Smokey

Reputation: 1897

Error: Signature matches only once in EC2 API request

I will show you my signing request.

https://ec2.eu-west-1.amazonaws.com?AWSAccessKeyId=THISISFAKEIDD
&Action=AuthorizeSecurityGroupIngress
&GroupId=sg-blahblah
&IpPermissions.1.FromPort=7264
&IpPermissions.1.IpProtocol=ani
&IpPermissions.1.IpRanges.1.CidrIp=272.64.292.200%2F32
&IpPermissions.1.ToPort=7264
&SignatureMethod=HmacSHA256
&SignatureVersion=2
&Timestamp=2014-06-10T05%3A25%3A10Z
&Version=2014-05-01
&Signature=FZgxzY0htCocacolaX4PXf0uJjnwmayhemDavkwCUw=

The signature was generated, and this request successfully added my IP address (272.64.292.200) to the security group (sg-blahblah). So that means this request is correct and there is no error in my code for generating the signature.

OK. Now when I try to add another IP address to the same group using the same signing request with a different IP address parameter and Timestamp, a new signature is generated. But I am not able to add it to the security group. "Signature does not match. Calculated signature does not match" is shown.

Why is that so? I use UTC time. If my request was incorrect, how was I able to add the IP address in the first place? Or is it an error on the server side of EC2?

Upvotes: 0

Views: 58

Answers (1)

Michael - sqlbot

Reputation: 179404

It looks like you did some urlencoding, but you missed one thing... the value for the signature.

&Signature=FZgxzY0htCocacolaX4PXf0uJjnwmayhemDavkwCUw=   (incorrect)
&Signature=FZgxzY0htCocacolaX4PXf0uJjnwmayhemDavkwCUw%3D (correct)

If you urlencode this value, that should be what you are missing. Having any of =+/ unencoded in the signature will break it.

Upvotes: 1
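
Added example (not part of the original answer, and not AWS code): a Signature Version 2 signer in Python that percent-encodes the base64 signature, plus a check of what happens to an unencoded `+` when the query string is decoded. The secret key, the CIDR value and the helper names are constructed for illustration, and the receiving side is assumed to decode the query the way `urllib.parse.parse_qs` does.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote

# Constructed sample values; none of these are real credentials or resources.
SECRET_KEY = "constructed-secret-key"
HOST = "ec2.eu-west-1.amazonaws.com"
PARAMS = {
    "AWSAccessKeyId": "THISISFAKEIDD",
    "Action": "AuthorizeSecurityGroupIngress",
    "GroupId": "sg-blahblah",
    "IpPermissions.1.IpRanges.1.CidrIp": "203.0.113.10/32",
    "SignatureMethod": "HmacSHA256",
    "SignatureVersion": "2",
    "Version": "2014-05-01",
}

def enc(value):
    # RFC 3986 percent-encoding: only A-Z a-z 0-9 - _ . ~ stay literal.
    return quote(str(value), safe="-_.~")

def sign_v2(secret_key, host, params, method="GET", path="/"):
    """Return (base64 signature, signed query string) for Signature Version 2."""
    canonical = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    string_to_sign = "\n".join([method, host.lower(), path, canonical])
    mac = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha256)
    signature = base64.b64encode(mac.digest()).decode()
    # The signature is a query value like any other, so it is encoded as well.
    return signature, canonical + "&Signature=" + enc(signature)

def received_signature(query):
    """Signature value as a form-style query parser would decode it."""
    return parse_qs(query)["Signature"][0]

def find_plus_case(secret_key, host, params):
    """Try constructed timestamps until the signature contains '+'."""
    for second in range(60):
        trial = dict(params, Timestamp=f"2014-06-10T05:25:{second:02d}Z")
        signature, query = sign_v2(secret_key, host, trial)
        if "+" in signature:
            return signature, query
    raise RuntimeError("no '+' in 60 trial signatures")

if __name__ == "__main__":
    sig, good_query = find_plus_case(SECRET_KEY, HOST, PARAMS)
    bad_query = good_query.rsplit("&Signature=", 1)[0] + "&Signature=" + sig
    print("unencoded round-trips:", received_signature(bad_query) == sig)
    print("encoded round-trips:  ", received_signature(good_query) == sig)
```

Because the signature changes with every Timestamp, whether it contains a character that is altered in transit varies from request to request, which is why an unencoded signature can be accepted on one call and rejected on the next.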
