Anton Kononenko

Reputation: 493

AWS Signed URL issue

I'm trying to send a request to AWS with a signature, using the AWS Signature v4 Implementation for Web Browsers.

My request looks like: GET /test?id=ID-12

I get a 403 error with a message like:

The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'GET
/test

accept:*/*
...

So, as you can see, there is no param here, which I think is the issue. But what I don't understand is how AWS can make a suggestion about what it should have been. I mean, the signature is represented by a hash, no? Or am I missing something? Thanks in advance!

Upvotes: 0

Views: 259

Answers (1)

Anon Coward

Reputation: 10824

Simplifying the process a bit, AWS uses HMAC to generate the signature.

One of the key principles is that HMAC does not encrypt the message. The message must be sent alongside the HMAC hash. The receiving side will calculate the HMAC again and verify the results.

AWS explicitly talks a bit about this in the Signature Documentation:

When an AWS service receives the request, it performs the same steps that you did to calculate the signature you sent in your request. AWS then compares its calculated signature to the one you sent with the request. If the signatures match, the request is processed. If the signatures don't match, the request is denied.

To answer your explicit question: The string they're showing you that they used to generate the "Canonical String" is derived from the HTTP request itself. The HTTP type, "GET", is on the first line, the path passed to GET is on the second line, and so on.

In other words, they're expecting the caller to understand what the request will look like, generate the Canonical String themselves beforehand, run their signature algorithm on it and the shared secret of the Access Key's Secret, and include the resulting hash in the request. Then on their side they take elements from the HTTP request, run this process again, and verify the result is correct.

For your failure, if you post how you're generating the presigned URL, we might be able to diagnose where the failure is.

Upvotes: 2
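
The recompute-and-compare flow described in the answer, as an added example that is not part of the original thread or of the library the question uses. The secret, host, timestamp, service name and the reduced header set (a real request also signs x-amz-date) are constructed, and the mismatch is an illustration rather than a diagnosis of the asker's failure.

```javascript
// Added example (Node.js). Credentials, host and timestamp are constructed.
const nodeCrypto = require('node:crypto');
const sha256hex = (s) => nodeCrypto.createHash('sha256').update(s, 'utf8').digest('hex');
const hmac = (key, s) => nodeCrypto.createHmac('sha256', key).update(s, 'utf8').digest();
const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);
// SigV4 wants RFC 3986 encoding; encodeURIComponent leaves !'()* unescaped.
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Canonical request: method, path, sorted query, sorted headers, signed-header
// list, payload hash. The path is assumed to be already URI-encoded.
function canonicalRequest({ method, path, query = {}, headers, payload = '' }) {
  const qs = Object.entries(query).map(([k, v]) => [enc(k), enc(v)])
    .sort((p, q) => cmp(p[0], q[0]) || cmp(p[1], q[1]))
    .map(([k, v]) => `${k}=${v}`).join('&');
  const hs = Object.entries(headers)
    .map(([k, v]) => [k.toLowerCase(), String(v).trim().replace(/\s+/g, ' ')])
    .sort((p, q) => cmp(p[0], q[0]));
  const canonHeaders = hs.map(([k, v]) => `${k}:${v}\n`).join('');
  const signed = hs.map(([k]) => k).join(';');
  return [method, path, qs, canonHeaders, signed, sha256hex(payload)].join('\n');
}

// Signature = HMAC over the *hash* of the canonical request, keyed by a key
// derived from the secret. Only this hex value travels with the request.
function sign(req, { secret, amzDate, region, service }) {
  const date = amzDate.slice(0, 8);
  const scope = `${date}/${region}/${service}/aws4_request`;
  const toSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256hex(canonicalRequest(req))].join('\n');
  const key = [date, region, service, 'aws4_request'].reduce(hmac, 'AWS4' + secret);
  return hmac(key, toSign).toString('hex');
}

// Service side: rebuild the canonical request from the request as received,
// recompute, compare. On mismatch it reports its own string, not the caller's.
function verify(received, providedSig, creds) {
  const a = Buffer.from(sign(received, creds), 'hex');
  const b = Buffer.from(providedSig, 'hex');
  if (a.length === b.length && nodeCrypto.timingSafeEqual(a, b)) return { ok: true };
  return { ok: false, shouldHaveBeen: canonicalRequest(received) };
}

const creds = { secret: 'EXAMPLE-SECRET', amzDate: '20240101T000000Z', region: 'us-east-1', service: 'execute-api' };
const headers = { Host: 'api.example.com', Accept: '*/*' };
const signedByClient = { method: 'GET', path: '/test', query: { id: 'ID-12' }, headers };
const seenByService = { method: 'GET', path: '/test', query: {}, headers }; // constructed mismatch
const match = verify(signedByClient, sign(signedByClient, creds), creds);
const mismatch = verify(seenByService, sign(signedByClient, creds), creds);
console.log(match.ok, mismatch.ok, '\n' + mismatch.shouldHaveBeen);
```

The string in shouldHaveBeen is built only from the request the verifier saw, which is why it can be printed without reversing any hash.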
