After gathering the individual pieces of this puzzle, I was able to create this Ruby method that properly signs a query string url using the aws secret key.

My resources for this:

• RESTObjectGET documentation
• Signing and Authenticating REST Requests

Also, the response back from S3 was helpful, because when I created a url with a bad signature, the response showed the string_to_sign that AWS S3 generated from deciphering the URL I generated. After a few iterations I was able to converge on the correct formatting of the string_to_sign and after that it was pretty standard stuff.

Here is the Ruby method:

##############################################################################
# Create a signed query-string URL that supports setting response headers
##############################################################################
def s3_signed_url(bucket, pathname, verb, content_md5=nil, content_type=nil, response_headers = {})
  expires = Time.now + 5.minutes
  response_headers_canonicalized = response_headers.sort_by{|key, value| key.downcase}.collect{|key, value| "#{key}=#{value}"}.join("&").to_s
  string_to_sign = "#{verb.upcase}\n#{content_md5}\n#{content_type}\n#{expires.to_i}\n/#{bucket}/#{pathname}?#{response_headers_canonicalized}"

    digest = OpenSSL::Digest::Digest.new('sha1')
  hmac = OpenSSL::HMAC.digest(digest, aws_secret_key, string_to_sign)
  signature = Base64.encode64(hmac).chomp
  url = "http://s3.amazonaws.com/#{bucket}/#{pathname}?"
  if response_headers.count > 0
    response_headers.each do |key, value|
      url += "#{key}=#{value}&"
    end
  end
  url += "AWSAccessKeyId=#{aws_access_key}&Expires=#{expires.to_i}&Signature=#{CGI.escape(signature)}";
  return url
end

And you call the method like this:

file_url_s3 = s3_signed_url(file_bucket, file_path, 'GET', nil, nil, {'response-content-disposition' => 'attachment'})