question-mark

Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

AWS Authentication fails with InvalidSignatureException

See original GitHub issue

Issue Description

I’m having trouble getting the AWS sigv4 authentication working as described in https://httpyac.github.io/guide/variables.html#aws-signature-v4. I keep getting a response like

The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been …

Repro

I have two files, local.env and test.http

local.env

accessKeyId=MY_KEY_HERE
secretAccessKey=MY_SECRET_HERE
sessionToken=MY_SESSION_TOKEN_HERE

test.http

@awsUrl = https://MY_APP_ID.execute-api.us-west-2.amazonaws.com/prod

PUT {{awsUrl}}/echo
Authorization: AWS {{accessKeyId}} {{secretAccessKey}} token:{{sessionToken}}
content-type: application/json
{"message": "hello"}

What i’ve tried

  • I get the same issue if I substitute the variables from my environment into the test.http file
  • Verified the credentials work when I use awscurl (https://github.com/okigan/awscurl)
  • tried adding region:us-west-2 and service:execute-api to the authorization line (didn’t change the outcome)

More detail

VS Code: 1.68.1 httpYac - Rest Client extension: v5.5.1

From the “httpyac - request” window, the outgoing request looks like this:

PUT https://MY_APP_ID.execute-api.us-west-2.amazonaws.com/prod/echo
accept-encoding: gzip, deflate, br
accept: */*
authorization: AWS4-HMAC-SHA256 Credential=MY_KEY_HERE/20220623/us-west-2/execute-api/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-amz-security-token, Signature=91cfc7b46d1466308423c2d2dfc62e5a48cd4d70db8faed7ab696167862f62dc
content-length: 20
content-type: application/json
host: MY_APP_ID.execute-api.us-west-2.amazonaws.com
user-agent: httpyac
x-amz-date: 20220623T075652Z
x-amz-security-token: MY_SESSION_TOKEN_HERE

{"message": "hello"}

response

HTTP/1.1 403  - Forbidden
connection: close
content-length: 1452
content-type: application/json
date: Thu, 23 Jun 2022 07:56:52 GMT
x-amzn-errortype: InvalidSignatureException
x-amzn-requestid: 77907a1c-6800-42dc-8887-6026a0d2e0da
x-amzn-trace-id: Root=1-62b41cc4-456a542c0def21f6652269f1

{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'PUT\n/prod/echo\n\ncontent-type:application/json\nhost:MY_APP_ID.execute-api.us-west-2.amazonaws.com\nx-amz-date:20220623T075652Z\nx-amz-security-token:MY_SESSION_TOKEN_HERE\n\ncontent-type;host;x-amz-date;x-amz-security-token\ncf8f644b80ee8100db6f910fa33514be8e0ac3d3f54546de914b34c2206ad6a9'\n\nThe String-to-Sign should have been\n'AWS4-HMAC-SHA256\n20220623T075652Z\n20220623/us-west-2/execute-api/aws4_request\n670c4c7ba89357df2e024e3b5e0b2d917b3c111ded27e856d42638cecbf8da09'\n"}

Issue Analytics

  • State:closed
  • Created 7 months ago
  • Comments:7 (3 by maintainers)

github_iconTop GitHub Comments

1reaction
natemcmastercommented, Jun 26, 2022

Just tested and it’s working now. Thank you!

1reaction
natemcmastercommented, Jun 23, 2022

Wow thanks for such a quick turn around. I am traveling without a laptop for a few days, but I will test it soon and let you know how it goes.

Read more comments on GitHub >

github_iconTop Results From Across the Web

InvalidSignatureException using CognitoSync service #2706
User is successfully authenticated via Cognito Identity and is given a valid session. My issue is that all CognitoSync calls fail with the...
Read more >
Getting "InvalidSignatureException" when ... - Stack Overflow
I have manually checked the and ran the "aws ecr-get-login-password" command locally using the same AWS access key and secret and it does...
Read more >
Signing AWS API requests - AWS General Reference
When an AWS service receives an authenticated request, it recreates the signature using the authentication information contained in the request.
Read more >
Getting "InvalidSignatureException" when trying to ... - Reddit
An error occurred (InvalidSignatureException) when calling the GetAuthorizationToken operation: The request signature we calculated does not ...
Read more >
Caught In The AWS Tarpit - UpGuard
... of unit tests that make API calls to Amazon Web Services (AWS), tests were failing unpredictably. All driven by AWS authentication.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found