Cognito Sync 403 Error

[VinnyLamego]

We are developing a mobile game using Unity and we are going to use AWS services to store all the user data and the game content.

We already built all the integration and archived to integrate with the AWS SDK for unity, the DynamoDB and S3 are working as expected but we are have some trouble with CognitoStore.

When we call _ds.Synchronize () or _syncManager.RefreshDatasetMetadataAsync() we get the a 403 Forbidden Error.

"WebException: 403 Forbidden Rethrow as AmazonServiceException: 403 Forbidden Rethrow as DataStorageException: Failed to list records in dataset: Account"

Our policy (simplified): { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "mobileanalytics:PutEvents", "cognito-sync:" ], "Resource": [ "" ] } ] }

The code calling the service is simple: try { CognitoSyncClientManager.init(); _syncManager = CognitoSyncClientManager.CognitoSyncManagerInstance;
} catch (Exception ex) { Debug.LogException (ex); return; }

_dsAccount = _syncManager.OpenOrCreateDataset ("Account"); _dsAccount.Put ("test", "1"); _dsAccount.Synchronize ();

Note: We are having the same issue with the Sample project.

More details in the AWS Forum: https://forums.aws.amazon.com/message.jspa?messageID=601541#601541

[albertvaka]

Hi!

We just released a new version of the SDK that fixes some issues that could actually be the root cause of this error. Could you upgrade and see if the problem persists?

Albert

[VinnyLamego]

Just updated but now I get 400 Bad Request.

[albertvaka]

Hi,

Unfortunately Unity does not allow you to see the contents of the error message when a query fails, and it makes this kind of problems much harder to debug. When this kind of errors happen, though, we print a "curl" command (like the one in the screenshot that you attached) that you can run to reproduce the call that failed and it will display the actual error message.

Could you try to run the curl command that appears with the errors and post the response here? That will certainly help.

Note that, while curl is installed by default in Mac and Linux, you might need to install it manually in Windows.

Thanks, Albert

[VinnyLamego]

Sure, this was the response:

{"message":"Signature not yet current: 20150218T134754Z is still later than 20150218T134740Z (20150218T134240Z + 5 min.)"}

[turacma]

This error indicates the computer/device does not have the correct time set for it's current time zone. Please make sure your computer/device is set to sync with an appropriate time source.

[VinnyLamego]

I updated the clock, but now i'm getting 400 Bad request, curl result:

$ {"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'GET\n/identitypools/YOUR_IDENTITY_POOL_ID/identities/us-east-1%3A128d6c31-d148-4b3f-9779-512b84910f92/datasets/Account/records\nlastSyncCount=0\nhost:cognito-sync.us-east-1.amazonaws.com\nuser-agent:AWS-SDK-UNITY/1.0.1\nx-amz-content-sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a\nx-amz-date:20150218T152819Z\nx-amz-security-token:AQoDYXdzEEka0ASplncEB/g829WRksi/4yRqdbRvCZHhlpJLbzGBXsXy0c+mmY/vAaWdCYWY4D7w0fmg3y2LGZB6SM2tz2vGMT9rEahG9zhJWseMkOi5PQOEu5cOC1Xnmc5TtTI9+Q6QXQc/duMTyQNKBrFaBCqTu9tA22GQOLmhPRfpx22TzHuZqFHryrsukXFzdahIO52LUV50TBC4YXY5LT0JDaO8W2zSxYTud9O6cVGEtysco9npG5kkEw8O90eV/BOaiqGKYKprVOwuH9ZPTdWT/cmxPiUZoSHhIb06btmjRs64KIHuFVfbV44ftN8jFL5jkXi/xTRzlB7f9cd8E/bxwzQurgJJtrhXoVtxWdyFJP887qCZpdpJ/lFnBLY/kO/bobAGESyjVCL3LjFy6CWjeY9UOo2pcS0IyY4YLZ3lJ4f13O0UV2Ln8vqX4Xbh5Thze+YLvcny5pmbPYqA1QMYOhTPj7ryt1oLzfDLQQZ/4DTCeaZzvqBBC+mcJw8WkKgdfc7BO8D4vMY46hqxmrXW1tHQkWUXk9haET2WPUxFO4JSih36ocDlgRWrdP2wiflJ+eKLd/rfZeYpWGRZxMuuEvsNe1SREj1MXHdVcOJAR+RL/APJUshvDlKkfZGK0V5aggppEDkIWK0+tQs8x4miBJz17iXZJcUlBRZgTIRu6PlrJUX3IDel5Kw5gGOeieFy0i2AH/5WzKiJxJSHRWlA8rfxqNBepkbQPW3Or8qd+Dx25qK6Dm+bwX1WIRFOFjdUn6j9+PBqMeHpsMunut2H9HvG+XbDIP7dkqcF\nx-http-method-override:GET\n\nhost;user-agent;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-http-method-override\n44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a'\n\nThe String-to-Sign should have been\n'AWS4-HMAC-SHA256\n20150218T152819Z\n20150218/us-east-1/cognito-sync/aws4_request\nc1c58c708610ab60dfed3da8a0531cc5738d3f41b58939d67c36ec12d751ae48'\n"}

[turacma]

Can you tell us more about the environment you are running your tests on, for instance, OS version and charset/language settings? We have been unable to reproduce your issues in our environment which leads us to believe there is something we are not currently capturing/testing.

