acm19 / aws-request-signing-apache-interceptor

https://acm19.github.io/aws-request-signing-apache-interceptor/
Apache License 2.0

Attempting to query execute-api, ApacheHTTPClient4 fails to generate correct signatures #86

Closed ghost closed 1 year ago

ghost commented 1 year ago

Using version 2.2.0 with AWS SDK 2.18.7, making any request to an API Gateway endpoint, AWS responds with: {"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been..."} Provider looks good and the account is signed into; other uses of the credentials work without issues in the same application and via the CLI.

dblock commented 1 year ago

Is this a problem only against APIG? Could you please share a repro/code/HTTP trace?

Maybe try to run the known-to-work demo in https://github.com/dblock/opensearch-java-client-demo/tree/opensearch-2.x first just to make sure it's not something obvious.

ghost commented 1 year ago

The source of my issue ended up being that I was directly targeting an APIG stage for my baseURL; once I changed it to the appropriate custom subdomain, AWS was happy that the generated signature was valid.

dblock commented 1 year ago

Is there something in the docs for this project that could be useful for the next person? Or maybe a mention in my own quick starter version of this in https://code.dblock.org/2022/07/11/making-sigv4-authenticated-requests-to-managed-opensearch.html ? Like what did you actually change (with an example)? Please contribute!

ghost commented 1 year ago

I have myService in a CloudFormation stack that creates an APIG instance with a bunch of config for handling request validation and other stuff.

Originally I was targeting the APIG stage in myService's CloudFormation stack directly with my base URL: https://<RandomNumbersLetters>.us-east-1.mydomain.aws.com/v1/ etc.

Expecting the call to go MyService APIG -> MyService#LambdaHandler.

Fixing it required using a custom public domain name I have in place, which we'll call gateway, that points to my public 'root' API Gateway (the one web apps and external consumers are expected to hit) and has per-application redirects to the APIG instances in the individual service CloudFormation stacks.

So the overall path the request takes is: Gateway domain -> Root APIG -> MyService APIG -> MyService#lambdaHandler

Example: https://gateway.us-east-1.mydomain.aws.com/myService as the baseUrl, and then it was all happy.

Even though the internal APIG address was accessible from my development machine, I suspect the signing didn't work because, as with the Amazon managed services like OpenSearch, it's expecting to be called against publicly facing addresses. But that's a hunch; without deeper insight from Amazon it's hard to say for certain.
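The error body quoted in the first comment is more useful than it looks: AWS echoes the canonical string it computed from the request as it received it, so the fastest way to locate a SigV4 mismatch is to rebuild your own canonical request from the same inputs and diff the two line by line. The following is an added example written for this thread, not code from aws-request-signing-apache-interceptor or from the reporter; it is a stdlib-only Python reimplementation of the SigV4 canonical request, string to sign and signature, plus a line diff helper. It does not explain why the reporter's direct stage URL failed; it only shows which request fields (method, path, query, host and the other signed headers, payload hash) enter the string that AWS verifies, so that a base-URL change such as the one described above visibly changes both the path and host lines. The hostnames `abc123.execute-api.us-east-1.amazonaws.com` and `gateway.example.com`, the path `/myService/items`, the date and the credentials in the demo are constructed placeholders; the IAM `ListUsers` vector is the worked example from the AWS SigV4 documentation and is used as a known-good check.

```python
"""SigV4 canonical-request reconstruction for debugging
"The request signature we calculated does not match" responses.

Added example (Python stdlib only); not code from the interceptor project.
AWS echoes the canonical string it expected in the error body. Rebuild yours
from the same request and diff the two to find the field that differs.
"""
import hashlib
import hmac
from itertools import zip_longest
from urllib.parse import parse_qsl, quote, urlsplit


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method: str, url: str, headers: dict, body: bytes = b"") -> tuple[str, str]:
    """Return (canonical request, signed-headers list) following the SigV4 rules:
    method, URI-encoded path, sorted query, sorted lowercased headers, payload hash."""
    parts = urlsplit(url)
    canonical_uri = quote(parts.path or "/", safe="/~")
    query = sorted(parse_qsl(parts.query, keep_blank_values=True))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in query
    )
    # Header names lowercased, values trimmed with inner whitespace collapsed.
    # host is always signed; it is taken from the URL when not supplied.
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs.setdefault("host", parts.netloc)
    names = sorted(hdrs)
    canonical_headers = "".join(f"{n}:{hdrs[n]}\n" for n in names)
    signed_headers = ";".join(names)
    cr = "\n".join([method.upper(), canonical_uri, canonical_query,
                    canonical_headers, signed_headers,
                    hashlib.sha256(body).hexdigest()])
    return cr, signed_headers


def sign(method: str, url: str, headers: dict, body: bytes,
         access_key: str, secret_key: str, region: str, service: str) -> tuple[str, str]:
    """Return (Authorization header value, canonical request).
    headers must include x-amz-date in YYYYMMDD'T'HHMMSS'Z' form."""
    cr, signed = canonical_request(method, url, headers, body)
    amz_date = {k.lower(): v for k, v in headers.items()}["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(cr)])
    # Key derivation: HMAC chain over date, region, service, "aws4_request".
    key = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), amz_date[:8])
    for part in (region, service, "aws4_request"):
        key = _hmac_sha256(key, part)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    auth = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={signature}")
    return auth, cr


def diff_canonical(ours: str, theirs: str) -> list[tuple[int, str, str]]:
    """Lines that differ between our canonical request and the one AWS says it
    'should have been' (paste the text from the error body as `theirs`)."""
    pairs = zip_longest(ours.split("\n"), theirs.split("\n"), fillvalue="<missing>")
    return [(i + 1, a, b) for i, (a, b) in enumerate(pairs) if a != b]


# Known-good vector from the AWS SigV4 documentation (IAM ListUsers).
def aws_docs_example() -> tuple[str, str]:
    headers = {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
               "X-Amz-Date": "20150830T123600Z"}
    return sign("GET", "https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08",
                headers, b"", "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
                "us-east-1", "iam")


# Constructed demo: same logical call against a direct execute-api style host
# and against a custom domain. Hostnames, path, date and keys are placeholders.
DIRECT_URL = "https://abc123.execute-api.us-east-1.amazonaws.com/v1/items?limit=10"
CUSTOM_URL = "https://gateway.example.com/myService/items?limit=10"
DEMO_HEADERS = {"X-Amz-Date": "20230101T000000Z"}


def demo() -> list[tuple[int, str, str]]:
    _, cr_direct = sign("GET", DIRECT_URL, DEMO_HEADERS, b"",
                        "AKIAEXAMPLE", "example-secret", "us-east-1", "execute-api")
    _, cr_custom = sign("GET", CUSTOM_URL, DEMO_HEADERS, b"",
                        "AKIAEXAMPLE", "example-secret", "us-east-1", "execute-api")
    # Only the path line and the host line differ; everything else is identical.
    return diff_canonical(cr_direct, cr_custom)


if __name__ == "__main__":
    for lineno, ours, theirs in demo():
        print(f"line {lineno}: ours={ours!r} aws={theirs!r}")
```

In practice you paste the "Canonical String for this request should have been" text from the 403 body as the second argument of `diff_canonical` and feed the first argument with the exact method, URL, headers and body your client sent (an HTTP trace, as asked for in the thread, gives you those). A mismatch on line 2 points at path encoding or an intermediate hop rewriting the path; one on the `host:` line at a proxy or custom-domain hop changing the Host header; one on the last line at a body that was modified after signing.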