Hey,

I'm using this library to sign requests to an AWS ES Service endpoint. Basic requests work fine, but those with a * have a signing error:

The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'GET
/.kibana-4/_mapping/%252A/field/_source
_=1447104608354
...

The canonical request generated by go-aws-auth only single-encoded the symbol:
/.kibana-4/_mapping/%2A/field/_source

Adding another encodePathFrag() call around the existing one in normuri() fixed the request.

Docs don't talk much about this but a spec on node's aws-sdk checks that URIs are double-encoded for non-S3 endpoints only. https://github.com/aws/aws-sdk-js/blob/333b9d1507a70c8e5b6459a1b513f9fcddd16457/test/signers/v4.spec.coffee#L124

I'm using the lib for ec2 service.
For url :
https://ec2.eu-central-1.amazonaws.com/?ImageId=ami-9bf712f4&MaxCount=1&MinCount=0&Action=RunInstances

when I use the Sign() func, I get response 401 :

<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>4bfd2d54-242d-4d4b-bfe5-768339e1559a</RequestID></Response>.

when I use the Sign4() func I get http response 500:

<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>InternalError</Code><Message>An internal error has occurred</Message></Error></Errors><RequestID>823256fe-0681-4578-862e-fa3458b84686</RequestID></Response>

Any idea?

Just trying out signing a request for S3 but I get

The request signature we calculated does not match the signature you provided. back from amazon.

I like the light approach of only signing http.Request if it would work.

Issue #13 addressed the thread safety of signing requests, but highlighted that now the credentials are potential hazards for race conditions.

I am not sure why the "signMutex" is necessary for concurrent access to the signing version map. In go maps are safe for concurrent access for any number of readers, it's only when something else may be writing to the map that you would need to protect it:

https://groups.google.com/forum/#!msg/golang-nuts/HpLWnGTp-n8/hyUYmnWJqiQJ

Unless I am missing something, the global map is never written to.

When I print the response, I get a 403 Forbidden with the following error MissingAuthenticationTokenException. I have nevertheless added the SecurityToken generated with

$ aws sts get_session-token

What am I doing wrong ? The error should be at least : WrongToken

Thank you

Edit

After calling :

awsauth.Sign(req)

req.Header is an empty map. Shouldn't it be populated with signed attributes ?

Edit 2

You may have inverted indexes, at least for my issue where host = "https://xxxxxxxxxx.execute-api.us-east-1.amazonaws.com"

Should be :

• service at index 1
• region at index 2

https://github.com/smartystreets/go-aws-auth/blob/0c1422d1fdb9fef5a1ad5b2e13ac663467eb767e/common.go#L49-L50

With API Gateway, you need to sign your URL if you have AWS_IAM authentication enabled and this would be a great service to use if it supported it. Unfortunately, if you are using custom domain with API Gateway, you can't derive the service and region from the URL like you can with other API requests. There should be another method similar to Sign4 that allows the user to manually provide the region and service (execute-api for API Gateway).

Route 53 is not like the others; it apparently uses a custom authentication scheme (Signed Signature Version 3?).

See comments at the end of issue #2 for more info. Currently looking into this.

Right now I am trying to sign requests to AWS Elasticsearch service, and those domains are in the form:

https://search-[domain]-[id].[region].es.amazonaws.com

My request are failing because they're defaulting to us-east-1 and service is also incorrect.

Looks like this is fixed by #27

Is Keys really a good name for it? It stores the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY, but only ever 1 pair at a time. It's just a type named Credentials, a struct with those two values. What would be a better name? Credential?

The following test for an SQS resource, succeeds with Sign2, but fails when Sign4 is substituted, otherwise code is identical. Error code returned is 403 forbidden.

package main

import (
    "fmt"
    "awsauth"
    "log"
    "net/http"
    "net/http/httputil"
)


const kAccessKeyID = "ACCESSKEY"
const kSecretAccessKey = "SECRETKEY"
const kAWSAccountID = "###########"
const kQueueName = "testqueue"

func main() {

    awsauth.Keys = &awsauth.Credentials{ kAccessKeyID, kSecretAccessKey }

    url := "https://sqs.us-east-1.amazonaws.com/" + kAWSAccountID +
        "/" + kQueueName +
        "?Action=SendMessage&Version=2012-11-05&MessageBody=YesHelloWorldmessage"

    client := &http.Client{}

    req, err := http.NewRequest("GET", url, nil)
    out, _ := httputil.DumpRequestOut((*http.Request)(req), true)
    fmt.Printf("%s\n", string(out))

    //awsauth.Sign4(req)   // This fails
    awsauth.Sign2(req)   // This succeeds
    out2, _ := httputil.DumpRequestOut((*http.Request)(req), true)
    fmt.Printf("%s\n", string(out2))

    resp, err := client.Do(req)
    if err != nil {
        log.Fatal(err)
    }

    fmt.Println(resp.StatusCode)
    fmt.Println(resp.Status)
}

This way IAM roles can be utilized within EC2 instances.

I may be wrong (let me know), but I think the process is simple:

GET http://169.254.169.254/latest/meta-data/iam/security-credentials/<role-name>

where <role-name> is the name of an IAM role (I presume it must be assigned to that instance?).

Sample output:

{
  "Code" : "Success",
  "LastUpdated" : "2012-04-26T16:39:16Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "AKIAIOSFODNN7EXAMPLE",
  "SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  "Token" : "token",
  "Expiration" : "2012-04-27T22:39:16Z"
}

There's also this API call using Security Token Service... I've actually not used either of these features before, though... someone is welcome to dive in and add this functionality if they desire it sooner than later!

