aws-samples / api-gateway-secure-pet-store

Amazon API Gateway sample using Amazon Cognito credentials through AWS Lambda
Apache License 2.0

The request signature we calculated does not match the signature you provided ? #15

Open esumit opened 8 years ago

esumit commented 8 years ago

On executing the Login request, I received the following credentials:

"credentials": {
  "accessKey": "XXXXXXXXXXXXX",
  "secretKey": "XXXXXXXXXXXXX/XXXXXXXXXXXXX/XXXXXXXXXXXXX",
  "sessionToken": "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",
  "expiration": 1462280810000
}

But when I tried to call the Pets request by entering the above parameters, it returned the following:

{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'POST\n/devTest/pets\n\ncontent-length:212\ncontent-type:application/x-www-form-urlencoded\nhost:XXXXXXX.execute-api.us-east-1.amazonaws.com\nx-amz-date:20160503T121516Z\nx-amz-security-token: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\n\ncontent-length;content-type;host;x-amz-date;x-amz-security-token\n82d7b00fc60e9684db97202b877091a3836e091224a5a8bf4567080e104e4459'\n\nThe String-to-Sign should have been\n'AWS4-HMAC-SHA256\n20160503T121516Z\n20160503/us-east-1/execute-api/aws4_request\nd6d9d29069c6575ec4510dfab1268f2ba1697a876a660c4564fe8398674f3c97'\n"}

Any comments?
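Added example, not part of the original thread or the project's code: Python that rebuilds the SigV4 canonical request and string-to-sign in the layout the error above prints, then reports the first line where a client's canonical request differs from the one the server expected. The host, token, secret, body and the content-type mismatch are constructed sample values, and the function names are hypothetical.

```python
import hashlib, hmac, json
from itertools import zip_longest

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def canonical_request(method, path, query, headers, body: bytes) -> str:
    # Header names lowercased, values whitespace-trimmed, sorted by name.
    canon = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    signed = ";".join(k for k, _ in canon)
    return "\n".join([method, path, query, *(f"{k}:{v}" for k, v in canon),
                      "", signed, sha256_hex(body)])

def string_to_sign(amz_date, region, service, creq: str) -> str:
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(creq.encode())])

def signature(secret, amz_date, region, service, sts: str) -> str:
    # Derive the signing key (date -> region -> service -> aws4_request), then sign.
    key = ("AWS4" + secret).encode()
    for part in (amz_date[:8], region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()

def expected_canonical(error_body: str) -> str:
    # Extract the server's canonical string from a 403 body shaped like the thread's.
    msg = json.loads(error_body)["message"]
    marker = "The Canonical String for this request should have been\n'"
    start = msg.index(marker) + len(marker)
    return msg[start:msg.index("'\n\nThe String-to-Sign", start)]

def first_difference(client: str, server: str):
    # (1-based line number, client line, server line), or None when identical.
    pairs = zip_longest(client.split("\n"), server.split("\n"))
    return next(((i, x, y) for i, (x, y) in enumerate(pairs, 1) if x != y), None)

# Constructed sample values: host, token, body and the client mistake are not from the thread.
BODY = b"name=Rex&type=dog"
HEADERS = {"Host": "example.execute-api.us-east-1.amazonaws.com",
           "X-Amz-Date": "20160503T121516Z", "X-Amz-Security-Token": "EXAMPLE-TOKEN",
           "Content-Type": "application/x-www-form-urlencoded",
           "Content-Length": str(len(BODY))}
SERVER = canonical_request("POST", "/devTest/pets", "", HEADERS, BODY)
CLIENT = canonical_request("POST", "/devTest/pets", "",
                           {**HEADERS, "Content-Type": "application/json"}, BODY)
STS = string_to_sign("20160503T121516Z", "us-east-1", "execute-api", SERVER)
ERROR_BODY = json.dumps({"message": "The Canonical String for this request should have been\n'"
                         + SERVER + "'\n\nThe String-to-Sign should have been\n'" + STS + "'\n"})

if __name__ == "__main__":
    print(first_difference(CLIENT, expected_canonical(ERROR_BODY)))
```

Pasting a real 403 body into `expected_canonical` and comparing it with what the client built shows which header, path or payload hash the signer got wrong, without exposing the secret key.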

esumit commented 8 years ago

May you please provide any comment on this question? I am still stuck on this issue.

esumit commented 8 years ago

How I solved the above problem:

Based on the documentation, you would have configured an IAM Role with the following (Amazon Cognito Identity, Amazon DynamoDB, AWS Lambda, Amazon CloudWatch Logs).

Say you gave it the name 'PetRole'.

Go to the Swagger.Yaml file, and add the ARN of 'PetRole' to the credentials of x-amazon-apigateway-integration for all paths. (Its documentation says to add the ARN of 'PetRole' to the credentials of only /users and /login, but I added it to the others as well, e.g. for /pets, and then it worked.)

ergind commented 7 years ago

@esumit I think what you did is wrong. You are supposed to use the user's identity acquired by the login call. Using PetRole in credentials simply makes all endpoints public. Anyone can access them.