Problem
The auth module only supports header-based SigV4 authentication (the `Authorization` header). When no `Authorization` header is present, the request is treated as anonymous.

AWS S3 presigned URLs encode the signature in query parameters instead:

- `X-Amz-Algorithm`
- `X-Amz-Credential`
- `X-Amz-Date`
- `X-Amz-Expires`
- `X-Amz-SignedHeaders`
- `X-Amz-Signature`
- `X-Amz-Security-Token` (for temporary credentials)

Currently these are ignored, so presigned URLs generated with STS credentials are treated as anonymous requests.
Why it matters
Presigned URLs are commonly used for:

- Direct `<img>`/`<a>` tags in browsers (can't set an `Authorization` header)
- Sharing time-limited download links for restricted data
- Any context where the HTTP client can't set custom headers

Without this, the STS credential flow only works for SDK-based requests that set the `Authorization` header.
What needs to change
- `resolve_identity()` in `auth/identity.rs` — when the `Authorization` header is absent, check query parameters for `X-Amz-Algorithm=AWS4-HMAC-SHA256` before falling back to anonymous.
- `parse_sigv4_auth()` in `auth/sigv4.rs` — add a parallel code path (or new function) to extract credential, signed headers, and signature from query parameters instead of the header.
- Signature verification — presigned URL canonical requests differ from header-based ones:
  - The `X-Amz-Signature` parameter is excluded from the canonical query string
  - The payload hash is always `UNSIGNED-PAYLOAD`
  - Expiration (`X-Amz-Expires`) must be validated
- Credential resolution — the existing `CredentialRegistry` + `TokenKey` resolver should work as-is once the access key is extracted from the query string.
References