s3.WithPresignExpires introduces additional http header

[qsun0621]

Acknowledgements

• I have searched (https://github.com/aws/aws-sdk/issues?q=is%3Aissue) for past instances of this issue
• I have verified all of my SDK modules are up-to-date (you can perform a bulk update with go get -u github.com/aws/aws-sdk-go-v2/...)

Describe the bug

When we call func "PresignGetObject" to generate a presigned URL, we need to provide the expiration time.
The presigned URL can be used directly when we specific the expiration time using

func(opts *s3.PresignOptions) {
		opts.Expires = time.Duration(lifetimeSecs * int64(time.Second))
	}

However when we use s3.WithPresignExpires() func, it introduced another header "Amz-Sdk-Request":["attempt=1; max=3"] in the presigned HTTP request, which makes the direct GET on the URL without header always returning a signature not match error.

Expected Behavior

s3.WithPresignExpires() does not add the additional retry header

Current Behavior

s3.WithPresignExpires() adds the additional retry header

Reproduction Steps

PresignGetObject(ctx, &s3.GetObjectInput{
Bucket: aws.String(bucket),
Key: aws.String(key),
}, s3.WithPresignExpires(expiresIn))

Possible Solution

No response

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

v1.30.3

Compiler and Version used

go1.22.5 darwin/arm64

Operating System and version

Sonoma 14.6.1

[RanVaknin]

Hi @qsun0621,

I'm not seeing the extra header being added:

	input := &s3.GetObjectInput{
		Bucket: aws.String("testbucket-REDACTED"),
		Key:    aws.String("foo.txt"),
	}

   signedRequest, err := presigner.PresignGetObject(context.TODO(), input, func(options *s3.PresignOptions) {
		options.Expires = 35 * time.Minute
   })

Results in:

https://testbucket-REDACTED.s3.us-east-1.amazonaws.com/foo.txt?
X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Credential=REDACTED/20240814/us-east-1/s3/aws4_request&
X-Amz-Date=20240814T194525Z&
X-Amz-Expires=2100&
X-Amz-SignedHeaders=host&
x-id=GetObject&
X-Amz-Signature=REDACTED

And with WithPresignExpires():

	input := &s3.GetObjectInput{
		Bucket: aws.String("testbucket-REDACTED"),
		Key:    aws.String("foo.txt"),
	}

    signedRequest, err := presigner.PresignGetObject(context.TODO(), input, s3.WithPresignExpires(35*time.Minute))

Results in:

https://testbucket-REDACTED.s3.us-east-1.amazonaws.com/foo.txt?
X-Amz-Expires=2100&
X-Amz-SignedHeaders=host&
x-id=GetObject&
X-Amz-Signature=REDACTED&
X-Amz-Algorithm=AWS4-HMAC-SHA256&
X-Amz-Credential=REDACTED/20240814/us-east-1/s3/aws4_request&
X-Amz-Date=20240814T194852Z

As you can see the presigned request is being generated with the exact same parameters.

"Amz-Sdk-Request":["attempt=1; max=3"] in the presigned HTTP request, which makes the direct GET on the URL without header always returning a signature not match error.

This would not be the case unless amz-sdk-request is included under the SignedHeaders request parameter in the URL which indicates the SDK explicitly signed the request using this value header.

Can you please include a complete code snippet of how you are generating and using the presigned URL?

Thanks,
Ran~

[lucix-aws]

Probably a duplicate of #2531

I have verified all of my SDK modules are up-to-date (you can perform a bulk update with go get -u github.com/aws/aws-sdk-go-v2/...)

[github-actions]

This issue is now closed. Comments on closed issues are hard for our team to see.
If you need more assistance, please open a new issue that references this one.