Home/ Questions/Q 6538171
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T10:42:16+00:00

I am reading the documentation of passing a querystring to Amazon’s S3 for authentication,

  • 0

I am reading the documentation of passing a querystring to Amazon’s S3 for authentication, and can’t seem to grok how exactly the StringToSign is created and used. I am looking for a concrete example to illustrate (1) how to construct the StringToSign, and (2) once I have the signature, how to call the form.

For example’s sake, let’s say the following is my information:

Content-type='image/jpeg'
Bucket='test-bucket'
Key = 'filename'
ACL = 'public-read'
Expiration = '(never expires)'
Access Key = '12345'
Secret Password = '1a2b3c'
File = <file the user uploads>

How would I get the StringToSign value from this? And once I have that, how would I create the following form:

<form action="??" method="post" enctype='multipart/form-data' class="upload-form">
    <input name="file" type="file"> 
</form>

And for reference: http://docs.amazonwebservices.com/AmazonS3/latest/dev/index.html?RESTAuthentication.html#RESTAuthenticationQueryStringAuth. Thank you.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Based on what you described, it seems like you want to support browser-based uploads using POST. There is a section of the AWS documentation which talks about this.

    As an overview keep in mind you’ll either have to make your bucket publically writeable or include a policy document. I’ll assume you’ll be including a policy document (check the docs if you don’t want to):

    A policy document is just a fragment of JSON that is used to authenticate the request, and gives a bunch of conditions that must be met before data is uploaded. E.g:

    "expiration": "2020-12-01T12:00:00.000Z",
"conditions": [
    {"acl": "public-read" },
    {"bucket": "test-bucket" },
    ["eq", "$key", "filename"],
  ]
}

    This says the action to upload will be allowed until 2020, given that the bucket is only publically readable, the bucket name is ‘test-bucket’ and the key is exactly equal to ‘filename’.

    Now, to construct your signature you take the above JSON doc, UTF-8 encode it and then base64 that and then sign the whole thing using your secret access key (using hmac sha1) and finally base64 that whole thing

    policy_data = ... # stuff above
enc_policy = base64.b64_encode(policy_data.encode('utf8'))
signed = base64.b64_encode(hmac.new(AWS_SECRET, enc_policy, hashlib.sha1))

    Then finally, your form would look something like this:

     <form action="http://test-bucket.s3.amazonaws.com/" method="post" enctype="multipart/form-data">
    Key to upload: <input type="input" name="key" value="filename" /><br />
    <input type="hidden" name="acl" value="public-read" />
    <input type="hidden" name="success_action_redirect" value="http://test-bucket.s3.amazonaws.com/successful_upload.html" />
    Content-Type: <input type="input" name="Content-Type" value="image/jpeg" /><br />
    <input type="hidden" name="AWSAccessKeyId" value="YOUR_ACCESS_KEY_ID" />
    <input type="hidden" name="Policy" value="<enc_policy from above>" />
    <input type="hidden" name="Signature" value="<signed from above>" />
    File: <input type="file" name="file" /> <br />
    <!-- The elements after this will be ignored -->
    <input type="submit" name="submit" value="Upload to Amazon S3" />
  </form>
    • 0