Step Functions generate_presigned_url Fails Request Signature Validation


Using a Step Functions (SFN) client, I’m attempting to generate a pre-signed URL for describe_execution.

After trying different variations of request methods, headers, request bodies, etc., any request I send to the presigned URL will always fail. Canonical Request Hex in the String-to-Sign never matches.

boto3: 1.4.7 botocore: 1.7.44

Code

Note that I’ve replaced the values in the URLs for executionArn, X-Amz-Credential.

import boto3
import requests

sfn = boto3.client("stepfunctions")

presigned_url = sfn.generate_presigned_url(
  "describe_execution", 
  Params={
    "executionArn": "arn:aws:states:us-west-2:123:execution:abc:def-ghi-jkl-mno"
  }
)

response = requests.post(presigned_url, data={})
print(response.text)

Logs

DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.session:Loading variable config_file from defaults.
DEBUG:botocore.session:Loading variable credentials_file from defaults.
DEBUG:botocore.session:Loading variable data_path from defaults.
DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.session:Loading variable ca_bundle from defaults.
DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.session:Loading variable api_versions from defaults.
DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.session:Loading variable credentials_file from defaults.
DEBUG:botocore.session:Loading variable config_file from defaults.
DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.session:Loading variable metadata_service_timeout from defaults.
DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.session:Loading variable metadata_service_num_attempts from defaults.
DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.credentials:Looking for credentials via: env
DEBUG:botocore.credentials:Looking for credentials via: assume-role
DEBUG:botocore.credentials:Looking for credentials via: shared-credentials-file
INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
DEBUG:botocore.loaders:Loading JSON file: /Users/maxwellgbrown/.virtualenvs/boto3/lib/python3.5/site-packages/botocore/data/endpoints.json
DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.loaders:Loading JSON file: /Users/maxwellgbrown/.virtualenvs/boto3/lib/python3.5/site-packages/botocore/data/stepfunctions/2016-11-23/service-2.json
DEBUG:botocore.hooks:Event creating-client-class.stepfunctions: calling handler <function add_generate_presigned_url at 0x10f863c80>
DEBUG:botocore.args:The s3 config key is not a dictionary type, ignoring its value of: None
DEBUG:botocore.endpoint:Setting states timeout as (60, 60)
DEBUG:botocore.loaders:Loading JSON file: /Users/maxwellgbrown/.virtualenvs/boto3/lib/python3.5/site-packages/botocore/data/_retry.json
DEBUG:botocore.client:Registering retry handlers for service: stepfunctions
DEBUG:botocore.hooks:Event choose-signer.states.DescribeExecution: calling handler <function set_operation_specific_signer at 0x10f8dd2f0>
DEBUG:botocore.auth:Calculating signature using v4 auth.
DEBUG:botocore.auth:CanonicalRequest:
POST
/
X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ZZZ%2F20171115%2Fus-west-2%2Fstates%2Faws4_request&X-Amz-Date=20171115T191510Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-target&executionArn=arn%3Aaws%3Astates%3Aus-west-2%3123%3Aexecution%3Aabc%def-ghi-jkl-mno
content-type:application/x-amz-json-1.0
host:states.us-west-2.amazonaws.com
x-amz-target:AWSStepFunctions.DescribeExecution

content-type;host;x-amz-target
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
DEBUG:botocore.auth:StringToSign:
AWS4-HMAC-SHA256
20171115T191510Z
20171115/us-west-2/states/aws4_request
3afe55bcd073fc24a7dce06bacc3661c000230fd2df13e40fbc4d2d6eb30849b
DEBUG:botocore.auth:Signature:
4bcb1c51cfcbf4274a17af7aa3202f23f6d7ceb314c2e1e1dd9faac1eb110e91
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): states.us-west-2.amazonaws.com
DEBUG:urllib3.connectionpool:https://states.us-west-2.amazonaws.com:443 "POST /?executionArn=arn%3Aaws%3Astates%3Aus-west-2%123%3Aexecution%3Aabc%def-ghi-jkl-mno&X-Amz-Expires=3600&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-target&X-Amz-Credential=ZZZ%2Fus-west-2%2Fstates%2Faws4_request&X-Amz-Date=20171115T191510Z&X-Amz-Signature=4bcb1c51cfcbf4274a17af7aa3202f23f6d7ceb314c2e1e1dd9faac1eb110e91 HTTP/1.1" 403 1030

print(response)

<InvalidSignatureException>
  <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/
X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=ZZZ%2Fus-west-2%2Fstates%2Faws4_request&amp;X-Amz-Date=20171115T191510Z&amp;X-Amz-Expires=3600&amp;X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-target&amp;executionArn=arn%3Aaws%3Astates%3Aus-west-2%3123%3Aexecution%3Aabc%3efg-hij-klm-nmo
content-type:
host:states.us-west-2.amazonaws.com
x-amz-target:

content-type;host;x-amz-target
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20171115T191510Z
20171115/us-west-2/states/aws4_request
1f390ad977de8b8bd1dd0226424bb1389ba62b6bb185784bf499a45b80c7d476'
</Message>
</InvalidSignatureException>

I’ve had no issues generating presigned URLs for retrieving S3 objects doing this:

import boto3

s3 = boto3.client('s3')
s3.generate_presigned_url('get_object', Params={'Bucket': 'my-bucket', 'Key': 'my/file.txt'})

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:10 (3 by maintainers)
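
An added example (not part of the original issue and not botocore code): a helper that diffs the canonical request logged by the signer against the one the service echoes back in InvalidSignatureException. For the two requests shown in the issue, the lines that differ are the signed content-type and x-amz-target headers, which are empty in the service's version. The sample strings are constructed from the logged values with a placeholder credential, and all function names are hypothetical.

```python
import hashlib

# Constructed samples modelled on the two canonical requests in the logs above
# (placeholder credential, executionArn omitted; not the poster's real data).
QUERY = ("X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=EXAMPLE"
         "&X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-target")
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of an empty body
CLIENT_CR = "\n".join([
    "POST", "/", QUERY,
    "content-type:application/x-amz-json-1.0",
    "host:states.us-west-2.amazonaws.com",
    "x-amz-target:AWSStepFunctions.DescribeExecution",
    "", "content-type;host;x-amz-target", EMPTY_SHA256])
SERVER_CR = "\n".join([
    "POST", "/", QUERY,
    "content-type:", "host:states.us-west-2.amazonaws.com", "x-amz-target:",
    "", "content-type;host;x-amz-target", EMPTY_SHA256])


def parse_canonical_request(text):
    """Split a SigV4 canonical request into its six components."""
    lines = text.split("\n")
    method, uri, query = lines[0], lines[1], lines[2]
    blank = lines.index("", 3)  # the blank line ends the canonical header block
    headers = {}
    for line in lines[3:blank]:
        name, _, value = line.partition(":")
        headers[name] = value
    return {"method": method, "uri": uri, "query": query, "headers": headers,
            "signed_headers": lines[blank + 1], "payload_hash": lines[blank + 2]}


def diff_canonical_requests(signer, verifier):
    """Return {field: (signer_value, verifier_value)} for each mismatch."""
    a, b = parse_canonical_request(signer), parse_canonical_request(verifier)
    out = {}
    for field in ("method", "uri", "query", "signed_headers", "payload_hash"):
        if a[field] != b[field]:
            out[field] = (a[field], b[field])
    for name in sorted(set(a["headers"]) | set(b["headers"])):
        if a["headers"].get(name) != b["headers"].get(name):
            out["header:" + name] = (a["headers"].get(name), b["headers"].get(name))
    return out


def canonical_hash(text):
    """Hex SHA-256 of the canonical request: the last line of the StringToSign."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()
```
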

Top GitHub Comments

1 reaction
kdaily commented, Nov 20, 2021

Hi all, we have removed the generate_presigned_url method from all clients besides S3, as there are no guarantees that the presigning will work correctly or the same as AWS S3. Closing this out!
