amazonka
SignV4 Canonical URI paths are only encoded once. Should be twice
Per AWS SignV4 docs:
"Normalize URI paths according to RFC 3986. Remove redundant and relative path components. Each path segment must be URI-encoded twice (except for Amazon S3 which only gets URI-encoded once)."
Most URIs have nothing to encode, which is why it usually works. However, when there is, the signature will be invalid.
As an example from API Gateway @connections, the endpoint is
https://{prefix}.execute-api.us-east-1.amazonaws.com/{stage}/@connections/{connection_id}
https://aabbccddee.execute-api.us-east-1.amazonaws.com/production/@connections/R0oXAdfD0kwCH6w=
The URI needs to be encoded once for the request
https://aabbccddee.execute-api.us-east-1.amazonaws.com/prod/%40connections/R0oXAdfD0kwCH6w%3D
And then again for the Canonical URI
https://aabbccddee.execute-api.us-east-1.amazonaws.com/prod/%2540connections/R0oXAdfD0kwCH6w%253D
I hit the same problem the other day (thanks for reporting @AlijahSmith!) when trying to invoke Lambda by using version arn (which contains colons : that are encoded to %3A).
My workaround was to invoke lambda version by url-safe name only, putting version number in the iQualifier
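
The encoding rule quoted in the issue, applied to the API Gateway path above and to a Lambda version ARN like the one in the comment, as an added Python example (not amazonka's code). The Lambda path, account ID, timestamp and all function names are constructed for illustration, and path normalization is left out.

```python
import hashlib
from urllib.parse import quote

def encode_segments(path: str) -> str:
    # Percent-encode every path segment once; only RFC 3986 unreserved
    # characters (A-Z a-z 0-9 - _ . ~) pass through, "/" separators are kept.
    return "/".join(quote(seg, safe="") for seg in path.split("/")) or "/"

def canonical_uri(raw_path: str, service: str) -> str:
    # raw_path is the unencoded path. S3 is encoded once, everything else twice.
    once = encode_segments(raw_path)
    return once if service == "s3" else encode_segments(once)

def canonical_request_hash(method: str, uri: str, headers: dict, payload: bytes = b"") -> str:
    # SigV4 canonical request with an empty query string, hashed with SHA-256.
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    names = sorted(lowered)
    canonical = "\n".join([
        method,
        uri,
        "",  # canonical query string (empty here)
        "".join(f"{n}:{lowered[n]}\n" for n in names),
        ";".join(names),
        hashlib.sha256(payload).hexdigest(),
    ])
    return hashlib.sha256(canonical.encode()).hexdigest()

# Constructed sample inputs: the path from the issue and a made-up Lambda version ARN.
API_GW_PATH = "/prod/@connections/R0oXAdfD0kwCH6w="
LAMBDA_PATH = "/2015-03-31/functions/arn:aws:lambda:us-east-1:123456789012:function:demo:3/invocations"
HEADERS = {"Host": "aabbccddee.execute-api.us-east-1.amazonaws.com",
           "X-Amz-Date": "20240101T000000Z"}  # constructed timestamp

def compare(raw_path: str, service: str) -> dict:
    wire = encode_segments(raw_path)          # path the HTTP client sends
    canon = canonical_uri(raw_path, service)  # path the signer must hash
    return {"wire": wire, "canonical": canon,
            "hash_single": canonical_request_hash("POST", wire, HEADERS),
            "hash_double": canonical_request_hash("POST", canon, HEADERS)}

if __name__ == "__main__":
    for path, svc in [(API_GW_PATH, "execute-api"), (LAMBDA_PATH, "lambda")]:
        for key, value in compare(path, svc).items():
            print(f"{key:12} {value}")
```

A signer that hashes the `wire` path produces `hash_single`, while the service hashes the `canonical` path and gets `hash_double`, so the signatures only agree when the path has nothing to encode.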