brendanhay / amazonka

A comprehensive Amazon Web Services SDK for Haskell.
https://amazonka.brendanhay.nz

Invalid signature on SimpleDb calls #370

Open rblaze opened 7 years ago

rblaze commented 7 years ago

While trying to create a new sdb domain, I'm receiving an error message from AWS about an invalid signature. I'm sure my access key is correct, because this is the last operation in a sequence of several others, which complete just fine. I'm also able to repro it in ghci.

Here is the ghci session log:

...> runResourceT $ runAWS env $ send listBuckets
ListBucketsResponse' {_lbrsBuckets = Just [Bucket' {_bCreationDate = Time 2017-02-16 02:16:50 UTC, _bName = BucketName "privatecloud-2246554760"},Bucket' {_bCreationDate = Time 2017-02-16 02:16:12 UTC, _bName = BucketName "privatecloud-3408907772"},Bucket' {_bCreationDate = Time 2017-02-15 07:14:45 UTC, _bName = BucketName "privatecloud-devtest"}], _lbrsOwner = Just (Owner' {_oDisplayName = Just "blaze", _oId = Just "20af3f0492ac6a30b9299fce441f49f96e90d57169ad62524b24d5729e256180"}), _lbrsResponseStatus = 200}

...> runResourceT $ runAWS env $ send $ createDomain "foobar"
*** Exception: ServiceError (ServiceError' {_serviceAbbrev = Abbrev "SDB", _serviceStatus = Status {statusCode = 403, statusMessage = "Forbidden"}, _serviceHeaders = [("Date","Thu, 16 Feb 2017 02:24:09 GMT"),("Transfer-Encoding","chunked"),("Connection","keep-alive"),("Server","Amazon SimpleDB")], _serviceCode = ErrorCode "SignatureDoesNotMatch", _serviceMessage = Just (ErrorMessage "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."), _serviceRequestId = Just (RequestId "7b1dd6f2-7d8e-eea2-c72d-17f20163f5c8")})

Same error for listDomains and deleteDomain. I guess this is a common problem for all sdb calls.

rblaze commented 6 years ago

Bump: this still happens in 1.5.0

LeifW commented 6 years ago

Same on 1.6.0:

[Client Request] {
  host      = sdb.us-west-2.amazonaws.com:443
  secure    = True
  method    = POST
  target    = Nothing
  timeout   = ResponseTimeoutMicro 70000000
  redirects = 0
  path      = /
  query     = AWSAccessKeyId=redacted...
  headers   = date: 2018-06-26T07:30:29.288364251Z; content-type: application/x-www-form-urlencoded; charset=utf-8
  body      = Action=CreateDomain&DomainName=foo&Version=2009-04-15
}
[Client Response] {
  status  = 403 Forbidden
  headers = date: Tue, 26 Jun 2018 07:30:29 GMT; transfer-encoding: chunked; connection: keep-alive; server: Amazon SimpleDB
}
[ServiceError] {
  service    = SDB
  status     = 403 Forbidden
  code       = SignatureDoesNotMatch
  message    = Just The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
  request-id = Just 2caed883-6cda-bc16-0672-a74a4e3c13a9
}

LeifW commented 6 years ago

One difference I noticed between my request and the docs: in my request, Action and DomainName are in the request body, while in the docs there is apparently no body; Action and DomainName are additional parameters in the query part of the URL (https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API_CreateDomain.html). Version is in both the query string and body of my request.

LeifW commented 6 years ago

The "aws" package has an SDB client that works (http://hackage.haskell.org/package/aws-0.20/docs/Aws-SimpleDb.html). In a request I just sent with it, it's using POST, the query string is empty, the only headers are Date and Content-Type application/x-www-form-urlencoded; charset=utf-8, and the body consists of Signature, AWSAccessKeyId, SignatureMethod=HmacSHA256, SignatureVersion=2, Timestamp=2018-07-01T07%3A36%3A09, Version=2009-04-15, and Action=ListDomains.

LeifW commented 6 years ago

It looks like the postQuery used by sdb is correctly creating a POST request with the parameters as form parameters in the body, but the V2 signing method just puts the signature stuff as query params. Query params are unusual for a POST, especially a form post.
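
A sketch of AWS Signature Version 2 as discussed in the comments above, added here as an example (it is not code from amazonka, the "aws" package, or any commenter): the signature covers the HTTP verb, host, path and every request parameter, so a verifier that collects parameters from both the query string and the form body rejects a signature computed over only one of them. The access key, secret and the `query_only_signature` scenario are constructed assumptions; the thread does not establish which parameters amazonka actually signs.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values; not real credentials.
ACCESS_KEY = "AKIAEXAMPLEKEYID0000"
SECRET_KEY = "constructed-secret-for-illustration"
HOST = "sdb.us-west-2.amazonaws.com"

def canonical_query(params):
    """Sort by parameter name and RFC 3986-encode names and values."""
    pairs = sorted(params.items())
    return "&".join(quote(k, safe="-_.~") + "=" + quote(v, safe="-_.~") for k, v in pairs)

def sign_v2(secret, method, host, path, params):
    """Return the base64 HMAC-SHA256 SigV2 signature over the given parameters."""
    string_to_sign = "\n".join([method, host.lower(), path, canonical_query(params)])
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def verify(secret, method, host, path, query, body):
    """Service-side check: recompute over every parameter except Signature."""
    received = {**query, **body}
    claimed = received.pop("Signature", None)
    expected = sign_v2(secret, method, host, path, received)
    return claimed is not None and hmac.compare_digest(claimed, expected)

AUTH = {
    "AWSAccessKeyId": ACCESS_KEY,
    "SignatureMethod": "HmacSHA256",
    "SignatureVersion": "2",
    "Timestamp": "2018-07-01T07:36:09",
    "Version": "2009-04-15",
}
ACTION = {"Action": "CreateDomain", "DomainName": "foo"}

def all_in_body():
    """Layout reported as working: every parameter signed and sent in the body."""
    body = {**AUTH, **ACTION}
    body["Signature"] = sign_v2(SECRET_KEY, "POST", HOST, "/", body)
    return verify(SECRET_KEY, "POST", HOST, "/", {}, body)

def query_only_signature():
    """Hypothetical failure: the signature covers the query parameters only."""
    query = dict(AUTH)
    query["Signature"] = sign_v2(SECRET_KEY, "POST", HOST, "/", query)
    return verify(SECRET_KEY, "POST", HOST, "/", query, dict(ACTION))
```
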

LeifW commented 6 years ago

Could this either be fixed, or perhaps have the package marked as deprecated on Hackage? There's already a perfectly working SimpleDB client on hackage, and I wasted a fair amount of time building around this Amazonka client, which I can't tell if it has ever worked.

endgame commented 2 years ago

While it would be nice to fix eventually, it's not worth holding up the 2.0 release over. It's pretty clearly not a flagship AWS product and isn't even in any remotely new regions:

Amazon SimpleDB is currently available in the US East (Northern Virginia), US West (Oregon), US West (Northern California), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), Asia Pacific (Sydney), and South America (Sao Paulo) Regions.

I'd consider a PR if someone else had time to make one, though.

endgame commented 1 week ago

Jeff Barr confirms that SimpleDB is closed to new signups:

After giving it a lot of thought, we made the decision to discontinue new access to a small number of services, including AWS CodeCommit.

While we are no longer onboarding new customers to these services, there are no plans to change the features or experience you get today, including keeping them secure and reliable.

We also support migrations to other AWS or third-party solutions better aligned with your evolving needs. Keep the feedback coming. We’re always listening.

I hear you and we are making improvements so this is clearer for customers.

The services I'm referring to are: S3 Select, CloudSearch, Cloud9, SimpleDB, Forecast, Data Pipeline, and CodeCommit.

I still haven't had time to look at this, but when I do, there's a real chance I won't have access to SimpleDB. If that is the case, I will just have to close this issue WONTFIX.