amazonka
Invalid signature on SimpleDb calls
While trying to create a new sdb domain, I'm receiving an error message from AWS about an invalid signature. I'm sure my access key is correct, because this is the last operation in the sequence of several others, which complete just fine. I'm also able to repro it in ghci.
Here is the ghci session log:
...> runResourceT $ runAWS env $ send listBuckets
ListBucketsResponse' {_lbrsBuckets = Just [Bucket' {_bCreationDate = Time 2017-02-16 02:16:50 UTC, _bName = BucketName "privatecloud-2246554760"},Bucket' {_bCreationDate = Time 2017-02-16 02:16:12 UTC, _bName = BucketName "privatecloud-3408907772"},Bucket' {_bCreationDate = Time 2017-02-15 07:14:45 UTC, _bName = BucketName "privatecloud-devtest"}], _lbrsOwner = Just (Owner' {_oDisplayName = Just "blaze", _oId = Just "20af3f0492ac6a30b9299fce441f49f96e90d57169ad62524b24d5729e256180"}), _lbrsResponseStatus = 200}
...> runResourceT $ runAWS env $ send $ createDomain "foobar"
*** Exception: ServiceError (ServiceError' {_serviceAbbrev = Abbrev "SDB", _serviceStatus = Status {statusCode = 403, statusMessage = "Forbidden"}, _serviceHeaders = [("Date","Thu, 16 Feb 2017 02:24:09 GMT"),("Transfer-Encoding","chunked"),("Connection","keep-alive"),("Server","Amazon SimpleDB")], _serviceCode = ErrorCode "SignatureDoesNotMatch", _serviceMessage = Just (ErrorMessage "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."), _serviceRequestId = Just (RequestId "7b1dd6f2-7d8e-eea2-c72d-17f20163f5c8")})
Same error for listDomains and deleteDomain. Guess this is a common problem for all sdb calls.
Bump: this still happens in 1.5.0
Same on 1.6.0:
[Client Request] {
host = sdb.us-west-2.amazonaws.com:443
secure = True
method = POST
target = Nothing
timeout = ResponseTimeoutMicro 70000000
redirects = 0
path = /
query = AWSAccessKeyId=redacted...
headers = date: 2018-06-26T07:30:29.288364251Z; content-type: application/x-www-form-urlencoded; charset=utf-8
body = Action=CreateDomain&DomainName=foo&Version=2009-04-15
}
[Client Response] {
status = 403 Forbidden
headers = date: Tue, 26 Jun 2018 07:30:29 GMT; transfer-encoding: chunked; connection: keep-alive; server: Amazon SimpleDB
}
[ServiceError] {
service = SDB
status = 403 Forbidden
code = SignatureDoesNotMatch
message = Just The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
request-id = Just 2caed883-6cda-bc16-0672-a74a4e3c13a9
}
One difference I noticed in my request from the docs: In my request, Action and DomainName are in the request body, while in the docs, there is apparently no body; Action and DomainName are additional parameters in the query part of the URL: https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_CreateDomain.html Version is in both the query string and body of my request.
The "aws" package has an SDB client that works: http://hackage.haskell.org/package/aws-0.20/docs/Aws-SimpleDb.html In a request on there I just sent, it's using POST, the query string is empty, the only headers are Date and Content-Type application/x-www-form-urlencoded; charset=utf-8, and the body consists of Signature, AWSAccessKeyId, SignatureMethod=HmacSHA256, SignatureVersion=2, Timestamp=2018-07-01T07%3A36%3A09, Version=2009-04-15, and Action=ListDomains.
It looks like the postQuery used by sdb is correctly creating a POST request with the parameters as form parameters in the body, but the V2 signing method just puts the signature stuff as query params. Query params are unusual for a POST, especially a form post.
Could this either be fixed, or perhaps have the package marked as deprecated on Hackage? There's already a perfectly working SimpleDB client on hackage, and I wasted a fair amount of time building around this Amazonka client, which I can't tell if it has ever worked.
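How a Signature Version 2 check treats the two request shapes compared above, as an added example that is not part of the thread and is not code from amazonka or the aws package. The secret, access key id and parameter values are constructed, and that the failing signer covered only the query-string parameters is an assumption, not something the thread confirms.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

SECRET = "EXAMPLE-SECRET-KEY"  # constructed, not a real credential
HOST, PATH = "sdb.us-west-2.amazonaws.com", "/"

def canonical_query(params):
    """Sort by parameter name and RFC 3986-encode names and values."""
    enc = lambda s: quote(s, safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))

def sign_v2(secret, method, host, path, params):
    """Signature Version 2: HMAC-SHA256 over verb, host, path and parameters."""
    string_to_sign = "\n".join([method, host.lower(), path, canonical_query(params)])
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def service_accepts(secret, method, query, body):
    """Verifier's view: recompute over every parameter received, minus Signature."""
    received = {**query, **body}
    claimed = received.pop("Signature", "")
    expected = sign_v2(secret, method, HOST, PATH, received)
    return hmac.compare_digest(claimed, expected)

AUTH = {  # constructed values shaped like the requests in the thread
    "AWSAccessKeyId": "AKIDEXAMPLE",
    "SignatureMethod": "HmacSHA256",
    "SignatureVersion": "2",
    "Timestamp": "2018-07-01T07:36:09",
    "Version": "2009-04-15",
}
ACTION = {"Action": "CreateDomain", "DomainName": "foo"}

def split_request():
    """Assumed failing shape: the signature covers the query string only."""
    query = dict(AUTH, Signature=sign_v2(SECRET, "POST", HOST, PATH, AUTH))
    return query, dict(ACTION, Version="2009-04-15")

def form_request():
    """Working shape: every parameter is signed and sent in the form body."""
    params = {**AUTH, **ACTION}
    return {}, dict(params, Signature=sign_v2(SECRET, "POST", HOST, PATH, params))

if __name__ == "__main__":
    print("split:", service_accepts(SECRET, "POST", *split_request()))
    print("form: ", service_accepts(SECRET, "POST", *form_request()))
```

When diagnosing a `SignatureDoesNotMatch`, comparing the client's string to sign against the full set of parameters actually sent (query and body together) is the quickest way to spot this class of mismatch.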
While it would be nice to fix eventually, it's not worth holding up the 2.0 release over. It's pretty clearly not a flagship AWS product and isn't even in any remotely new regions:
Amazon SimpleDB is currently available in the US East (Northern Virginia), US West (Oregon), US West (Northern California), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo) Regions.
I'd consider a PR if someone else had time to make one, though.