Request signing not working

[jbvsmo]

I started implementing a very similar project (I've implemented the EventStream format and data serialization) this week and I was having trouble with the signature process so, when I asked around, they pointed me to this which I thought would save me a couple weeks worth of work, but then I hit the same road bump with your test program.

Possibly I'm just too early to the party, but is it supposed to sign requests correctly at this stage? I have ~/.aws/credentials and ~/.aws/config setup correctly since I use many other stuff on AWS.

Below is the 403 server response.

The Canonical String for this request should have been
'POST
/stream-transcription

host:transcribestreaming.us-east-1.amazonaws.com
x-amz-date:20200730T190952Z
x-amzn-transcribe-language-code:en-US
x-amzn-transcribe-media-encoding:pcm
x-amzn-transcribe-sample-rate:16000

host;x-amz-date;x-amzn-transcribe-language-code;x-amzn-transcribe-media-encoding;x-amzn-transcribe-sample-rate
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20200730T190952Z
20200730/us-east-1/transcribe/aws4_request
c3580f4aec147e0b2c57bba5c07f5325fb911dbd7848730b9e90633e147269f7'

[nateprewitt]

Hi @jbvsmo,

Thanks for reaching out about this. The v0.1.0 release should be signing and round tripping correctly with Transcribe Streaming. At first glance, I'm not sure why we'd be producing an incorrect hash for the String to sign. Could you provide some more details about how you're using the library and your credential setup?

Assuming it's a direct copy paste from the README, the library we use for auth will source credentials in the following order:

1. Environment Variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN
2. Environment Variable: AWS_PROFILE
3. The default profile in ~/.aws/credentials

One other thing to check is passing a StaticCredentialResolver. You can instantiate this class with your access_key_id, secret_access_key, and session_token and pass it to the client as the credential_resolver parameter. That will bypass the resolution and help us narrow down if this is an environment or credential issue.

[jbvsmo]

Thanks for the swift response. I know my credentials were correctly fetched from the default profile as my debugger will show:

I am testing latest code on the develop branch, so I need to switch back to version v0.1.0?

[nateprewitt]

There shouldn't be any differences with credentials between v0.1.0 and the current HEAD (42d4e78) of develop.

[jbvsmo]

I first ran the code exactly as shown on the README, but then I changed region to my default hoping it would change something, but both display same exact message.

[jbvsmo]

@nateprewitt I decided to switch to another AWS account credentials and somehow on this other one it works correctly! I don't know what might be misconfigured on the 1st account, but sorry for the inconvenience. I use the default account for many things, and the console works for Transcribe service...

[joguSD]

@jbvsmo That's good to hear.

For clarity, when using the default profile with another tool (such as the AWS CLI) you're able to make calls correct? But when using this SDK you're getting signature mismatch issues?

I'm curious if there's a discrepancy parsing the config/credential files between this SDK and other tools. Perhaps there's some trailing whitespace or file encoding issues that are impacting how the key/secret are being loaded?

[jbvsmo]

@joguSD I thought you were correct when I added trailing whitespace and newlines, but I had switched back to original default account. If you read my previous message, disregard it.

I have now reordered and mixed the elements on the file but still my original account fails and the second one still works.

The string I see on the debugger is the exact string on the credentials file

[joguSD]

Does the information here on "signature does not match" help at all? https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-troubleshooting.html#tshoot-sig-time-off

I'm wondering if it's related to any of those "special" characters or clock skew.

[jbvsmo]

I will check, but I guess this issue can be closed