99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments
MIT License

AWS gives SignatureDoesNotMatch error when secret key contains a slash #1212

Closed iainelder closed 10 months ago

iainelder commented 1 year ago

My aws-vault version is v7.2.0.

The file .aws/config doesn't exist.

I store credentials for admin and admin2 profiles by using aws-vault add profilename and pasting the generated credentials from the IAM console.

The admin profile's secret key contains a slash (/).

The admin2 profile's secret key does not contain a slash (/).

The console user has no control over the content of the secret key. You may have to generate more than 2 keys to get ones that meet the requirements. I got "lucky" first time!

When I authenticate as admin AWS gives the SignatureDoesNotMatch error.

$ aws-vault exec --debug --region eu-central-1 admin -- aws sts get-caller-identity
2023/07/10 16:43:07 aws-vault v7.2.0
2023/07/10 16:43:07 Using prompt driver: terminal
2023/07/10 16:43:07 Loading config file /home/isme/.aws/config
2023/07/10 16:43:07 Parsing config file /home/isme/.aws/config
2023/07/10 16:43:07 [keyring] Considering backends: [secret-service]
2023/07/10 16:43:07 Profile 'default' missing in config file
2023/07/10 16:43:07 profile admin: using stored credentials
2023/07/10 16:43:07 profile admin: using GetSessionToken 
2023/07/10 16:43:07 Setting subprocess env: AWS_REGION=eu-central-1, AWS_DEFAULT_REGION=eu-central-1
2023/07/10 16:43:07 Looking up keyring for 'admin'
aws-vault: error: exec: Failed to get credentials for admin: operation error STS: GetSessionToken, https response error StatusCode: 403, RequestID: ...., api error SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

When I authenticate as admin2 AWS accepts it.

$ aws-vault exec --debug --region eu-central-1 admin2 -- aws sts get-caller-identity
2023/07/10 16:42:53 aws-vault v7.2.0
2023/07/10 16:42:53 Using prompt driver: terminal
2023/07/10 16:42:53 Loading config file /home/isme/.aws/config
2023/07/10 16:42:53 Parsing config file /home/isme/.aws/config
2023/07/10 16:42:53 [keyring] Considering backends: [secret-service]
2023/07/10 16:42:53 Profile 'default' missing in config file
2023/07/10 16:42:53 profile admin2: using stored credentials
2023/07/10 16:42:53 profile admin2: using GetSessionToken 
2023/07/10 16:42:53 Setting subprocess env: AWS_REGION=eu-central-1, AWS_DEFAULT_REGION=eu-central-1
2023/07/10 16:42:53 Looking up keyring for 'admin2'
2023/07/10 16:42:53 Generated credentials ****************MP67 using GetSessionToken, expires in 59m59.714769622s
2023/07/10 16:42:53 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2023/07/10 16:42:53 Setting subprocess env: AWS_SESSION_TOKEN
2023/07/10 16:42:53 Setting subprocess env: AWS_CREDENTIAL_EXPIRATION
2023/07/10 16:42:53 Exec command aws sts get-caller-identity
2023/07/10 16:42:53 Found executable /usr/local/bin/aws
{
    "UserId": "...",
    "Account": "...",
    "Arn": "arn:aws:iam::...:user/..."
}

This is essentially a duplicate of #1132. @mtibben asked the OP to reopen that with details on how to reproduce. I can't reopen it so here's a new one.
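
An added example, not part of the original issue or of aws-vault's code: SigV4 derives the signing key from the raw bytes of the secret access key, so a slash is an ordinary character, and any alteration of the stored value changes the key and produces SignatureDoesNotMatch. The Go sketch below compares a pasted secret with a value read back from a store by signing-key fingerprint. The helper names, the sample secret (the example key from AWS documentation) and the two altered variants are assumptions constructed for illustration; neither variant is claimed to be the cause of this issue.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed inputs: the example secret from AWS documentation (it contains a
// slash) and two hypothetical ways a store could alter it. Neither variant is
// a finding about aws-vault.
const (
	Pasted    = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
	Escaped   = "wJalrXUtnFEMI%2FK7MDENG+bPxRfiCYEXAMPLEKEY"
	Truncated = "wJalrXUtnFEMI"
)

func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// SigningKey follows the SigV4 chain: date, region, service, "aws4_request".
// The secret enters as raw bytes with no decoding or escaping.
func SigningKey(secret, date, region, service string) []byte {
	k := mac([]byte("AWS4"+secret), date)
	k = mac(k, region)
	k = mac(k, service)
	return mac(k, "aws4_request")
}

// Fingerprint is a truncated signing key for a fixed past scope, so two copies
// of a secret can be compared without printing either one.
func Fingerprint(secret string) string {
	return hex.EncodeToString(SigningKey(secret, "20230710", "eu-central-1", "sts"))[:16]
}

// SameSecret reports whether the value read back signs like the pasted one.
func SameSecret(pasted, readBack string) bool {
	return hmac.Equal([]byte(Fingerprint(pasted)), []byte(Fingerprint(readBack)))
}

func main() {
	for _, s := range []string{Pasted, Escaped, Truncated} {
		fmt.Printf("len=%2d fingerprint=%s same=%v\n", len(s), Fingerprint(s), SameSecret(Pasted, s))
	}
}
```

Comparing the fingerprint of the secret as copied from the IAM console with the fingerprint of the value the keyring backend returns shows whether the stored bytes differ, without writing either secret to a terminal or log.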

github-actions[bot] commented 10 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.