getSignedUrl with SSE-C key always return url with SignatureDoesNotMatch response

[apaajabolehd]

Confirm by changing [ ] to [x] below:

• [x ] I've gone through Developer Guide and API reference
• [x ] I've checked AWS Forums and StackOverflow for answers
• This is an issue with version 2.x of the SDK

I have a running application using these codes

AWS.config.update({region: 'ap-southeast-1', signatureVersion: 'v4'});
var s3Param = {
	params: {
		Bucket: config.s3bucketName,
		ACL: 'public-read'
	}
}
		
var s3 = new AWS.S3(s3Param);

s3.putObject({
  Body: 'Hello S3',
  Key: 'test.txt'
}, (err) => {
  s3.getSignedUrl('getObject', {
    Key: 'test.txt',
  }, (err, data) => {
    console.log(data)
  })
})

there are no problem and I able to see the file.

But I want to encrypt the data with SSE-C, so I tried to add some params on upload and get process.
So I came up with these codes

const ssecKey = Buffer.alloc(32, 'my key')

s3.putObject({
  Body: 'Hello S3',
  Key: 'test.txt',
  SSECustomerAlgorithm: 'AES256',
  SSECustomerKey: ssecKey,
  SSECustomerKeyMD5: md5(ssecKey)
}, (err) => {
  s3.getSignedUrl('getObject', {
    Key: 'test.txt',
    Expires: 18000,
    SSECustomerAlgorithm: 'AES256',
    SSECustomerKey: ssecKey,
    SSECustomerKeyMD5: md5(ssecKey)
  }, (err, data) => {
    console.log(data)
  })
})

But unfortunately, I always got the same result.

SignatureDoesNotMatch
The request signature we calculated does not match the signature you provided. Check your key and signing method.
AKIAV3HKEMHQANF3QGJP
AWS4-HMAC-SHA256 20211118T052000Z 20211118/ap-southeast-1/s3/aws4_request 4b7f335c098ef6bd55e7c1c91ccdcf6aa7c2c55dd620dd932be92f1cb5011f63
dbf48d5495b4aa8a7fcda399dd0f8fe3d3914655118c56679c97da317402c74e
41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 31 31 31 31 38 54 30 35 32 30 30 30 5a 0a 32 30 32 31 31 31 31 38 2f 61 70 2d 73 6f 75 74 68 65 61 73 74 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 34 62 37 66 33 33 35 63 30 39 38 65 66 36 62 64 35 35 65 37 63 31 63 39 31 63 63 64 63 66 36 61 61 37 63 32 63 35 35 64 64 36 32 30 64 64 39 33 32 62 65 39 32 66 31 63 62 35 30 31 31 66 36 33

Is there anything I did wrong? thank you in advance.

[ajredniwja]

Can you please refer to #2117

You can find a complete example on how you can use SSE-C for getSignedUrl.

[apaajabolehd]

Can you please refer to #2117

You can find a complete example on how you can use SSE-C for getSignedUrl.

I see, so I have to do a http request with header to get the data. So, that means I can't get the final URL for the decrypted one, right? Is there any way I can get the final URL for the decrypted one? maybe using another SSE type?