If this is as simple as providing an IAM role name (or even simpler), then perhaps the library could do this implicitly: if awsauth.Keys has not been set, and it can't find environment variables with the credentials, then it could automatically suppose it's on an EC2 instance and get security credentials. It would just have to keep track of the expiration date...

My code is the following:

func (o *AWSHandler) InteractWithMethod(method, u string, values url.Values, header http.Header) (*http.Response, error) {
    var req *http.Request
    var err error

    values.Add("AWSAccessKeyId", o.config["access_key"])
    values.Add("Timestamp", time.Now().Format("2006-01-02T15:04:05Z"))
    values.Add("SignatureVersion", "3")
    if method == "GET" {
        req, err = http.NewRequest(method, u+"?"+values.Encode(), nil)
    } else {
        req, err = http.NewRequest(method, u, bytes.NewBufferString(values.Encode()))
    }
    req.Header = header
    if err != nil {
        return nil, err
    }
    awsauth.SignS3Url(req, time.Now().Add(time.Duration(10)*time.Second), awsauth.Credentials{
        AccessKeyID:     o.config["access_key"],
        SecretAccessKey: o.config["access_secret"],
    })
    resp, err := o.client.Do(req)
}

And here is the response I get:

<?xml version="1.0"?>
<ItemSearchErrorResponse xmlns="http://ecs.amazonaws.com/doc/2005-10-05/"><Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message></Error><RequestId>227b35f0-bd51-4fe0-9896-aa54c25f5c68</RequestId></ItemSearchErrorResponse>

I'm pretty sure my keys are correct...

I've followed the instructions:

go get github.com/smartystreets/go-aws-auth
import "github.com/smartystreets/awsauth" into main.go

When I compile:

cannot find package "github.com/smartystreets/awsauth" in any of:
/usr/local/go/src/pkg/github.com/smartystreets/awsauth (from $GOROOT)
/Users/sc28/projects/src/github.com/smartystreets/awsauth (from $GOPATH)

I changed to the pkg directory and deleted the .a file, went to the source directory and rebuilt/installed - running go test worked fine and the .a is refreshed in the pkg directory - same error.

Not sure why path isn't found - the package .a file is found in the $GOPATH/pkg/darwin_and64/github.com/smartystreets/ folder

The GOPATH is looking for awsauth in the smartystreets folder, where as the go get command seems to install it to the go-aws-auth folder in smartystreets

There's an alternative form of S3 authentication which makes it easy to serve files (by a certain expiration date) with only a URL, no fancy headers required.

• Introduction
• Implementation details

Announcement:

This repository (go-aws-auth) will soon be archived and will subsequently be removed on September 1, 2018. Between now and then, any who wish may fork the repo and continue development on said forks.

Background

We have come to the realization that our usage of this package is limited to only 2 aws operations:

• S3: GetObject
• S3: PutObject

So, we have opted to create a separate, single-purpose library to accomplish this specific purpose and replace go-aws-auth. We realize that there are those who have much grander ambitions for this library and we're sorry we haven't engaged with your issues and pull requests--we just no longer have a need for the kind of general-purpose AWS signing library that this package originally set out to be. Also, we created this repo when there were no official AWS SDKs for go (v1 and v2). There's also the recently released go-cloud SDK to think about now, too.

That's all for now. Thanks for reading!

Since working with the http.Client and creating new requests is usually safe from multiple goroutines, I would like to suggest either guarding the things in awsauth that manipulates http.Requests with a mutex or getting rid of the shared states as well.

I'm not entirely sure which parts of it might need changes but the race detector complained on using Sign4 for my requests on multiple routines.

I had need for a different query-string-based SigV4 signing for AWS IoTData service. The mechanism is quite different from the S3 or ES signing mechanism (already implemented in this library), so I wrote a new function to provide a SigV4 query string signing mechanism intended rather narrowly for the IoTData service for MQTT-over-WebSocket URIs, such as
wss://data.iot.us-east-1.amazonaws.com/mqtt
or account-specific endpoint like
wss://ABCD1234EFGH56.iot.us-east-1.amazonaws.com/mqtt
to produce output like
wss://ABCD1234EFGH56.iot.us-east-1.amazonaws.com/mqtt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=...
Implemented in a separate file for convenience for now,
brianfaull@105b5fb
It uses a different signature than the S3-signing mechanism, handling URIs merely as string rather than embedded within http.Request for practical reasons.
I hope this is helpful. Feel free to incorporate it if you'd like. Alternatively, if you have requests for better integration and a proper pull-request, let's talk more.

Right now setting the Host header to the value of request.Host may also include the port (if specified) and causes an incorrect canonicalURL string to get hashed.

Looks like this is fixed by PR #27

Any chance you could tag a release? coreos/rkt much prefer to only depend on tagged projects (see rkt/rkt#2428). As they put it:

Please consider assigning version numbers and tagging releases. Tags/releases
are useful for downstream package maintainers (in Debian and other distributions) to export source tarballs, automatically track new releases and to declare dependencies between packages. Read more in the Debian Upstream Guide.

Versioning provides additional benefits to encourage vendoring of a particular (e.g. latest stable) release contrary to random unreleased snapshots.

Versioning provides safety margin for situations like "ops, we've made a mistake but reverted problematic commit in master". Presumably tagged version/release is better tested/reviewed than random snapshot of "master" branch.

The magic code for parsing service/region from the service domain does not work in our environment since we refer to our services via an indirect CNAME which does not follow the AWS format.

If we could explicitly provide service and region this would not be an issue. Will attach PR with workaround.