aws / aws-sdk-js-v3

Modularized AWS SDK for JavaScript.
Apache License 2.0

InvalidSignatureException: Credential should be scoped to a valid region #5576

Closed Cristian-Pixtig closed 10 months ago

Cristian-Pixtig commented 10 months ago

Describe the bug

I'm trying to use the library @aws-sdk/client-cloudfront-keyvaluestore but I am getting the following error:

InvalidSignatureException: Credential should be scoped to a valid region.
    at throwDefaultError (/var/task/node_modules/@smithy/smithy-client/dist-cjs/default-error-handler.js:8:22)
    at /var/task/node_modules/@smithy/smithy-client/dist-cjs/default-error-handler.js:18:39
    at de_PutKeyCommandError (/var/task/node_modules/@aws-sdk/client-cloudfront-keyvaluestore/dist-cjs/protocols/Aws_restJson1.js:369:20)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /var/task/node_modules/@smithy/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24
    at async /var/task/node_modules/@aws-sdk/client-cloudfront-keyvaluestore/node_modules/@aws-sdk/middleware-signing/dist-cjs/awsAuthMiddleware.js:30:20
    at async /var/task/node_modules/@smithy/middleware-retry/dist-cjs/retryMiddleware.js:31:46
    at async /var/task/node_modules/@aws-sdk/client-cloudfront-keyvaluestore/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:7:26 {
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 403,
    requestId: 'e2cdf39b-5828-4a6d-98ce-1f3b7217a564',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  }
}

code:

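    // Imports added for completeness; the wrapper name putSessionKey is hypothetical
    // (the original post omitted the enclosing function).
    import { CloudFrontClient, DescribeKeyValueStoreCommand } from "@aws-sdk/client-cloudfront";
    import {
        CloudFrontKeyValueStoreClient,
        CloudFrontKeyValueStoreClientConfig,
        PutKeyCommand,
    } from "@aws-sdk/client-cloudfront-keyvaluestore";

    async function putSessionKey(sessionId: string) {
        // Describe the store through the CloudFront API to get its ARN and ETag.
        const client = new CloudFrontClient({});
        const commandDescribe = new DescribeKeyValueStoreCommand({Name: String(process.env.ARN_KVS)});
        const responseDescribe = await client.send(commandDescribe);
        const input = {
            Key: sessionId,
            Value: sessionId,
            KvsARN: responseDescribe.KeyValueStore?.ARN,
            IfMatch: responseDescribe.ETag
        };
        const config: CloudFrontKeyValueStoreClientConfig = { region: "us-east-1", };
        const clientKVS = new CloudFrontKeyValueStoreClient(config);
        const command = new PutKeyCommand(input);
        // This PutKeyCommand call is the one that fails with InvalidSignatureException.
        return await clientKVS.send(command);
    }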

It also does not allow me to describe the key value store. Using the library @aws-sdk/client-cloudfront does allow me to access the description of the space, but this last library does not allow me to add a key to the space, so I need to use the first library.

Expected Behavior

Key creation in space

Current Behavior

InvalidSignatureException: Credential should be scoped to a valid region. 
    at throwDefaultError (/var/task/node_modules/@smithy/smithy-client/dist-cjs/default-error-handler.js:8:22)
    at /var/task/node_modules/@smithy/smithy-client/dist-cjs/default-error-handler.js:18:39
    at de_PutKeyCommandError (/var/task/node_modules/@aws-sdk/client-cloudfront-keyvaluestore/dist-cjs/protocols/Aws_restJson1.js:369:20)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async /var/task/node_modules/@smithy/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24
    at async /var/task/node_modules/@aws-sdk/client-cloudfront-keyvaluestore/node_modules/@aws-sdk/middleware-signing/dist-cjs/awsAuthMiddleware.js:30:20
    at async /var/task/node_modules/@smithy/middleware-retry/dist-cjs/retryMiddleware.js:31:46
    at async /var/task/node_modules/@aws-sdk/client-cloudfront-keyvaluestore/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:7:26 {
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 403,
    requestId: 'e2cdf39b-5828-4a6d-98ce-1f3b7217a564',
    extendedRequestId: undefined,
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  }
}

Reproduction Steps

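    // Imports and the enclosing function added for completeness; putSessionKey is a hypothetical name.
    import { CloudFrontClient, DescribeKeyValueStoreCommand } from "@aws-sdk/client-cloudfront";
    import { CloudFrontKeyValueStoreClient, CloudFrontKeyValueStoreClientConfig, PutKeyCommand } from "@aws-sdk/client-cloudfront-keyvaluestore";

    async function putSessionKey(sessionId: string) {
        const client = new CloudFrontClient({});
        const commandDescribe = new DescribeKeyValueStoreCommand({Name: String(process.env.ARN_KVS)});
        const responseDescribe = await client.send(commandDescribe);
        const input = {
            Key: sessionId,
            Value: sessionId,
            KvsARN: responseDescribe.KeyValueStore?.ARN,
            IfMatch: responseDescribe.ETag
        };
        const config: CloudFrontKeyValueStoreClientConfig = { region: "us-east-1", };
        const clientKVS = new CloudFrontKeyValueStoreClient(config);
        const command = new PutKeyCommand(input);
        return await clientKVS.send(command);
    }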

Possible Solution

No response

Additional Information/Context

No response

SDK version used

@aws-sdk/client-cloudfront-keyvaluestore@3.468.0

Environment details (OS name and version, etc.)

x86_64 -> Lambda -> Node.js 18.x

Arno-Z commented 10 months ago

Issue is still present in version @aws-sdk/client-cloudfront-keyvaluestore v3.470.0

aBurmeseDev commented 10 months ago

Hi @Cristian-Pixtig @Arno-Z - thanks for reporting. I was able to reproduce this and am doing more investigation as well as reaching out to the service team for their insight. I'll circle back as soon as I get updates. Appreciate your patience.

aBurmeseDev commented 10 months ago

Thanks for your patience. @Cristian-Pixtig @Arno-Z After further investigation, I found out that JS v3 is opt-in for the use of SigV4a due to a large optional dependency on the aws-crt node bindings package. It doesn't automatically include nor dynamically import this package due to its size negatively affecting customers who don't need it.

Another thing worth mentioning, according to the Service API docs, is that if you intend to obtain a reference to a key value store, the service API suggests using DescribeKeyValueStoreCommand from the CloudFront KeyValueStore API instead of the CloudFront API. The two APIs return slightly different data as mentioned below:

Both the CloudFront API and the CloudFront KeyValueStore API have a describe operation that returns data about the key value store:

  • The CloudFront API provides data such as the status and the date that the store itself was last modified.
  • The CloudFront KeyValueStore API provides data about the contents of the storage resource — the key value pairs in the store, and the size of the contents.

The describe operations in the two APIs return slightly different data that identifies the key value store:

  • The describe operation in the CloudFront API returns an ETag, the UUID, and the ARN of the key value store.
  • The describe operation in the CloudFront KeyValueStore API returns an ETag and the ARN of the key value store.

Finally, here's the code that I modified, tested and worked as expected:

    import { CloudFrontKeyValueStoreClient, PutKeyCommand, DescribeKeyValueStoreCommand } from "@aws-sdk/client-cloudfront-keyvaluestore";
    // *** add these two imports: ***
    import { SignatureV4MultiRegion } from "@aws-sdk/signature-v4-multi-region";
    import "@aws-sdk/signature-v4-crt";

    const client = new CloudFrontKeyValueStoreClient({
        region: "us-west-2",
        signerConstructor: SignatureV4MultiRegion,  // *** add this parameter. ***
    });
    const describeInput = {
        KvsARN: "arn:aws:cloudfront::xxxxxxxx:key-value-store/xxxxxxx",
    };
    const commandDescribe = new DescribeKeyValueStoreCommand(describeInput);
    const responseDescribe = await client.send(commandDescribe);
    const input = {
        Key: 'newkey',
        Value: "newkeyvalue",
        KvsARN: responseDescribe.KvsARN,
        IfMatch: responseDescribe.ETag
    };
    const command = new PutKeyCommand(input);
    const responsePut = await client.send(command);

Hope that makes sense and let me know if you have any further questions! John
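
Added example, not part of the original thread or of the SDK's code: a small diagnostic that reads a signed request's headers and reports whether it carries a single-region SigV4 credential scope (the form rejected with "Credential should be scoped to a valid region") or a SigV4a signature with a region set. The header objects are constructed samples with placeholder key ID and signature, lower-case header names are an assumption, and `describeSigning` / `isMultiRegionSigned` are hypothetical helper names.

```javascript
// Constructed sample headers (not captured traffic); key ID and signature are placeholders.
const SIGV4_HEADERS = {
  authorization:
    "AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20231213/us-east-1/cloudfront-keyvaluestore/aws4_request, " +
    "SignedHeaders=host;x-amz-date, Signature=0000",
};
const SIGV4A_HEADERS = {
  authorization:
    "AWS4-ECDSA-P256-SHA256 Credential=AKIDEXAMPLE/20231213/cloudfront-keyvaluestore/aws4_request, " +
    "SignedHeaders=host;x-amz-date;x-amz-region-set, Signature=0000",
  "x-amz-region-set": "*",
};

// Parse the Authorization header and report how the credential is scoped.
function describeSigning(headers) {
  const auth = headers.authorization || "";
  const m = /^(\S+)\s+Credential=([^,\s]+)/.exec(auth);
  if (!m) return { variant: "unsigned", problems: ["no AWS4 Authorization header"] };
  const [, algorithm, credential] = m;
  const scope = credential.split("/").slice(1); // drop the access key ID
  const regionSet = headers["x-amz-region-set"] ?? null;
  const problems = [];
  let variant = "unknown";
  let region = null;
  if (algorithm === "AWS4-HMAC-SHA256") {
    variant = "sigv4";
    // SigV4 scope: date/region/service/aws4_request (one region baked into the scope)
    if (scope.length !== 4) problems.push("expected 4 scope parts");
    region = scope[1] ?? null;
  } else if (algorithm === "AWS4-ECDSA-P256-SHA256") {
    variant = "sigv4a";
    // SigV4a scope: date/service/aws4_request; regions travel in X-Amz-Region-Set
    if (scope.length !== 3) problems.push("expected 3 scope parts");
    if (!regionSet) problems.push("missing x-amz-region-set header");
  } else {
    problems.push(`unrecognised algorithm ${algorithm}`);
  }
  if (scope[scope.length - 1] !== "aws4_request") problems.push("scope must end in aws4_request");
  return { variant, region, service: scope[scope.length - 2] ?? null, regionSet, problems };
}

// True when the request is signed with SigV4a and a well-formed, region-free scope.
function isMultiRegionSigned(headers) {
  const d = describeSigning(headers);
  return d.variant === "sigv4a" && d.problems.length === 0;
}
```
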

Cristian-Pixtig commented 10 months ago

Thank you very much, I tested the configuration on the client you provided, the error no longer appears @aBurmeseDev

genifycom commented 10 months ago

This affects .NET as well.

The class AmazonCloudFrontKeyValueStoreConfig does not have a method SignerConstructor so unsure how to proceed.

Any help appreciated.

    BasicAWSCredentials creds = new BasicAWSCredentials(aws_access_key, aws_secret_key);
    AmazonCloudFrontKeyValueStoreConfig config = new();
    config.SignatureVersion = "v4";
    config.RegionEndpoint = RegionEndpoint.USWest1;
    //config.UseSignatureVersion4 = true;

    AmazonCloudFrontKeyValueStoreClient kvs = new(creds, config);
    ListKeysRequest request = new()
    {
        KvsARN = kvarn,
        MaxResults = 10
    };

    try
    {
        var result = await kvs.ListKeysAsync(request);
    }
    catch (Exception ex)
    {
        var msg = ex.Message; //Gives Credential should be scoped to a valid region.
    }

github-actions[bot] commented 9 months ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.