[VinnyLamego]

Mac OSX 10.10.2 Yosemite Unity PRO 4.6.2f1 (Android Environment)

Will run a test on windows with the same project and post the result here.

[turacma]

A colleague just pointed out that your latest error message contains "YOUR_IDENTITY_POOL_ID" which seems to suggest that you failed to update your code with the value of your actual identity pool id. Can you confirm that your test app is correctly setting this value?

[VinnyLamego]

Just did the test on a VM with Windows 7, same project / settings and it worked.

I repeated the test on my mac worked.

Not sure yet was was the issue, but opening the same project in Windows and than on Mac again with v1.0.1 worked. Maybe was an issue of unity caching or something like that. But it's working.

Thanks for the support.

[NeoAnderson87]

Hello , I am getting the same issue: on Synchronize () or RefreshDatasetMetadataAsync() we get the a 403 Forbidden Error.

"WebException: 403 Forbidden Rethrow as AmazonServiceException: 403 Forbidden Rethrow as DataStorageException: Failed to list records in dataset: Account"

Unity:4.6.3f1 Os:Windows 8.1 pro

And this is my curl response: {"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the serv ice documentation for details.\n\nThe Canonical String for this request should h ave been\n'GET\n/identitypools/us-east-1%3Adddbd6ae-e9ae-4be7-a385-f0c44a279f22/ identities/us-east-1%3A67aa6ec6-310c-4f0c-9a15-d01406580d68/datasets/PlayerInfo/ records\nlastSyncCount=0\nhost:cognito-sync.us-east-1.amazonaws.com\nuser-agent: AWS-SDK-UNITY/1.0.5\nx-amz-content-sha256:44136fa355b3678a1146ad16f7e8649e94fb4f c21fe77e8310c060f61caaff8a\nx-amz-date:20150410T101458Z\nx-amz-security-token:AQ oDYXdzEFsa4ARMSNIsJwPdpxCJ00lrSg5uqgQHOdvQk8l496BnNO639LL9UMK1Q7342h+SVKJoSITh70 2/eaOUMaRUMx94JNLNKm0X1YcN84lQm54bUrw9xp3Y4Nf0AfXqx6SGtPsZtl85vn7+eqE+/AdVXdaaLM 3Iod5KxbI4UW2/s10AX5YDYpDhR/MnafMzytBePO8rSJQJYPx16TS8Crs08gkDIB+RBwmMsj2y0nWvQb s1fF0ELTnhSVgyWvRtnAjbMXPkk0hfHfptlyDaV94gPg39zuWzHXN4LYkwsrjsw8lFzLKDhSwf37Se2Z 3u0XrO5+OnWV9xP4yHInxcJNyy5MV+n6Fjc3UR4KX1uV3X45rO4g6p6dOWVTwwRo55CwFEsi73W5elOK NjWAG+CZxyza/nC7dVysjEiFyxN+k2sjMsw2k6kiKe7/8qdbP9sVmghE8VDKDfL+5cvgBwnANo+ptwQY 6G6ING0+0YATxJpB8M4rPm14rkvtzJuJU9E578dt0Pc18H+aR/gqsro6o9LoNpq0ly12fgWWlPMy5xZB 3Q0mnakJPzGPVlKakwv3e1DEoboFEtGs8ZYyBMAH9GmK+OQb7QW9KP2grdMuoH87RA8s0HyO1gh6lYYv k86ypcGzwJyrZm8zfCjARFApHQ6HWoT0Pwz8ekw0geMLZnDF5eVtxa8ffsi+5AwZLW6qM6Fm4PhwfD4D CGNrx2uhcT5tXhy14z0DGuqHk5NweKdkwOQcnXUj6rekk1/MPghH7UBfhaauXtT8F9vMV2cR+caZl/u5 GasF0VZLtA4QgKgAuxcbqU2SDgvp6pBQ==\nx-http-method-override:GET\n\nhost;user-agen t;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-http-method-override\n4 37da515a768a74bdc5d9c67803dfe8e3f0339ebad2e87474f5d3fde0427bd80'\n\nThe String-t o-Sign should have been\n'AWS4-HMAC-SHA256\n20150410T101458Z\n20150410/us-east-1 /cognito-sync/aws4_request\n39571a63dd507046bd6019cd89951dc7ba615e980a3068f0f73e 1788d025b81e'\n"}

NOTE: This happens only for Auth users( i am using Facebook auth) .. for guest users (unauth) it works fine.