search

amzn / selling-partner-api-models

This repository contains OpenAPI models for developers to use when developing software to call Selling Partner APIs.
Apache License 2.0
543 stars 723 forks source link

InvalidSignature despite matching Canonical String and String-to-Sign and regenerated keys #1900

Closed vincentgu818 closed 1 year ago

vincentgu818 commented 2 years ago

I am getting the following error:

{
  "errors": [
    {
      "message": "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'GET
/orders/v0/orders
CreatedAfter=2021-09-25&MarketplaceIds=ATVPDKIKX0DER
host:sellingpartnerapi-na.amazon.com
user-agent:Ladder data ingestion
x-amz-access-token:Atza|IwEBIxxxxx
x-amz-date:20210929T142002Z
x-amz-security-token:FwoGZXIvYXdzxxxxx

host;user-agent;x-amz-access-token;x-amz-date;x-amz-security-token
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20210929T142002Z
20210929/us-east-1/execute-api/aws4_request
e7b877fcd2e10dcd8bc5050b7c6bad6d5126d6cd014e9a9b0c6e7d91ff0287f3'
",
     "code": "InvalidSignature"
    }
  ]
}

I have verified that my Canonical String and String-To-Sign are identical to these (include the case). So my issue must be in the Secret Access Key or Signing Method.

I went ahead and regenerated the access key and I am using the Python example to get the Signature Key: https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html#sig-v4-examples-get-auth-header

I've gone over the other issues reported and they haven't fixed my problem : #966 (if RoleARN used, required to use STS Session Token as x-amz-security-token) #656 (capitalization of query parameter) #528 (regenerated my keys) #468 (no resolution) #465 (no resolution) #116 (canonical_uri change, execute-api for service) #111 (content-type header and x-amz-content-sha256 header)

Can anybody help me? Thank you.

Here is my code minus the credentials.

# get Access Token and assign to 'x-amz-access-token'
response = requests.post('https://api.amazon.com/auth/o2/token',
    headers={'Content-Type': 'application/x-www-form-urlencoded'},
    data={
        'grant_type': 'refresh_token',
        'refresh_token': credentials['lwa_refresh_token'],
        'client_id': credentials['lwa_client_id'],
        'client_secret': credentials['lwa_client_secret']
    }
)
credentials['x-amz-access-token'] = response.json()['access_token']

# get AWS STS Session Token and assign to 'x-amz-security-token'
sts_client = boto3.client('sts')

assumed_role_object=sts_client.assume_role(
    RoleArn=credentials['role_arn'],
    RoleSessionName="openfit-sp-api"
)
credentials['x-amz-security-token'] = assumed_role_object['Credentials']['SessionToken']

# AWS Version 4 signing example

# EC2 API (DescribeRegions)

# See: http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
# This version makes a GET request and passes the signature
# in the Authorization header.
import sys, os, base64, datetime, hashlib, hmac 
import requests # pip install requests

# ************* REQUEST VALUES *************
method = 'GET'
service = 'execute-api'
host = 'sellingpartnerapi-na.amazon.com'
region = 'us-east-1'
endpoint = 'https://sellingpartnerapi-na.amazon.com/orders/v0/orders'
request_parameters = 'CreatedAfter=2021-09-25&MarketplaceIds=ATVPDKIKX0DER'

# Key derivation functions. See:
# http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html#signature-v4-examples-python
def sign(key, msg):
    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()

def getSignatureKey(key, dateStamp, regionName, serviceName):
    kDate = sign(('AWS4' + key).encode('utf-8'), dateStamp)
    kRegion = sign(kDate, regionName)
    kService = sign(kRegion, serviceName)
    kSigning = sign(kService, 'aws4_request')
    return kSigning

# Read AWS access key from env. variables or configuration file. Best practice is NOT
# to embed credentials in code.
access_key = credentials['aws_access_key']
secret_key = credentials['x-amz-security-token']
if access_key is None or secret_key is None:
    print('No access key is available.')
    sys.exit()

# Create a date for headers and the credential string
t = datetime.datetime.utcnow()
amzdate = t.strftime('%Y%m%dT%H%M%SZ')
datestamp = t.strftime('%Y%m%d') # Date w/o time, used in credential scope

# ************* TASK 1: CREATE A CANONICAL REQUEST *************
# http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

# Step 1 is to define the verb (GET, POST, etc.)--already done.

# Step 2: Create canonical URI--the part of the URI from domain to query 
# string (use '/' if no path)
canonical_uri = '/orders/v0/orders' 

# Step 3: Create the canonical query string. In this example (a GET request),
# request parameters are in the query string. Query string values must
# be URL-encoded (space=%20). The parameters must be sorted by name.
# For this example, the query string is pre-formatted in the request_parameters variable.
canonical_querystring = request_parameters

# Step 4: Create the canonical headers and signed headers. Header names
# must be trimmed and lowercase, and sorted in code point order from
# low to high. Note that there is a trailing \n.
canonical_headers = 'host:' + host + '\n' + 'user-agent:' + 'Ladder data ingestion' + '\n' + 'x-amz-access-token:' + credentials['x-amz-access-token'] + '\n' + 'x-amz-date:' + amzdate + '\n' + 'x-amz-security-token:' + credentials['x-amz-security-token'] + '\n'

