresIn=3600, Params={'Bucket':'<bucket>', 'Key': '<filename>', 'IfNoneMatch': '*'})

However, the IfNoneMatch is not reflected in the resulting presigned URL at all. Attempting to use it when the file in question already exists does NOT result in an error. And if I manually specify the If-None-Match header when I do the upload, it fails with the following error message:

Requests specifying conditional writes either require AWS Signature Version 4 or must be made over a secure connection.

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

Specifying IfNoneMatch needs to be reflected in the presigned URL and honored by the resulting upload.

The user of the presigned URL should not need to specify the If-None-Match header as this defeats the whole point.

Current Behavior

See above.

Reproduction Steps

See above.

Possible Solution

No response

Additional Information/Context

No response

SDK version used

1.35.74

Environment details (OS name and version, etc.)

n/a

@rittneje rittneje added bug This issue is a confirmed bug. needs-triage This issue or PR still needs to be triaged. labels Dec 4, 2024

rittneje commented Dec 4, 2024

For reference, I am able to get this to work correctly with botocore. So this is a bug in boto3 itself.

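    import boto3
    import botocore.auth
    import botocore.awsrequest

    session = boto3.session.Session()

    # Build the PUT request by hand; If-None-Match is passed as a query parameter.
    req = botocore.awsrequest.AWSRequest(
        method="PUT",
        url="https://<bucket>.s3.amazonaws.com/<filename>",
        data={},
        params={
            "If-None-Match": "*",
        },
        headers={},
    )

    # Sign with SigV4 query-string auth; add_auth() rewrites req.url in place.
    botocore.auth.S3SigV4QueryAuth(session.get_credentials(), "s3", "us-east-1").add_auth(req)

    print(req.url)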

@adev-code adev-code self-assigned this Dec 10, 2024
@adev-code adev-code added investigating This issue is being investigated and/or work is in progress to resolve the issue. s3 p3 This is a minor priority issue needs-review and removed needs-triage This issue or PR still needs to be triaged. investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Dec 10, 2024
@adev-code

Hello @rittneje, thanks for reaching out. From the error snippet, it looks like SigV2 is being used. From my replication, I was able to get SigV4 that would contain AWS4-HMAC-SHA256 (https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html) like https://bucket-name.s3.us-east-2.amazonaws.com/test?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAXXXXXXX%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20241XXXXXZ&X-Amz-Expires=360&X-Amz-SignedHeaders=host%3Bif-none-match&X-Amz-Signature=0f8af1XXXXX89c800c0d .
As per the workaround that you have mentioned, it specifically used SigV4. Please ensure that in the code you are specifying SigV4. If you have any questions please let me know. Thanks.

@adev-code adev-code added response-requested Waiting on additional information or feedback. and removed needs-review labels Dec 17, 2024
@adev-code

Hi @rittneje, just a small addition to my previous response. You can set Config(signature_version="s3v4") to have Sig V4 https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html. If you have any questions, please let me know. Thanks.

@rittneje

@adev-code Your reference says:

signature_version: The AWS signature version to use when signing requests. When necessary, Boto automatically switches the signature version to an appropriate value. The following values are recognized.

   s3v4
   (Default) Signature Version 4
   s3
   (Deprecated) Signature Version 2

So SigV4 is supposed to be the default. Why is it defaulting to SigV2?

In addition, even if I explicitly request SigV4, it still doesn't include the value for If-None-Match in the presigned URL. This means the consumer has to know to set the header, which defeats the whole point of having a presigned URL. So again the aforementioned workaround is still necessary until boto3 is fixed to do the right thing (and do it by default as the docs claim).
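An added check, not part of the issue thread or of boto3: it inspects a presigned URL before it is handed out and reports which signature version it uses and whether `If-None-Match` is covered by the signature, either as a signed header (as in the URL adev-code posted) or as a query parameter (as in rittneje's botocore workaround). The function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

CONDITION = "if-none-match"

def inspect_presigned_url(url):
    """Report the signature scheme of a presigned S3 URL and where If-None-Match appears."""
    # parse_qs percent-decodes values: host%3Bif-none-match -> host;if-none-match
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    query = {k.lower(): v[0] for k, v in raw.items()}
    if query.get("x-amz-algorithm") == "AWS4-HMAC-SHA256":
        version = "SigV4"
    elif "awsaccesskeyid" in query and "signature" in query:
        version = "SigV2"  # legacy query-string authentication
    else:
        version = "unknown"
    signed = [h for h in query.get("x-amz-signedheaders", "").lower().split(";") if h]
    return {
        "signature_version": version,
        "signed_headers": signed,
        "condition_as_signed_header": CONDITION in signed,
        "condition_as_query_param": CONDITION in query,
    }

def condition_is_bound(url):
    """True only if the URL is SigV4 and If-None-Match is part of what was signed."""
    info = inspect_presigned_url(url)
    return info["signature_version"] == "SigV4" and (
        info["condition_as_signed_header"] or info["condition_as_query_param"]
    )

# Constructed sample URLs (placeholder bucket, key id and signatures).
_V4 = ("https://example-bucket.s3.us-east-2.amazonaws.com/test"
       "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
       "&X-Amz-Credential=AKIAEXAMPLE%2F20241204%2Fus-east-2%2Fs3%2Faws4_request"
       "&X-Amz-Date=20241204T000000Z&X-Amz-Expires=3600")
SAMPLES = {
    "signed_header": _V4 + "&X-Amz-SignedHeaders=host%3Bif-none-match&X-Amz-Signature=00",
    "query_param": _V4 + "&If-None-Match=%2A&X-Amz-SignedHeaders=host&X-Amz-Signature=00",
    "unconditional": _V4 + "&X-Amz-SignedHeaders=host&X-Amz-Signature=00",
    "sigv2": ("https://example-bucket.s3.amazonaws.com/test"
              "?AWSAccessKeyId=AKIAEXAMPLE&Signature=AAAA%3D&Expires=1733360000"),
}

if __name__ == "__main__":
    for name, url in SAMPLES.items():
        print(name, inspect_presigned_url(url), "bound:", condition_is_bound(url))
```

A header listed in `X-Amz-SignedHeaders` is bound to the signature, but the uploader still has to send it with the signed value for the signature to verify.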
