aws4: InvalidSignatureException on non-GET requests
I’m unsure if this is related to https://github.com/mhart/aws4/issues/23, as I was unclear how it was actually resolved.
I can perform GET requests just fine which are authorised correctly, however, as soon as I try and do POST or PUT (I would assume DELETE too), I get a 403 InvalidSignatureException error. These hits also don’t get logged to CloudWatch although the OPTIONS request seems to go through fine (and gets logged).
I’m using jQuery to make my requests like so:

```js
var API = {
  /**
   * Make an XHR request, butchered from https://github.com/remy/libraries
   * @param {string} type The request type (GET, POST, PUT)
   * @param {string} url The URL to call
   * @param {mixed} opts Callback function, or set of options
   * @param {Function} callback Callback function, should take 2 params, err and response
   * @return {XHRHttpRequest} [description]
   */
  request: function (type, url, callback) {
    var host = CONFIG.API_ENDPOINT;
    var path = "/" + CONFIG.API_ENV + url;
    // Sign the request
    var opts = aws4.sign({
      host: host,
      path: path,
      service: 'execute-api',
      region: CONFIG.REGION
    },
    {
      accessKeyId: CONFIG.ACCESS_KEY,
      secretAccessKey: CONFIG.SECRET_KEY,
      sessionToken: CONFIG.SESSION_TOKEN
    });
    // Because we can't actually send the host header (chrome throws an error)
    delete opts.headers.Host;
    return $.ajax({
      type: type,
      url: "https://" + opts.host + opts.path,
      headers: opts.headers
    });
  }
};
API.get = API.request.bind(this, 'GET');
API.post = API.request.bind(this, 'POST');
API.put = API.request.bind(this, 'PUT');
```
Here’s the Request and Response I’m sending / receiving;
```
General
Request URL:https://******/
Request Method:PUT
Status Code:403 Forbidden
Remote Address: *.*.*.*:443

Request Headers
Accept:*/*
Accept-Encoding:gzip, deflate, sdch, br
Accept-Language:en-US,en;q=0.8
Authorization:AWS4-HMAC-SHA256 Credential=ASIAJ2FOGYMTXFJOUQQA/20160830/us-east-1/execute-api/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=bdb46e463dfa55650541852d2657eddb02d554db3720904358102efe28b70adf
Cache-Control:no-cache
Connection:keep-alive
Content-Length:0
Content-Type:application/json
Pragma:no-cache
Origin:http://bitc.dev
Referer:http://bitc.dev/
User-Agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
X-Amz-Date:20160830T163359Z
X-Amz-Security-Token:…

Response Headers
Connection:keep-alive
Content-Length:1552
Content-Type:application/json
Date:Tue, 30 Aug 2016 16:43:49 GMT
Via:1.1 c77b51ad135b3319a54e2e40de778962.cloudfront.net (CloudFront)
X-Amz-Cf-Id:UqkPTl73hkNEghrrxVBI1czDjZY2TNd3fvBWCcDHRtS1lGpSDb15yA==
x-amzn-ErrorType:InvalidSignatureException
x-amzn-RequestId:ed00bbcd-6ed0-11e6-b916-6db2f5be0977
X-Cache:Error from cloudfront
```
I have tried with and without setting a ‘body’ value on the request, with the same error.
About this issue
- State: closed
- Created 8 years ago
- Comments: 24 (14 by maintainers)
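
Added example (not from the issue or the aws4 project): a minimal SigV4 computation with Node's `crypto`, showing that the HTTP method and the payload hash are both part of the signed canonical request, so a signature computed for the defaults (GET, empty payload), as when no `method` or `body` is handed to the signer in the snippet in the question, only verifies for a bodyless GET. The host, path and secret are constructed placeholders, and `sigv4Signature` and `serverAccepts` are hypothetical helper names.

```javascript
// Added example: minimal SigV4 signature using only Node's crypto module.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');
const hmac = (key, s) => crypto.createHmac('sha256', key).update(s, 'utf8').digest();

// Header names must be lowercase; path and query are assumed already canonical.
function sigv4Signature(req, creds) {
  const { method = 'GET', path, query = '', headers, body = '' } = req;
  const names = Object.keys(headers).sort();
  const canonicalRequest = [
    method,                                                    // the verb is signed
    path,
    query,
    names.map((n) => `${n}:${headers[n].trim()}\n`).join(''),
    names.join(';'),
    sha256(body),                                              // so is the payload hash
  ].join('\n');

  const amzDate = headers['x-amz-date'];
  const day = amzDate.slice(0, 8);
  const scope = `${day}/${creds.region}/${creds.service}/aws4_request`;
  const stringToSign =
    ['AWS4-HMAC-SHA256', amzDate, scope, sha256(canonicalRequest)].join('\n');

  // Derive the signing key: date -> region -> service -> "aws4_request".
  let key = hmac('AWS4' + creds.secretAccessKey, day);
  for (const part of [creds.region, creds.service, 'aws4_request']) key = hmac(key, part);
  return hmac(key, stringToSign).toString('hex');
}

// Constructed sample values: not real credentials or a real endpoint.
const creds = { secretAccessKey: 'EXAMPLE-SECRET', region: 'us-east-1', service: 'execute-api' };
const signedRequest = {
  path: '/dev/items',
  headers: { host: 'api.example.invalid', 'x-amz-date': '20160830T163359Z' },
};

// Client signs with the defaults (GET, empty body); the server recomputes the
// signature from what actually arrived on the wire and compares.
function serverAccepts(onTheWire) {
  const clientSig = sigv4Signature(signedRequest, creds);
  const serverSig = sigv4Signature({ ...signedRequest, ...onTheWire }, creds);
  return clientSig === serverSig;
}

console.log('GET, no body :', serverAccepts({ method: 'GET' }));
console.log('PUT, no body :', serverAccepts({ method: 'PUT' }));
console.log('GET with body:', serverAccepts({ method: 'GET', body: '{"a":1}' }));
```

When debugging a 403 of this kind, compare the method, path, signed header values and body bytes given to the signer against what the browser actually sends; any difference in those inputs changes the signature.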
Right, well API Gateway requires you to set up Mapping Templates for the correct Content Type – http://docs.aws.amazon.com/apigateway/latest/developerguide/request-response-data-mappings.html#transforming-request-response-body
I had just assumed you had done that for `application/x-www-form-urlencoded` because you said that’s what you wanted to send in

Sorry, that was an old bit of code, I am signing with the method;