aws4 icon indicating copy to clipboard operation
aws4 copied to clipboard

Published 20 hours ago verified publisher icon mhart

The request signature we calculated does not match the signature you provided

Open ekkis opened this issue 2 years ago • 1 comments

using v1.11.0 I hand the following to the .sign() method (partnerId and Credential modified to hide actual value):

signedRequest: {
    region: 'us-east-1',
    host: 'agcod-v2-gamma.amazon.com',
    path: '/CreateGiftCard',
    body: '{"creationRequestId":"Cif1221xjchec2ac","partnerId":"Cuf12","value":{"amount":120,"currencyCode":"USD"}}',
    service: 'AGCODService',
    headers: {
      accept: 'application/json',
      'content-type': 'application/json',
      'x-amz-target': 'com.amazonaws.agcod.AGCODService.CreateGiftCard',
      Host: 'agcod-v2-gamma.amazon.com',
      'Content-Length': 104,
      'X-Amz-Date': '20220502T205849Z',
      Authorization: 'AWS4-HMAC-SHA256 Credential=AKILWWFU6UKLBAEECQ7I/20220502/us-east-1/AGCODService/aws4_request, SignedHeaders=accept;content-length;content-type;host;x-amz-date;x-amz-target, Signature=4d9cc7a9ceb696648585b47e7e56d075e3a04becdca74bf3c9212c2eae0a8f4b'
    },
    method: 'POST',
    securityOptions: 'SSL_OP_NO_SSLv3'
  }

and when I call the servers get the following error:

{ message: 'The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.' }

could anyone elucidate for me what is wrong?

Appendix I

incidentally, using node-fetch to submit the request, like so:

    var url = `https://${signedRequest.host}${signedRequest.path}`
    return fetch(url, {
      method: 'POST',
      headers: signedRequest.headers,
      body: JSON.stringify(signedRequest.body)
    })
      .then(res => res.json())

and yes, I've verified that the credentials are correct. the same signedRequest object works fine when submitted to the server via the NPM request package, which I'm trying to replace with node-fetch as the former is deprecated

Appendix II

furthermore, if I curl with all the data displayed above, I get a success:

{"cardInfo":{"cardNumber":null,"cardStatus":"Fulfilled","expirationDate":null,"value":{"amount":120.0,"currencyCode":"USD"}},"creationRequestId":"Cif1321ydvevfgmg","gcClaimCode":"AJV7-WRRV8D-89AR","gcExpirationDate":null,"gcId":"1533548517471554","status":"SUCCESS"}

Appendix III

incidentally, I did find this: https://gist.github.com/i-like-robots/8913dad2204f95f0d4044b338092a584 which seems to suggest that a) the connection should implement keepAlive, and 2) there's some issue where CNAMEs need to be resolved. with reference to the latter, I've verified that the hostname being provided (agcod-v2-gamma.amazon.com) isn't a CNAME

I frankly don't know what the issue could be but if the guy who posted those gists wrote them, there must be a reason.

also incidentally, I'm trying to upgrade https://www.npmjs.com/package/agcod because Amazon doesn't offer an official NodeJs library to deal with this (sad). if anyone can recommend a better alternative I'm all ears

ekkis avatar May 02 '22 21:05 ekkis

Hey @ekkis, I also had a similar issue. I fixed the issue by giving host, path to the requestOptions of the sign function.

const signedHeaders = sign(
                {
                    method: 'GET',
                    service: 'service',
                    region: 'eu-central-1',
                    host: 'https://zzzzzzzzzz.service.eu-central-1.amazonaws.com',
                    path: '/dev/v1/test?' + searchParams,
                },
                {
                    secretAccessKey: 'secretAccessKey',
                    accessKeyId: 'accessKeyId',
                    sessionToken: 'sessionToken',
                },
            ).headers

Hope this helps ✌️

bcesur avatar May 19 '22 12:05 bcesur