I am signing a private resource available on S3 to make it temporarily publicly available. This is what I get after signing the URL with the v3 version of the protocol:
http://s3.amazonaws.com/some.bucket.com/stuff/123/my.doc?AWSAccessKeyId=ABCDEFGHIJK1LMNOP1WE&Expires=1410526534&Signature=r6helf9WA0%2FOSvwbuwTqGJJ6u3c%3D
Suppose I want to replace s3.amazonaws.com with some other domain and for that purpose I enter a new CNAME entry in my DNS settings (I map my.stuff.net to be an alias of s3.amazonaws.com.). If I now try to query the following URL, I get an elaborate description from Amazon that signature verification failed.
http://my.stuff.net/some.bucket.com/stuff/123/my.doc?AWSAccessKeyId=ABCDEFGHIJK1LMNOP1WE&Expires=1410526534&Signature=r6helf9WA0%2FOSvwbuwTqGJJ6u3c%3D
v3 signing doesn't include the host name, so my guess is that the signature is actually correct, but Amazon verifies from which domain the request is coming and rejects everything not coming from s3.amazonaws.com.
Does anybody know if my guess is correct and if there's some workaround to that?
"The bucket name must be the same as the CNAME" (http://docs.aws.amazon.com/AmazonS3/latest/dev/VirtualHosting.html)
So the hostname you point to bucketname.s3.amazonaws.com via the CNAME has to be the same as the bucket name. If the bucket's name isn't a valid DNS name, it doesn't work.
If you go that route, then you also need to remove the bucket name from the beginning of the path (not from the string-to-sign, but from the URL), because S3 reacts to the Host: header sent by the browser, to determine whether the request URI path begins with a bucket name or not.
That's the only way to do it without using a proxy to rewrite the request on its way to S3, which is one alternative you might consider if the above doesn't apply.
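As an added illustration (not part of the question or the answer above), the following Python model shows why the query-string signature survives the move to virtual-hosted style but not a CNAME whose name differs from the bucket: S3 rebuilds the canonicalized resource from the Host header plus the path, and the signature is computed over that resource. The `resource_seen_by_s3` function is a simplified assumption derived from the virtual hosting rules linked above; the secret key is made up, and the access key, bucket, key and Expires value are taken from the question's URL.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values: access key, bucket, key and Expires come from the
# question's URL; the secret key is invented for this example.
ACCESS_KEY = "ABCDEFGHIJK1LMNOP1WE"
SECRET_KEY = "constructed-secret-not-a-real-key"
BUCKET = "some.bucket.com"
KEY = "stuff/123/my.doc"
EXPIRES = 1410526534
S3_SUFFIX = ".s3.amazonaws.com"


def resource_seen_by_s3(host, path):
    """Simplified model (an assumption of this example) of how S3 derives the
    canonicalized resource from the Host header and the request path."""
    if host == "s3.amazonaws.com":
        return path                                   # path-style: /bucket/key
    if host.endswith(S3_SUFFIX):
        return "/" + host[: -len(S3_SUFFIX)] + path   # bucket.s3.amazonaws.com/key
    return "/" + host + path                          # CNAME: the host name IS the bucket name


def string_to_sign(resource, expires, method="GET"):
    # Query-string auth layout: METHOD, Content-MD5, Content-Type, Expires, CanonicalizedResource
    return f"{method}\n\n\n{expires}\n{resource}"


def signature(secret, resource, expires):
    # Base64(HMAC-SHA1(secret, string-to-sign)), as in the question's Signature parameter
    digest = hmac.new(secret.encode(), string_to_sign(resource, expires).encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def presigned_url(host, path, access_key=ACCESS_KEY, secret=SECRET_KEY, expires=EXPIRES):
    """Sign over the resource S3 will reconstruct from this Host/path pair."""
    sig = quote(signature(secret, resource_seen_by_s3(host, path), expires), safe="")
    return f"http://{host}{path}?AWSAccessKeyId={access_key}&Expires={expires}&Signature={sig}"


def signature_param(url):
    """Extract the Signature query value so two URLs can be compared."""
    return url.rsplit("Signature=", 1)[1]


def question_case():
    """Resources S3 sees for: the original path-style URL, the same URL via the
    mismatched CNAME my.stuff.net, and a correctly set-up virtual-hosted URL."""
    signed_path = f"/{BUCKET}/{KEY}"
    return (resource_seen_by_s3("s3.amazonaws.com", signed_path),
            resource_seen_by_s3("my.stuff.net", signed_path),
            resource_seen_by_s3(BUCKET, "/" + KEY))
```

Only the first and third resources match, which is why the original signature is accepted on a CNAME named after the bucket (with the bucket prefix dropped from the path) but rejected on my.stuff.net.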