opensearch-cli
opensearch-cli copied to clipboard
[BUG] AOSS returns InvalidSignature error if request has a body
What is the bug?
opensearch-cli does not sign requests that contain bodies correctly, when used with Amazon OpenSearch Serverless (AOSS).
How can one reproduce the bug?
Steps to reproduce the behavior:
- Create an AOSS Collection
- Create a profile to access that collection
- Make a GET request to that collection to verify the setup, e.g. curl get --path _cat/indices
- Make a POST request with a body, e.g. POST _aliases (see below)
- View a "Invalid signature" error
I've tried multiple different API endpoints, so it is not specific to aliases
What is the expected behavior?
Requests with bodies should work.
What is your host/environment?
- OS: Ubuntu
- Plugin version 1.1.0
- OpenSearch version AOSS hosted
Do you have any screenshots?
For example:
# GET WORKS
$ aws-vault exec my-profile -- opensearch-cli -p dev curl get --path _cat/aliases
chatmessages index6 - - - -
chatmessages index5 - - - -
# POST DOES NOT WORK
$ aws-vault exec my-profile -- opensearch-cli -p dev curl post --path _aliases -d '{"actions":[{"remove": {"alias": "chatmessages"}},{"add":{"alias":"chatmessages","index":"chatmessages-robfig-20230222","is_write_index":true}}]}'
{
"error": {
"reason": "Customer authentication failed: ResultDetail: { Code=InvalidSignature, Message=Invalid signature, does not match, }",
"type": "AccessDenied"
},
"request-id": "1ca730d5-ce7a-9ad2-926d-8dae23ab1c12",
"status": 403
}
Good catch. It sounds like it needs a client update and a way to specify the service name ("aoss" instead of "es"). What would you suggest could be the right way to specify the service name (e.g., as a flag, as a setting)?