Docs: S3 Compatability: Get Presigned URL isn't authorized from client

[Vandivier]

EDIT: THE BELOW BUG REPORT IS SOLVED AND NOW IT IS A DOCS ENHANCEMENT ISSUE. SEE FINAL COMMENT FOR INFO

Description

Supabase Storage currently uses a JWT-based token system for presigned URLs, which differs from the AWS S3 standard that uses AWSAccessKeyId, Signature, and Expires query parameters. This makes it difficult to integrate applications that expect AWS-style presigned URLs.

Steps to Reproduce

Generate a presigned URL for a Supabase storage object.
Compare it with an AWS S3-style presigned URL, which includes AWSAccessKeyId, Signature, and Expires.
Attempt to use an AWS-compatible library to fetch the object using the Supabase URL (it fails).

Expected Behavior

Supabase should provide an AWS S3-style presigned URL that can be loaded into a video element on the web client.

Actual Behavior

After communicating with Supabase, boto3 produces an AWS S3-style presigned URL but it cannot be loaded into the video element. A JWT-based presigned URL does work.

Workarounds & Challenges

Use the Supabase-specific storage/v1/object/sign API, but this requires implementing custom logic for handling tokens instead of using AWS SDKs directly.

Environment

Python 3.9.19
boto3 1.7.84
Developing on git bash, I don't think that matters though

Additional Context

see def get_videos() in
stephengpope/no-code-architects-toolkit@9723bfe

This feature would help users migrate from AWS S3 to Supabase Storage without breaking existing integrations.

Kinda related issues?
#544
#465

[Vandivier]

Also worth noting: I have Enable connection via S3 protocol enabled on this bucket
When I use the related endpoint, it tells me AccessDenied, Missing signature even though I'm including the signature following AWS query parameter convention (afaik?)

[Vandivier]

update + also related: #150

I am expecting AWS Signature Version 4, maybe that's my issue...not sure if Supabase support is aligned to that.

Edit: I don't see signature version in https://supabase.com/docs/guides/storage/s3/compatibility

also, the supabase AI didn't know "does supabase support AWS Signature Version 4?"

ChatGPT warns me "By default, boto3 may use Signature Version 2 (s3)..."

[Vandivier]

aaaaaaand that solved it! 🎉

explicitly setting signature version generates a supabase-respected s3 GET URL:

    return boto3.client(
        's3',
        endpoint_url=env_vars['S3_ENDPOINT_URL'],
        aws_access_key_id=env_vars['S3_ACCESS_KEY'],
        aws_secret_access_key=env_vars['S3_SECRET_KEY'],
        region_name=env_vars['S3_REGION'],
        config=Config(signature_version='s3v4')  # pretty important tbh
    )

I see that I can "Update this page on GitHub" so I will make a docs PR regarding:
https://supabase.com/docs/guides/storage/s3/compatibility

[fenos]

Yes, @Vandivier currently we only support the signature v4.
Strangely the Python S3 client still uses the old v3

I'm going to close this issue since it is working as expected with SignV4 👍

[Vandivier]

thanks @fenos - docs update ready for review:
supabase/supabase#33755

[riderx]

Do this work in local docker?
I try to create presign with AWS/s3 sdk and always get:
The request signature we calculated does not match the signature you provided. Check your key and signing method.