okigan / awscurl

curl-like access to AWS resources with AWS Signature Version 4 request signing.
MIT License

Some services require the AWS Security Token as part of the signature #13

Closed gozer closed 7 years ago

gozer commented 7 years ago

Just encountered an issue using awscli against Amazon ElasticSearch service. Turns out some services require the x-amz-security-token header to be part of the signature, others don't.

I believe it's safe to just always include it in the signed payload when it's set.

From: Amazon V4 Signatures:

You can use temporary security credentials provided by the AWS Security Token Service (AWS STS) to sign a request. The process is the same as using long-term credentials, but requires an additional HTTP header or query string parameter for the security token. The name of the header or query string parameter is X-Amz-Security-Token, and the value is the session token (the string you received from AWS STS when you obtained temporary security credentials).

When you add the X-Amz-Security-Token parameter to the query string, some services require that you include this parameter in the canonical (signed) request. For other services, you add this parameter at the end, after you calculate the signature. For details, see the API reference documentation for that service.

okigan commented 7 years ago

"header or query string parameter is X-Amz-Security-Token"

I think awscurl already passes that token as a header. Any insight why this does not work in your case?

gozer commented 7 years ago

awscurl does pass that token as a header, but doesn't include it in the signature, which is required for some services, like ElasticSearch
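Added example, not part of the thread and not awscurl's own code: a minimal SigV4 header signer showing the two behaviours discussed above, with the session token either included in the canonical (signed) headers or only sent alongside the request. The credentials, host and token are constructed placeholders, and `sign_v4` with its `sign_token` parameter are hypothetical names.

```python
import hashlib
import hmac

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_v4(method, host, path, query, body, region, service, access_key,
            secret_key, amz_date, session_token=None, sign_token=True):
    """Build SigV4 headers; sign_token controls whether the STS token is signed."""
    signed = {"host": host, "x-amz-date": amz_date}
    if session_token and sign_token:
        signed["x-amz-security-token"] = session_token
    names = sorted(signed)
    signed_headers = ";".join(names)
    canonical_request = "\n".join([
        method, path, query,
        "".join(f"{n}:{signed[n].strip()}\n" for n in names),
        signed_headers,
        hashlib.sha256(body).hexdigest(),
    ])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):  # date, region, service, "aws4_request"
        key = _hmac(key, part)
    signature = _hmac(key, string_to_sign).hex()
    headers = dict(signed)
    if session_token:  # the token is always sent; only signing it is optional
        headers["x-amz-security-token"] = session_token
    headers["Authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers

# Constructed sample values: placeholder credentials and a made-up endpoint.
ARGS = dict(method="GET", host="search-example.us-east-1.es.amazonaws.com",
            path="/", query="", body=b"", region="us-east-1", service="es",
            access_key="AKIDEXAMPLE", secret_key="EXAMPLE-SECRET-NOT-REAL",
            amz_date="20150830T123600Z", session_token="EXAMPLE-SESSION-TOKEN")

if __name__ == "__main__":
    for mode in (True, False):
        print(mode, sign_v4(**ARGS, sign_token=mode)["Authorization"])
```

Both modes send the same `x-amz-security-token` header; only the `SignedHeaders` list and the resulting signature differ, which is why a service that expects the token in the canonical request rejects the second form.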

okigan commented 7 years ago

@gozer sounds good, there are a couple of comments on the pull request -- if they can be addressed I'd love to merge this

okigan commented 7 years ago

@gozer bump. Please update the pull request -- trying to avoid it going stale.