aws / aws-sdk-cpp

AWS SDK for C++
Apache License 2.0

WAF GetChangeToken not working #579

Closed santoshsahu closed 7 years ago

santoshsahu commented 7 years ago

Hi, I have been trying to create a web ACL using the C++ SDK. The first step is to get the change token. Here is my code:

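#include <iostream>
#include <string>
#include <aws/core/Aws.h>
#include <aws/core/Region.h>
#include <aws/core/auth/AWSCredentialsProvider.h>
#include <aws/core/client/ClientConfiguration.h>
#include <aws/waf/WAFClient.h>
#include <aws/waf/model/GetChangeTokenRequest.h>

// access_key and secret_key are std::string values defined elsewhere in the program.
std::string get_change_token()
{
    std::string token;
    Aws::SDKOptions options;
    // Trace-level logging produces the signer and curl output shown below.
    options.loggingOptions.logLevel = Aws::Utils::Logging::LogLevel::Trace;
    Aws::InitAPI(options);
    {
        Aws::Client::ClientConfiguration config;
        config.scheme = Aws::Http::Scheme::HTTPS;
        config.connectTimeoutMs = 30000;
        config.requestTimeoutMs = 30000;
        // With a region set, the request goes to waf.us-west-2.amazonaws.com (see the trace).
        config.region = Aws::Region::US_WEST_2;

        auto client = Aws::MakeShared<Aws::WAF::WAFClient>(
            "abcd", Aws::Auth::AWSCredentials(access_key.c_str(),
            secret_key.c_str()), config);

        Aws::WAF::Model::GetChangeTokenRequest request;

        Aws::WAF::Model::GetChangeTokenOutcome outcome = client->GetChangeToken(request);
        if (outcome.IsSuccess()) {
            std::cout << "Done!" << std::endl;

            token = std::string(outcome.GetResult().GetChangeToken().c_str());
            std::cout << token;
        } else {
            std::cout << "AWS GetChangeToken error: "
                      << outcome.GetError().GetExceptionName() << std::endl
                      << outcome.GetError().GetMessage() << std::endl;
        }
    }
    Aws::ShutdownAPI(options);
    return token;
}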

The above code gives the following error: Unable to connect to endpoint. Please find below the trace output of the above code.

[INFO] 2017-06-21 05:44:04 Aws_Init_Cleanup [140511594518400] Initiate AWS SDK for C++ with Version:1.0.157
[INFO] 2017-06-21 05:44:04 CurlHttpClient [140511594518400] Initializing Curl library
[INFO] 2017-06-21 05:44:04 CurlHandleContainer [140511594518400] Initializing CurlHandleContainer with size 25
[TRACE] 2017-06-21 05:44:04 AWSClient [140511594518400] No content body, content-length headers
[DEBUG] 2017-06-21 05:44:04 AWSAuthV4Signer [140511594518400] Using cached empty string sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 because payload is empty.
[DEBUG] 2017-06-21 05:44:04 AWSAuthV4Signer [140511594518400] Canonical Header String: content-length:0
content-type:application/x-amz-json-1.1
host:waf.us-west-2.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20170621T054404Z
x-amz-target:AWSWAF_20150824.GetChangeToken

[DEBUG] 2017-06-21 05:44:04 AWSAuthV4Signer [140511594518400] Signed Headers value:content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-target
[DEBUG] 2017-06-21 05:44:04 AWSAuthV4Signer [140511594518400] Canonical Request String: POST
/

content-length:0
content-type:application/x-amz-json-1.1
host:waf.us-west-2.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20170621T054404Z
x-amz-target:AWSWAF_20150824.GetChangeToken

content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-target
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
[DEBUG] 2017-06-21 05:44:04 AWSAuthV4Signer [140511594518400] Final String to sign: AWS4-HMAC-SHA256
20170621T054404Z
20170621/us-west-2/waf/aws4_request
754bce0f073aa123d6f481751eafad9a9c7fdc5c6e02aa830168a847b3ddaf3e
[DEBUG] 2017-06-21 05:44:04 AWSAuthV4Signer [140511594518400] Final computed signing hash: 0eb8bc4030ecfb00d149582c5f71355783a34ce70a2a553a4f2b0497bb9435d7
[DEBUG] 2017-06-21 05:44:04 AWSAuthV4Signer [140511594518400] Signing request with: AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXXXXX/20170621/us-west-2/waf/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-target, Signature=0eb8bc4030ecfb00d149582c5f71355783a34ce70a2a553a4f2b0497bb9435d7
[DEBUG] 2017-06-21 05:44:04 AWSClient [140511594518400] Request Successfully signed
[TRACE] 2017-06-21 05:44:04 CurlHttpClient [140511594518400] Making request to https://waf.us-west-2.amazonaws.com
[TRACE] 2017-06-21 05:44:04 CurlHttpClient [140511594518400] Including headers:
[TRACE] 2017-06-21 05:44:04 CurlHttpClient [140511594518400] authorization: AWS4-HMAC-SHA256 Credential=XXXXXXXXXXXXXXX/20170621/us-west-2/waf/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-target, Signature=0eb8bc4030ecfb00d149582c5f71355783a34ce70a2a553a4f2b0497bb9435d7
[TRACE] 2017-06-21 05:44:04 CurlHttpClient [140511594518400] content-length: 0
[TRACE] 2017-06-21 05:44:04 CurlHttpClient [140511594518400] content-type: application/x-amz-json-1.1
[TRACE] 2017-06-21 05:44:04 CurlHttpClient [140511594518400] host: waf.us-west-2.amazonaws.com
[TRACE] 2017-06-21 05:44:04 CurlHttpClient [140511594518400] user-agent: aws-sdk-cpp/1.0.157 Linux/4.4.0-79-generic x86_64
[TRACE] 2017-06-21 05:44:04 CurlHttpClient [140511594518400] x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
[TRACE] 2017-06-21 05:44:04 CurlHttpClient [140511594518400] x-amz-date: 20170621T054404Z
[TRACE] 2017-06-21 05:44:04 CurlHttpClient [140511594518400] x-amz-target: AWSWAF_20150824.GetChangeToken
[DEBUG] 2017-06-21 05:44:04 CurlHandleContainer [140511594518400] Attempting to acquire curl connection.
[DEBUG] 2017-06-21 05:44:04 CurlHandleContainer [140511594518400] No current connections available in pool. Attempting to create new connections.
[DEBUG] 2017-06-21 05:44:04 CurlHandleContainer [140511594518400] attempting to grow pool size by 2
[INFO] 2017-06-21 05:44:04 CurlHandleContainer [140511594518400] Pool successfully grown by 2
[INFO] 2017-06-21 05:44:04 CurlHandleContainer [140511594518400] Connection has been released. Continuing.
[DEBUG] 2017-06-21 05:44:04 CurlHandleContainer [140511594518400] Returning connection handle 0x1eb4790
[DEBUG] 2017-06-21 05:44:04 CurlHttpClient [140511594518400] Obtained connection handle 0x1eb4790
[ERROR] 2017-06-21 05:44:04 CurlHttpClient [140511594518400] Curl returned error code 6
[DEBUG] 2017-06-21 05:44:04 CurlHandleContainer [140511594518400] Releasing curl handle 0x1eb4790
[DEBUG] 2017-06-21 05:44:04 CurlHandleContainer [140511594518400] Notified waiting threads.
[DEBUG] 2017-06-21 05:44:04 AWSClient [140511594518400] Request returned error. Attempting to generate appropriate error codes from response
[WARN] 2017-06-21 05:44:04 AWSClient [140511594518400] If the signature check failed. This could be because of a time skew. Attempting to adjust the signer.
[DEBUG] 2017-06-21 05:44:04 AWSClient [140511594518400] Date header was not found in the response, can't attempt to detect clock skew
[DEBUG] 2017-06-21 05:44:04 AWSClient [140511594518400] Server time is Wed, 21 Jun 2017 05:44:04 GMT, while client time is Wed, 21 Jun 2017 05:44:04 GMT
[WARN] 2017-06-21 05:44:04 AWSClient [140511594518400] Request failed, now waiting 0 ms before attempting again.

Please let me know whether it's a bug or I am doing something wrong. Thanks.

marcomagdy commented 7 years ago

This is probably a bug in our endpoint calculation for WAF. We'll get it fixed. Meanwhile, you can do: config.endpointOverride = ... and get the proper endpoint from http://docs.aws.amazon.com/general/latest/gr/rande.html#waf_region

Please let me know if that fixes your problem.

marcomagdy commented 7 years ago

Actually, I take that back. If you're trying to use WAF for CloudFront, then the endpoint name should be waf.amazonaws.com. To get that, you should not specify a region in your config.

If you're trying to use WAF for Application Load Balancer, then you should be using the aws-cpp-sdk-waf-regional service.

santoshsahu commented 7 years ago

I have tried without configuring the endpoint, but then it goes to the default region us-east-1 (endpoint: waf.us-east-1.amazonaws.com). Looks like there is a bug. However, endpointOverride worked for me. Thanks.

marcomagdy commented 7 years ago

You're right, we'll get that fixed. Thanks for reporting it.

singku commented 7 years ago

The default region is US_EAST_1; it is set up as a convenience for most services. Since there is no region specified for WAF, you can explicitly set it to an empty string.

marcomagdy commented 7 years ago

The fix for this has been merged.
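
Added example, not part of the thread or of the SDK: a small standard-library triage routine for this kind of trace. It pulls the host and the libcurl error code out of the SDK log and flags the case seen here, where code 6 (`CURLE_COULDNT_RESOLVE_HOST`) means the computed hostname `waf.us-west-2.amazonaws.com` did not resolve. The names `Triage`, `triageTrace` and `curlMeaning` are hypothetical, and the sample lines are constructed from the trace above with timestamps and thread ids trimmed.

```cpp
#include <iostream>
#include <regex>
#include <sstream>
#include <string>

struct Triage {
    std::string host;     // from "Making request to https://<host>"
    int curlCode = 0;     // from "Curl returned error code <n>", 0 if absent
    std::string verdict;  // human-readable conclusion
};

// libcurl codes commonly behind the SDK's "Unable to connect to endpoint".
std::string curlMeaning(int code) {
    switch (code) {
        case 6:  return "CURLE_COULDNT_RESOLVE_HOST";
        case 7:  return "CURLE_COULDNT_CONNECT";
        case 28: return "CURLE_OPERATION_TIMEDOUT";
        case 35: return "CURLE_SSL_CONNECT_ERROR";
        default: return "other";
    }
}

// Scan a trace line by line and classify the failure.
Triage triageTrace(const std::string& trace) {
    static const std::regex reqRe(R"(Making request to https?://([^/\s]+))");
    static const std::regex errRe(R"(Curl returned error code (\d+))");
    static const std::regex regionalWafRe(R"(^waf\.[a-z0-9-]+\.amazonaws\.com$)");
    Triage t;
    std::istringstream in(trace);
    for (std::string line; std::getline(in, line);) {
        std::smatch m;
        if (std::regex_search(line, m, reqRe)) t.host = m[1].str();
        if (std::regex_search(line, m, errRe)) t.curlCode = std::stoi(m[1].str());
    }
    if (t.curlCode == 0) t.verdict = "no curl error in trace";
    else if (t.curlCode == 6 && std::regex_match(t.host, regionalWafRe))
        t.verdict = "DNS failure for regional WAF host; set endpointOverride to waf.amazonaws.com";
    else t.verdict = curlMeaning(t.curlCode) + " for " + t.host;
    return t;
}

// Constructed sample: two lines from the issue's trace, prefixes trimmed.
const std::string kSampleTrace =
    "[TRACE] CurlHttpClient Making request to https://waf.us-west-2.amazonaws.com\n"
    "[ERROR] CurlHttpClient Curl returned error code 6\n";

int main() {
    Triage t = triageTrace(kSampleTrace);
    std::cout << t.host << " -> " << curlMeaning(t.curlCode) << ": " << t.verdict << "\n";
}
```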