Sign2 succeeds, but Sign4 403 forbidden about go-aws-auth HOT 9 CLOSED

Does it work if you just use the Sign() method?

from go-aws-auth.

Hi Matt,

No, that doesn't work either. However, I did figure out the issue.

This works:
"?Action=SendMessage&MessageBody=YesHelloWorldmessage&Version=2012-11-05"

This fails:
"?Action=SendMessage&Version=2012-11-05&MessageBody=YesHelloWorldmessage"

Amazon requires the parameter keys in canonical order (i.e. alphabetical).
Not being an expert on AWS signing, this was not initially obvious to me.
At first I thought I had an issue with either the auth keys or the user's
permissions or I suspected my key was missing padding for the hmac call.

Thanks,
Michael
p.s.
Well written library overall!

On Sat, Jan 25, 2014 at 10:18 AM, Matt [email protected] wrote:

Does it work if you just use the Sign() function (without specifying a
version)?

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/2#issuecomment-33295680
.

from go-aws-auth.

Thanks, and yes, the canonical ordering does seem right. Hm, I wonder how the tests are passing, then. It's been a while since I've looked at this code, but when I get a chance, I'll dive in and try to figure out why the request's parameters aren't being ordered properly.

from go-aws-auth.

@mikev I'm able to reproduce this -- looks like the tests just got lucky. I'll work on a fix.

Update: Well, that was quite easy. Silly me. Thanks for the report!

from go-aws-auth.

Cool. Thanks!

On Sun, Jan 26, 2014 at 12:24 PM, Matt [email protected] wrote:

@mikev https://github.com/mikev I'm able to reproduce this -- looks
like the tests just got lucky. I'll work on a fix.

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/2#issuecomment-33329067
.

from go-aws-auth.

Hi Matt,

Any chance to add Sign3 (Signature version 3)? It is used by AWS Route53
which is a rather important API for production services.

Best,
Michael

On Sun, Jan 26, 2014 at 4:47 PM, Michael Vierling [email protected]:

Cool. Thanks!

On Sun, Jan 26, 2014 at 12:24 PM, Matt [email protected] wrote:

@mikev https://github.com/mikev I'm able to reproduce this -- looks
like the tests just got lucky. I'll work on a fix.

Reply to this email directly or view it on GitHubhttps://github.com//issues/2#issuecomment-33329067
.

from go-aws-auth.

Oh. Version 3?? I've never heard of it. Googling Route53 authentication, though, I see this documentation. I'm not sure that it's called Version 3, but it definitely appears to be its own authentication scheme.

I can look into adding support for it. For a quicker turnaround, you're welcome to take a stab at it. A good starting point would be s3.go and s3_test.go, which has a similar procedure. I hope to get to this soon, as I agree, it's an important addition.

from go-aws-auth.

OK, draft working code enclosed. I tested against route53 and the
authentication works , but is missing a GUID generator. The source code
for the .Net AWS SDK which is authored by Amazon, was a good reference.
https://github.com/aws/aws-sdk-net/blob/10fef6f83449b416044573b0cf39ea3c6621edd7/AWSSDK_DotNet35/Amazon.Runtime/Internal/Auth/AWS3Signer.cs

Cheers,
Michael

On Thu, Jan 30, 2014 at 6:07 AM, Matt [email protected] wrote:

Oh. Version 3?? I've never heard of it. Googling Route53 authentication,
though, I see this documentationhttp://docs.aws.amazon.com/Route53/latest/DeveloperGuide/RESTAuthentication.html.
I'm not sure that it's called Version 3, but it definitely appears to be
its own authentication scheme.

I can look into adding support for it. For a quicker turnaround, you're
welcome to take a stab at it. A good starting point would be s3.go and
s3_test.go, which has a similar procedure. I hope to get to this soon, as I
agree, it's an important addition.

Reply to this email directly or view it on GitHubhttps://github.com//issues/2#issuecomment-33690185
.

from go-aws-auth.

@mikev Hm, if you attached something, it didn't come through.

What about a pull request? Or you could email me directly with the attachment. Thanks for the link, by the way -- I'll take a look soon.

Update: Got your email. Cheers. I'm going to put this into a new issue; I'm starting on this on Saturday!

from go-aws-auth.