timkay / aws

Easy command line access to Amazon EC2, S3, SQS, ELB, and SDB
http://timkay.com/aws/

Support AWS Signature Version 4 #83

Closed kvz closed 9 years ago

kvz commented 10 years ago

Over at Transloadit we're happy users of this project. One of our customers tried to upload something to the new Frankfurt datacenters, and got the following error:

+----------------+----------------------------------------------------------------------------------------------+------------------+
| Code | Message | RequestId |
+----------------+----------------------------------------------------------------------------------------------+------------------+
| InvalidRequest | The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256. | 8779D556E0813FCE |
+----------------+----------------------------------------------------------------------------------------------+------------------+

As it turns out, this region only supports AWS Signature Version 4, and is not backwards compatible.

Any chance of supporting AWS Signature Version 4?

timkay commented 10 years ago

I'll take a look.

darkleaf commented 9 years ago

:+1:

ollym commented 9 years ago

I've just had this issue when using Transloadit. Google brought me here.

@timkay do you have an ETA on this?

timkay commented 9 years ago

What AWS products do you need supported? Just S3?

kvz commented 9 years ago

That would do it for us, yes.

On Wed, Dec 3, 2014 at 6:07 PM, Timothy Kay notifications@github.com wrote:

What AWS products do you need supported? Just S3?

Kevin van Zonneveld (kvz.io) Co-Founder, Transloadit (transloadit.com)

timkay commented 9 years ago

I need a bit of help. Please try http://timkay.com/aws/awsv4. (You will need to name it aws.)

AWS's v4 signature is really fussy. For example, sometimes the percent encoder needs to convert slashes, and other times it better not. Good going, Amazon!

This code works mostly. However, I have a case where the SHA256 code returns the wrong hash. I didn't write that code, but now I'll have to dig into it.

The failing case is

aws --AWS4 get test682/hello.txt?acl

If you include this script in the same directory, awsv4 will compare with the hash that Python produces. If they differ, it will print a warning to STDERR and then use the Python version of the hash.

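#!/usr/bin/env python
# Print the SHA-256 hex digest of the canonical request read from stdin.

import sys, hashlib

# Read raw bytes (sys.stdin.buffer on Python 3) and drop trailing newlines.
creq = getattr(sys.stdin, 'buffer', sys.stdin).read().rstrip(b'\n')
print(hashlib.sha256(creq).hexdigest())
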
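
Added example, not part of the thread or of the aws script: a Python sketch of the two points the comment above raises for the failing `?acl` request, namely percent-encoding that keeps `/` in the object path but encodes it in the query string, and the SHA-256 of the canonical request that feeds the signature. The host name, timestamp and secret key are constructed placeholders, and the function names are hypothetical.

```python
import hashlib, hmac
from urllib.parse import quote

def uri_encode(s, keep_slash):
    # SigV4 leaves only A-Z a-z 0-9 - _ . ~ unencoded. "/" stays as-is in an
    # S3 object key path but must become %2F in query names and values.
    return quote(s, safe="-_.~" + ("/" if keep_slash else ""))

def canonical_request(method, path, query, headers, payload=b""):
    # query maps name -> value; a bare subresource such as ?acl has value "".
    pairs = sorted((uri_encode(k, False), uri_encode(v, False))
                   for k, v in query.items())
    cq = "&".join(f"{k}={v}" for k, v in pairs)
    # Header names are lowercased, values trimmed, entries sorted by name.
    hdrs = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    signed = ";".join(k for k, _ in hdrs)
    creq = "\n".join([method, uri_encode(path, True), cq,
                      "".join(f"{k}:{v}\n" for k, v in hdrs),
                      signed, hashlib.sha256(payload).hexdigest()])
    return creq, signed

def sign(secret, amz_date, region, service, creq):
    def mac(key, msg):
        return hmac.new(key, msg.encode(), hashlib.sha256).digest()
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    # The canonical request enters the signature only through its SHA-256,
    # which is the value the helper script above cross-checks.
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(creq.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = mac(key, part)
    return mac(key, to_sign).hex()

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

def demo():
    # Constructed sample values (assumptions, not taken from the thread).
    amz_date = "20141203T000000Z"
    headers = {"Host": "s3.eu-central-1.amazonaws.com",
               "x-amz-content-sha256": EMPTY_SHA256,
               "x-amz-date": amz_date}
    creq, signed = canonical_request("GET", "/test682/hello.txt",
                                     {"acl": ""}, headers)
    sig = sign("EXAMPLE-SECRET-KEY", amz_date, "eu-central-1", "s3", creq)
    return creq, signed, sig

if __name__ == "__main__":
    print(demo()[0])
```
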
timkay commented 9 years ago

It looks like SHA256 is now in Perl core, so I can switch to it. Yay. Nope. Not until 5.18, and I'm only on 5.10.

ollym commented 9 years ago

@timkay thanks mate, keep up the good work!

timkay commented 9 years ago

I am about to check in a new version. I misread the documentation before. Turns out SHA1 and SHA256 are in core since 5.10, so I'm making that the minimum supported version. It allows me to eliminate a bunch of code. "aws" gets smaller and faster, and now it supports the V4 signature algorithm. For now, V4 is supported for S3 only, but it won't be too hard to add other support.

This version does change out the encryption code, so it is slightly risky. Please let me know if you have any issues.

timkay commented 9 years ago

It would be helpful to get some feedback. Did this update address the issue? Did this update work correctly? :-)