amplify-js: Q: API: 403 The request signature we calculated does not match the signature you provided

I created API through awsmobile could-api and it looks like this

      hello: !com.amazonaws.mobilehub.v0.API 
        attributes:
          name: hello
          requires-signin: true
        paths:
          /hello: !com.amazonaws.mobilehub.v0.Function 
            name: hello
            codeFilename: uploads/hello-20171214123204.zip
            handler: lambda.handler
            enableCORS: true
            runtime: nodejs6.10
            environment: {}
          '/hello/{proxy+}': !com.amazonaws.mobilehub.v0.Function 
            name: hello
            codeFilename: uploads/hello-20171214123204.zip
            handler: lambda.handler
            enableCORS: true
            runtime: nodejs6.10
            environment: {}

When I call it without query parameters API.get('hello', '/hello') it works fine, but if I add anything to query e.g. API.get('hello', '/hello?name=John') I will get following error

403 {“message”:“The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.”}

Is my configuration wrong or what I am doing wrong?

About this issue

  • Original URL
  • State: closed
  • Created 7 years ago
  • Comments: 15 (4 by maintainers)

Most upvoted comments

@roosi @ephopper when you pass query string parameters, you need to pass them as part of the init argument object with the queryStringParameters object on the API request. This is because the rest api setup with the cli is a lambda proxy integration:

let items = await API.get('sampleCloudApi', '/items', {
  'queryStringParameters': {
    'test': '1'
  }
});

You can then access them within Lambda on the event["queryStringParameters"]['...']

+6
mlabieniec on Dec 29, 2017

I’m using aws-amplify-react-native and was running into this issue as well. After digging around for a bit, it appears to be coming from the canonical_request function in Signer.js. (in aws-amplify, it appears to be the same in Signer.ts) the return statement shows: return [request.method || '/', url_info.path, … however this should be url_info.pathname instead of url_info.path url_info.path includes the query string along with the path, whereas url_info.pathname is simply the path by itself. Also, if your query string has more than one parameter it will throw the same 403 error due to the parameters not being sorted per the signature version 4 specs. When I sort the parameters and modify the return statement appropriately, my calls are successful

var sorted_query = url_info.query ? url_info.query.split('&').sort((a,b) => a < b ? -1 : 1).join('&') : '';
return [request.method || '/', url_info.pathname, sorted_query, canonical_headers(request.headers), signed_headers(request.headers), hash(request.data)].join('\n');

This helps with GETs. There’s still an issue with PUTs though.

+2
ephopper on Dec 25, 2017

nevermind, something really freaky mustve occurred when I made the amplify user. I see in .aws/credentials after the key it for some reason appended the characters " Hide"… no clue how that happened. Any ideas? Either way, amplify init is working now that I’ve removed that.

+1
tetreault on Feb 10, 2019

Any updates on this? This makes API unusable.

+1
roosi on Dec 27, 2017
Read more comments on GitHub
← amplify-js: PushNotification does not appear to add device token to endpoint
amplify-js: React Native - AWSS3Provider - ensure credentials error cannot get guest credentials →