# Step 5: Create the list of signed headers. This lists the headers
# in the canonical_headers list, delimited with ";" and in alpha order.
# Note: The request can include any headers; canonical_headers and
# signed_headers lists those that you want to be included in the 
# hash of the request. "Host" and "x-amz-date" are always required.
signed_headers = 'host;user-agent;x-amz-access-token;x-amz-date;x-amz-security-token'

# Step 6: Create payload hash (hash of the request body content). For GET
# requests, the payload is an empty string ("").
payload_hash = hashlib.sha256(('').encode('utf-8')).hexdigest()

# Step 7: Combine elements to create canonical request
canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash
print("My Canonical String:")
print(canonical_request+'\n')

# ************* TASK 2: CREATE THE STRING TO SIGN*************
# Match the algorithm to the hashing algorithm you use, either SHA-1 or
# SHA-256 (recommended)
algorithm = 'AWS4-HMAC-SHA256'
credential_scope = datestamp + '/' + region + '/' + service + '/' + 'aws4_request'
string_to_sign = algorithm + '\n' +  amzdate + '\n' +  credential_scope + '\n' +  hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()
print("My String to Sign")
print(string_to_sign+'\n')

# ************* TASK 3: CALCULATE THE SIGNATURE *************
# Create the signing key using the function defined above.
signing_key = getSignatureKey(secret_key, datestamp, region, service)

# Sign the string_to_sign using the signing_key
signature = hmac.new(signing_key, (string_to_sign).encode('utf-8'), hashlib.sha256).hexdigest()

# ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST *************
# The signing information can be either in a query string value or in 
# a header named Authorization. This code shows how to use a header.
# Create authorization header and add to request headers
authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' +  'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature

# The request can include any headers, but MUST include "host", "x-amz-date", 
# and (for this scenario) "Authorization". "host" and "x-amz-date" must
# be included in the canonical_headers and signed_headers, as noted
# earlier. Order here is not significant.
# Python note: The 'host' header is added automatically by the Python 'requests' library.
headers = {
    'authorization': authorization_header,
    'host': host,
    'user-agent': 'Ladder data ingestion',
    'x-amz-access-token': credentials['x-amz-access-token'],
    'x-amz-date': amzdate, 
    'x-amz-security-token': credentials['x-amz-security-token']
}

# ************* SEND THE REQUEST *************
request_url = endpoint + '?' + canonical_querystring

print('\nBEGIN REQUEST++++++++++++++++++++++++++++++++++++')
print('Request URL = ' + request_url)
r = requests.get(request_url, headers=headers)

print('\nRESPONSE++++++++++++++++++++++++++++++++++++')
print('Response code: %d\n' % r.status_code)
print(r.text)
pucsdian commented 2 years ago

Try to call same request from Postman and if postman call works then cross check your signature with postman signature using same parameters

vincentgu818 commented 2 years ago

Thanks for the reply. The Postman call did not work.

pucsdian commented 2 years ago

is postman also receiving wrong signature or anything else

On Sat, 2 Oct, 2021, 4:11 AM vincentgu818, @.***> wrote:

Thanks for the reply. The Postman call did not work.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/amzn/selling-partner-api-models/issues/1900, or unsubscribe https://github.com/notifications/unsubscribe-auth/ANYJAKA3CN432VEQWBLUA5LUEY2HXANCNFSM5FAB4WBA . Triage notifications on the go with GitHub Mobile for iOS https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675 or Android https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub.

vincentgu818 commented 2 years ago

Postman is receiving a response identical to the one at the beginning of my original post.

tector commented 2 years ago

@vincentgu818 i have the same issue... did you find a solution?

tabbedy commented 2 years ago

I have the same issue and i do not know where the problem is.

The differens is, that i have a functional Postman Request, but i am not able to generate the same Signature in Powershell as in Postman...

I try to receive the temporary Credentials via sts before i can sign and make a get request with my temp credentials

Did anyone find a solution?

aashifkhanate commented 2 years ago

I was also facing similar issue. Turns out I had to add API stage as prefix to the path when creating the HTTPRequest. I identified this by console logging stringToSign and canonical request in @aws-sdk/signature-v4.

The canonical string path differed for me.

It was expecting staging/projects/ whereas I was passing /projects/.

/projects/ was working for me fine up until I enabled IAM Auth on my API Gateway. I guess now since Auth was enabled, I was required to use API stage instead of directly using the non-stage one.

carlesbapeiro commented 1 year ago

@vincentgu818 I was facing the same problem. Check this Stack Overflow post I made a few days ago. Stack Overflow post In the answer I'm using your code and made it work, there were some little problems, although the signature itself was the same.

github-actions[bot] commented 1 year ago

This is a very old issue that is probably not getting as much attention as it deserves. We encourage you to check if this is still an issue after the latest release and if you find that this is still a problem, please feel free to open a new issue and make a reference to this one.

github-actions[bot] commented 1 year ago

closed for inactivity