Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

AWS Authentication fails with InvalidSignatureException

See original GitHub issue

I’m having trouble getting the AWS sigv4 authentication working as described in https://httpyac.github.io/guide/variables.html#aws-signature-v4. I keep getting a response like

The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been …

Repro

I have two files, local.env and test.http

local.env

accessKeyId=MY_KEY_HERE
secretAccessKey=MY_SECRET_HERE
sessionToken=MY_SESSION_TOKEN_HERE

test.http

@awsUrl = https://MY_APP_ID.execute-api.us-west-2.amazonaws.com/prod

PUT {{awsUrl}}/echo
Authorization: AWS {{accessKeyId}} {{secretAccessKey}} token:{{sessionToken}}
content-type: application/json
{"message": "hello"}

What i’ve tried

I get the same issue if I substitute the variables from my environment into the test.http file
Verified the credentials work when I use awscurl (https://github.com/okigan/awscurl)
tried adding region:us-west-2 and service:execute-api to the authorization line (didn’t change the outcome)

More detail

VS Code: 1.68.1 httpYac - Rest Client extension: v5.5.1

From the “httpyac - request” window, the outgoing request looks like this:

PUT https://MY_APP_ID.execute-api.us-west-2.amazonaws.com/prod/echo
accept-encoding: gzip, deflate, br
accept: */*
authorization: AWS4-HMAC-SHA256 Credential=MY_KEY_HERE/20220623/us-west-2/execute-api/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token, Signature=91cfc7b46d1466308423c2d2dfc62e5a48cd4d70db8faed7ab696167862f62dc
content-length: 20
content-type: application/json
host: MY_APP_ID.execute-api.us-west-2.amazonaws.com
user-agent: httpyac
x-amz-date: 20220623T075652Z
x-amz-security-token: MY_SESSION_TOKEN_HERE

{"message": "hello"}

response

HTTP/1.1 403  - Forbidden
connection: close
content-length: 1452
content-type: application/json
date: Thu, 23 Jun 2022 07:56:52 GMT
x-amzn-errortype: InvalidSignatureException
x-amzn-requestid: 77907a1c-6800-42dc-8887-6026a0d2e0da
x-amzn-trace-id: Root=1-62b41cc4-456a542c0def21f6652269f1

{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'PUT\n/prod/echo\n\ncontent-type:application/json\nhost:MY_APP_ID.execute-api.us-west-2.amazonaws.com\nx-amz-date:20220623T075652Z\nx-amz-security-token:MY_SESSION_TOKEN_HERE\n\ncontent-type;host;x-amz-date;x-amz-security-token\ncf8f644b80ee8100db6f910fa33514be8e0ac3d3f54546de914b34c2206ad6a9'\n\nThe String-to-Sign should have been\n'AWS4-HMAC-SHA256\n20220623T075652Z\n20220623/us-west-2/execute-api/aws4_request\n670c4c7ba89357df2e024e3b5e0b2d917b3c111ded27e856d42638cecbf8da09'\n"}