AuthFailure against cn-north-1

[ziyan]

I am trying to use packer with cn-north-1. I am stuck the following error:

2014/10/13 17:33:39 packer-builder-amazon-ebs: 2014/10/13 17:33:39 get { https://ec2.cn-north-1.amazonaws.com.cn/?AWSAccessKeyId=AKIAOTSXDIKK75XAFENQ&Action=DescribeImages&ImageId.1=ami-56bd2f6f&Signature=aO1ARGp7Za1dEYDwV7s29I97U0wiEqu6f6ByTJJy0vY%3D&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2014-10-14T00%3A33%3A39Z&Version=2014-06-15 } -> {
2014/10/13 17:33:40 packer-builder-amazon-ebs: 2014/10/13 17:33:40 response:
2014/10/13 17:33:40 packer-builder-amazon-ebs: 2014/10/13 17:33:40 HTTP/1.1 401 Unauthorized
2014/10/13 17:33:40 packer-builder-amazon-ebs: Transfer-Encoding: chunked
2014/10/13 17:33:40 packer-builder-amazon-ebs: Date: Tue, 14 Oct 2014 00:33:40 GMT
2014/10/13 17:33:40 packer-builder-amazon-ebs: Server: AmazonEC2
2014/10/13 17:33:40 packer-builder-amazon-ebs:
2014/10/13 17:33:40 packer-builder-amazon-ebs: fe
2014/10/13 17:33:40 packer-builder-amazon-ebs: <?xml version="1.0" encoding="UTF-8"?>
2014/10/13 17:33:40 packer-builder-amazon-ebs: <Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>5625fd3a-c5ce-40aa-88eb-e29e7421d135</RequestID></Response>
2014/10/13 17:33:40 packer-builder-amazon-ebs: 0
2014/10/13 17:33:40 packer-builder-amazon-ebs:
2014/10/13 17:33:40 packer-builder-amazon-ebs:
2014/10/13 17:33:40 packer-builder-amazon-ebs: }
==> amazon-ebs: Error querying AMI: AWS was not able to validate the provided access credentials (AuthFailure)

I have verified that the same credentials works with the python boto client against cn-north-1. Could this be a signature issue? I wonder if V4 is needed.

Thank you for your awesome work with goamz and packer by the way!

[ziyan]

This is the output from boto using the same credentials:

send: 'POST / HTTP/1.1\r\nAccept-Encoding: identity\r\nContent-Length: 63\r\nUser-Agent: Boto/2.32.1 Python/2.7.6 Linux/3.13.0-35-generic\r\nHost: ec2.cn-north-1.amazonaws.com.cn\r\nX-Amz-Date: 20141014T005114Z\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nAuthorization: AWS4-HMAC-SHA256 Credential=AKIAOTSXDIKK75XAFENQ/20141014/cn-north-1/ec2/aws4_request,SignedHeaders=host;x-amz-date,Signature=1e2a1c00069f9f4859323578e61180f9e4557779a874237b5368df4038116ba3\r\n\r\nAction=DescribeImages&ImageId.1=ami-56bd2f6f&Version=2014-05-01'
reply: 'HTTP/1.1 200 OK\r\n'
header: Content-Type: text/xml;charset=UTF-8
header: Transfer-Encoding: chunked
header: Vary: Accept-Encoding
header: Date: Tue, 14 Oct 2014 00:51:14 GMT
header: Server: AmazonEC2

[ritksm]

+1 this

[ziyan]

@ritksm I ended up hacking something together to make it work with cn-north-1 (at least for ec2 services) if you are interested: https://github.com/ziyan/goamz/commit/10cf078275a417a23bcd82e3b395c70f992b766a

Seems cn-north-1 really want V4 signatures. I contacted AWS China and they have not responded yet.

[ritksm]

@ziyan I will try it out. Thanks for your great work.

[igmar]

+1 this. eu-central-1 also requires v4 signatures.

[ashleydw]

+1 for the eu-central-1

[ekle]

ec2 also needs V4 signatures on eu-central-1

[ekle]

hi, i added V4 signing support for ec2 and made a pull request: https://github.com/mitchellh/goamz/pull/154 i find it a little bit strange that every aws service needs his own signing functions, but i needed to access eu-central-1 so i just replaced the old sign function. Do all regions support the new V4 signing ?

[bgentry]

@ekle according to http://docs.aws.amazon.com/general/latest/gr/sigv4_support.html all regions of the supported products support v4 signing.

[arosenhagen]

:+1:

[nchammas]

+1

The root issue here seems to be the same as the one in https://github.com/mitchellh/packer/issues/1646.

[anaptfox]

+1

[marsmensch]

+1

[femueller]

+1

[darth30joker]

same issue here with packer v0.7.5

[thereforsunrise]

+1