
`credentialScope` is not applied

Open angelsl opened this issue 5 years ago • 8 comments

Environment

  • Elixir & Erlang versions (elixir --version): 1.10.3
  • ExAws version: 2.1.3
  • HTTP client version: Hackney 1.16.0

Current behavior

credentialScope from priv/endpoints.exs does not seem to be applied:

```elixir
iex(11)> ExAws.Operation.JSON.new(:iot, %{http_method: :get, path: "/things/receiver-test-test"}) |> ExAws.request()
{:error,
 {:http_error, 403,
  %{
    body: "{\"message\":\"Credential should be scoped to correct service: 'execute-api'. \"}",
    headers: [
      {"Date", "Tue, 07 Jul 2020 18:24:21 GMT"},
      {"Content-Type", "application/json"},
      {"Content-Length", "77"},
      {"Connection", "keep-alive"},
      {"x-amzn-RequestId", "..."},
      {"x-amzn-ErrorType", "InvalidSignatureException"},
      {"x-amz-apigw-id", "..."}
    ],
    status_code: 403
  }}}
```

Expected behavior

The request should succeed.

angelsl, Jul 07 '20 18:07

Hi @angelsl, please provide more information: how have you configured ExAws's credentials?

benwilson512, Jul 07 '20 18:07

As part of configuration:

```elixir
config :ex_aws,
  access_key_id: "...",
  secret_access_key: "...",
  region: "ap-southeast-1"
```

Specifying service_override works as a workaround. (Also, I had to use RestQuery instead of JSON.)

```elixir
ExAws.request(%ExAws.Operation.RestQuery{http_method: :get, path: "/things/receiver-test-test", service: :iot }, service_override: :"execute-api")
{:ok,
 %{
   body: "...",
   headers: [
     {"Date", "Tue, 07 Jul 2020 18:43:16 GMT"},
     {"Content-Type", "application/json"},
     {"Content-Length", "285"},
     {"Connection", "keep-alive"},
     {"x-amzn-RequestId", "..."},
     {"Access-Control-Allow-Origin", "*"},
     {"x-amz-apigw-id", "..."},
     {"X-Amzn-Trace-Id", "..."}
   ],
   status_code: 200
 }}
```

angelsl, Jul 07 '20 18:07

I still don't understand this error. Please provide more information about what should be happening. What is credentialScope?

benwilson512, Jul 07 '20 19:07

I'm referring to this.

When making an AWS request, you use your access key and secret key to derive an HMAC key to sign the request. The credential scope is used in the derivation.

For most services, the credential scope is identical to the service name. For some services, it is not. iot is one such service.

angelsl, Jul 07 '20 20:07

Basically, what should be happening is that ExAws uses the correct credential scope based on the service name specified. The data is even there in priv/endpoints.exs—it just doesn't seem to be used at the moment.

angelsl, Jul 07 '20 20:07
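The key derivation described in the two comments above, as an added example (not ExAws code and not posted by anyone in the thread): it derives the SigV4 signing key and signs one request twice, once scoped to the service name `iot` and once to the scope name `execute-api`, so the two credential scopes and the resulting signatures can be compared. The module name, secret, host and canonical request are constructed for illustration.

```elixir
# Added example, not ExAws code. Module name, secret and host are constructed.
defmodule SigV4ScopeDemo do
  # Service => name used in the credential scope; :iot is the case from this thread.
  @scope_names %{iot: "execute-api"}

  def scope_name(service), do: Map.get(@scope_names, service, Atom.to_string(service))

  def credential_scope(date, region, name),
    do: Enum.join([date, region, name, "aws4_request"], "/")

  # HMAC chain: "AWS4" <> secret -> date -> region -> scope name -> "aws4_request"
  def signing_key(secret, date, region, name) do
    Enum.reduce([date, region, name, "aws4_request"], "AWS4" <> secret, &hmac(&2, &1))
  end

  def sign(secret, amz_date, region, name, canonical_request) do
    date = binary_part(amz_date, 0, 8)

    string_to_sign =
      Enum.join(
        ["AWS4-HMAC-SHA256", amz_date, credential_scope(date, region, name),
         hex(:crypto.hash(:sha256, canonical_request))],
        "\n"
      )

    secret |> signing_key(date, region, name) |> hmac(string_to_sign) |> hex()
  end

  defp hmac(key, data), do: :crypto.mac(:hmac, :sha256, key, data)
  defp hex(bin), do: Base.encode16(bin, case: :lower)
end

amz_date = "20200707T182421Z"
region = "ap-southeast-1"
secret = "EXAMPLE-SECRET-NOT-A-REAL-KEY"

canonical_request =
  Enum.join(
    ["GET", "/things/receiver-test-test", "",
     "host:iot.ap-southeast-1.amazonaws.com", "x-amz-date:" <> amz_date, "",
     "host;x-amz-date", Base.encode16(:crypto.hash(:sha256, ""), case: :lower)],
    "\n"
  )

# Same secret and request, two scope names: the scope string and signature both change.
for name <- ["iot", SigV4ScopeDemo.scope_name(:iot)] do
  scope = SigV4ScopeDemo.credential_scope(binary_part(amz_date, 0, 8), region, name)
  IO.puts("#{scope} -> #{SigV4ScopeDemo.sign(secret, amz_date, region, name, canonical_request)}")
end
```

Because the scope name feeds both the signing key and the string to sign, a client that signs with `iot` cannot produce a signature the service will accept when it expects `execute-api`.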

Got it, thanks! I'll look into it.

benwilson512, Jul 07 '20 21:07

I am willing to look at this; would it be useful in removing the override needed in #1023?

devstopfix, Dec 21 '23 19:12

@devstopfix I'm not actually sure if it would be useful in removing it - my reading of this bug is that the overrides aren't actually working in the first place. But I haven't really looked into this issue at all since I took over from Ben, so do please feel free to do any digging you like and let us know what you find.

bernardd, Jan 11 '24 05:01