amazonka

SignV4 Canonical URI paths are only encoded once. Should be twice

Open AlijahSmith opened this issue 5 years ago • 1 comments

Per AWS SignV4 docs:

Normalize URI paths according to RFC 3986. Remove redundant and relative path components. Each path segment must be URI-encoded twice (except for Amazon S3 which only gets URI-encoded once).

Most URIs have nothing to encode, which is why it usually works. However, when there is, the signature will be invalid.

As an example from API Gateway @connections, the endpoint is

https://{prefix}.execute-api.us-east-1.amazonaws.com/{stage}/@connections/{connection_id}
https://aabbccddee.execute-api.us-east-1.amazonaws.com/production/@connections/R0oXAdfD0kwCH6w=

The URI needs to be encoded once for the request

https://aabbccddee.execute-api.us-east-1.amazonaws.com/prod/%40connections/R0oXAdfD0kwCH6w%3D

And then again for the Canonical URI

https://aabbccddee.execute-api.us-east-1.amazonaws.com/prod/%2540connections/R0oXAdfD0kwCH6w%253D

AlijahSmith, May 16 '19 01:05

I hit the same problem the other day (thanks for reporting, @AlijahSmith!) when trying to invoke Lambda by using a version ARN (which contains colons `:` that are encoded to %3A).

My workaround was to invoke the Lambda version by URL-safe name only, putting the version number in the iQualifier.

Unisay, Feb 24 '20 05:02
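The encoding rule discussed in both comments above, as an added Python example that is not part of the thread or of amazonka's code: it derives the request path and the SigV4 canonical URI from a raw path and shows that single and double encoding give different canonical request hashes. The function names, the header values and the Lambda ARN are constructed for illustration, and the path is assumed to be already normalized.

```python
import hashlib
from urllib.parse import quote


def encode_path(path: str) -> str:
    """Percent-encode every path segment once, keeping '/' as the separator.

    quote(..., safe="") leaves only the RFC 3986 unreserved characters
    (A-Z a-z 0-9 - _ . ~) unescaped, so '@', '=', ':' and '%' are all encoded.
    """
    return "/".join(quote(segment, safe="") for segment in path.split("/"))


def canonical_uri(raw_path: str, service: str) -> str:
    """Canonical URI for SigV4: encoded twice, except S3 which is encoded once."""
    once = encode_path(raw_path)  # this is also the path sent on the wire
    if service == "s3":
        return once or "/"
    # Second pass: the '%' of each escape becomes '%25' ('%40' -> '%2540').
    return encode_path(once) or "/"


def canonical_request_hash(method: str, canon_uri: str) -> str:
    """SHA-256 of a canonical request with constructed headers and an empty body."""
    empty_payload = hashlib.sha256(b"").hexdigest()
    canonical_request = "\n".join([
        method,
        canon_uri,
        "",                                   # canonical query string (none)
        "host:example.invalid\n",             # constructed canonical headers
        "host",                               # signed headers
        empty_payload,
    ])
    return hashlib.sha256(canonical_request.encode()).hexdigest()


# Path from the issue, plus a constructed Lambda version ARN as a path segment.
CONNECTIONS_PATH = "/production/@connections/R0oXAdfD0kwCH6w="
ARN_PATH = ("/2015-03-31/functions/"
            "arn:aws:lambda:us-east-1:123456789012:function:demo:3/invocations")

if __name__ == "__main__":
    for path in (CONNECTIONS_PATH, ARN_PATH):
        print("request  :", encode_path(path))
        print("canonical:", canonical_uri(path, "execute-api"))
    signer_once = canonical_request_hash("POST", encode_path(CONNECTIONS_PATH))
    service_twice = canonical_request_hash(
        "POST", canonical_uri(CONNECTIONS_PATH, "execute-api"))
    print("hashes match:", signer_once == service_twice)
```

A signer that hashes the once-encoded path produces a different string to sign than the service computes, which is why the request is rejected only when a segment contains something to encode.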