Access Denied - Streaming a video via signed URL on Amazon S3
I'm using the S3 service as a video provider for my software (C#) that runs locally.
For security reasons I generate a Signed URL (temporary URL) for the file and then pass it to the video player, but the player can only read the link if I swap the "=" (equal) characters for "_" (underscore), as written in this thread: https://forums.aws.amazon.com/thread.jspa?messageID=245291 in a post from an Amazon employee. And here my problem starts: when I send the video URL without changing these characters it doesn't work. If I don't change the characters but the file permissions are "Authenticated users Only", I can reach the file but the video player can't, because of the characters issue.
If I change the characters and send the URL to the player, it works only if the file access permissions are "Everyone can read/change", and that makes my "security solution" an insecure choice, because if someone gets the URL he will have access to the file.
Is that a bug from Amazon? Does someone have a solution for this?
Here goes a Signed URL example:
http://bucket-name.s3.amazonaws.com/video.flv?AWSAccessKeyId=AKIAILVSCA2AWHA7KM6Q&Expires=1307378448&Signature=FzWAI4dd8BfnzfCtbtAumQyiNvk%3D
Here goes a Changed Characters Signed URL example:
http://bucket-name.s3.amazonaws.com/video.flv?AWSAccessKeyId_AKIAILVSCA2AWHA7KM6Q&Expires_1307378448&Signature=FzWAI4dd8BfnzfCtbtAumQyiNvk%3D
There are a number of things going on here.
Firstly, the link you provide is talking about CloudFront URLs. I don't think it's possible to replace characters in S3 URLs as discussed.
Secondly, you shouldn't be changing the = signs directly after AWSAccessKeyId, Expires and Signature. The problem characters are only those that appear in the signature string. In your example the %3D at the end is = in URL-encoded form, and that's what you need to change.
The problem, though, is that if you change that character, the signature is no longer valid and that's why private content is no longer accessible. Public content would be accessible as the authentication part of the URL is just ignored by Amazon.
I ran into a similar problem with a Silverlight based video player that failed if there were + (%2b) characters in the URL. I solved this by just generating a new URL in a loop until I had one that didn't have invalid characters. The key is to change the expiry time slightly in order to change the generated signature.
Here's an example using the AWS SDK (converted from VB.NET, so I hope the syntax is correct):
    using System;
    using Amazon;
    using Amazon.S3;
    using Amazon.S3.Model;

    // Regenerates the pre-signed URL until it contains no "%2b" (URL-encoded '+'),
    // nudging the expiry by one second each time so the signature changes (AWS SDK for .NET v1 API).
    static string GetCleanPreSignedUrl(string AWSKey, string AWSSecretKey, string bucket, string key, int ExpiryInDays)
    {
        using (AmazonS3 client = AWSClientFactory.CreateAmazonS3Client(AWSKey, AWSSecretKey))
        {
            string url = null;
            int secs = 0;
            do
            {
                var req = new GetPreSignedUrlRequest
                {
                    BucketName = bucket,
                    Key = key,
                    Protocol = Protocol.HTTP,
                    Verb = HttpVerb.GET,
                    // each extra second yields a different StringToSign, hence a different signature
                    Expires = DateTime.Now.AddDays(ExpiryInDays).AddSeconds(secs)
                };
                url = client.GetPreSignedURL(req);
                secs += 1;
            } while (url.ToLower().Contains("%2b"));
            return url;
        }
    }
In my experience, the performance hit is negligible as generally only a couple of iterations are ever necessary to ensure a 'clean' url.
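The signing, regenerate-until-clean loop and server-side check that the answer describes, as an added Python example that is not part of the original answer or the AWS SDK: it computes the legacy S3 query-string signature the question's URL uses (AWSAccessKeyId/Expires/Signature), applies the answer's expiry-nudging loop, and mimics S3's verification to show why an edited '=' no longer validates. The credentials and bucket/key are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed placeholder credentials for illustration only; not real AWS keys.
ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "constructed-secret-key-for-illustration-only"


def sigv2_signature(secret_key, bucket, key, expires):
    """Legacy S3 query-string signature. For a plain GET the StringToSign is
    GET, three newlines, Expires, newline, /bucket/key; the signature is
    base64(HMAC-SHA1). A 20-byte digest always encodes to 27 base64 characters
    plus one '=' pad, so the trailing '=' can never be looped away."""
    string_to_sign = f"GET\n\n\n{expires}\n/{bucket}/{key}"
    digest = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def presigned_url(bucket, key, expires):
    sig = quote(sigv2_signature(SECRET_KEY, bucket, key, expires), safe="")
    return (f"http://{bucket}.s3.amazonaws.com/{key}"
            f"?AWSAccessKeyId={ACCESS_KEY_ID}&Expires={expires}&Signature={sig}")


def clean_presigned_url(bucket, key, base_expires, bad_chars="+/", max_tries=500):
    """The answer's loop: nudge Expires one second at a time until the raw base64
    signature contains none of bad_chars, so the URL needs no rewriting at all."""
    for secs in range(max_tries):
        expires = base_expires + secs
        if not any(c in sigv2_signature(SECRET_KEY, bucket, key, expires) for c in bad_chars):
            return presigned_url(bucket, key, expires), secs
    raise RuntimeError("no signature without %r found" % bad_chars)


def server_accepts(url):
    """What S3 does on receipt: rebuild StringToSign from the request and compare.
    Any edit to the query string ('=' -> '_', '%3D' -> '_') breaks the match; only
    public objects, where the check is skipped, still load. (Real S3 also rejects
    once Expires has passed; omitted so the question's 2011 timestamp checks offline.)"""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))  # pairs with no '=' are dropped here
    try:
        expires = int(params["Expires"])
    except (KeyError, ValueError):
        return False
    bucket = parts.hostname.split(".")[0]
    expected = sigv2_signature(SECRET_KEY, bucket, parts.path.lstrip("/"), expires)
    return hmac.compare_digest(params.get("Signature", ""), expected)
```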