S
Supabase2w ago
scornflake

SignatureDoesNotMatch trying to access SB S3, using authenticated users session token

I'm trying to access SB S3 via an authenticaed users session token, using the approach outlined here: https://supabase.com/docs/guides/storage/s3/authentication#session-token I've verified that I can upload to a specific bucket using a normal accesskey/secret - but I'd prefer to use the users own credentials (JWT) instead of embedding secrets into the browser side. However; I am seeing a SignatureDoesNotMatch being thrown. In the logs: 
...
        "stack": "Error: The request signature we calculated does not match the signature you provided, Check your credentials. The session token should be a valid JWT token\n    at Object.SignatureDoesNotMatch (/app/dist/internal/errors/codes.js:171:39)\n    at Object.<anonymous> (/app/dist/http/plugins/signature-v4.js:82:36)"
      }
...
        "stack": "Error: The request signature we calculated does not match the signature you provided, Check your credentials. The session token should be a valid JWT token\n    at Object.SignatureDoesNotMatch (/app/dist/internal/errors/codes.js:171:39)\n    at Object.<anonymous> (/app/dist/http/plugins/signature-v4.js:82:36)"
      }
So I believe I'm calling it OK. My S3 config setup is: 
let credentials: {
            accessKeyId: string;
            secretAccessKey: string;
            sessionToken?: string;
        } = {
            accessKeyId: config.accessKeyId,
            secretAccessKey: config.secretAccessKey
        }
        if (config.accessKeyId === "vkfwaufurgmyfqrpmnoo") {
            credentials = {
                accessKeyId: "vkfwaufurgmyfqrpmnoo",
                secretAccessKey: 'anonKey',
                sessionToken: config.secretAccessKey
            }
            // console.log("Using secret access key: " + config.secretAccessKey);
        }
        this.s3Client = new S3Client({
            forcePathStyle: true,
            region: config.region,
            endpoint: config.endpoint,
            requestChecksumCalculation: "WHEN_REQUIRED", // to work around the S3 client trying to use the 'File' as a node based ReadableStream
            credentials: credentials,
        });
let credentials: {
            accessKeyId: string;
            secretAccessKey: string;
            sessionToken?: string;
        } = {
            accessKeyId: config.accessKeyId,
            secretAccessKey: config.secretAccessKey
        }
        if (config.accessKeyId === "vkfwaufurgmyfqrpmnoo") {
            credentials = {
                accessKeyId: "vkfwaufurgmyfqrpmnoo",
                secretAccessKey: 'anonKey',
                sessionToken: config.secretAccessKey
            }
            // console.log("Using secret access key: " + config.secretAccessKey);
        }
        this.s3Client = new S3Client({
            forcePathStyle: true,
            region: config.region,
            endpoint: config.endpoint,
            requestChecksumCalculation: "WHEN_REQUIRED", // to work around the S3 client trying to use the 'File' as a node based ReadableStream
            credentials: credentials,
        });
I am using the latest S3 library, in a vite/react project. Is there something I'm missing?
2 Replies
silentworks
silentworks2w ago
The error is saying the session token you are providing is not a valid JWT, so you need to make sure you are passing a valid JWT.
scornflake
scornflakeOP2w ago
It is valid. Turns out tho that I needed to pass the 'anonymous' (anon) key from my project. (Project Settings | API Keys | Legacy API Keys). That wasn't entirely clear to me, as I've only been using sb about 2wks tops.

Did you find this page helpful?