Bizarre signed header issue #2

Open
pjlsergeant opened this issue Jul 27, 2018 · 4 comments
@pjlsergeant

I really have no idea what's causing this, but, Amazon is rejecting the signatures produced by Net::Amazon::Signature::V4 for my requests using this module. I'm not sure where the fault lies -- is it with how this is producing header values, or a problem with the parent module?

Anyway, with the local sub-override this works, without it, I get "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details." which is just odd.


use Paws;
use Paws::Credential::Explicit;
use Search::Elasticsearch;
use Net::Amazon::Signature::V4;

# Explicit (dummy) credentials, passed to the AmazonES connection below
my $paws = Paws->new(
    config => {
        credentials => Paws::Credential::Explicit->new(
            access_key => 'YESTHISISBADIAMSORRY',
            secret_key => '0123456789012345678901234567890123456789',
        )
    }
);

# Workaround: override the signer so that only the Host header is signed
local *Net::Amazon::Signature::V4::_headers_to_sign = sub {
    return qw/host/;
};

my $c = Search::Elasticsearch->new(
    trace_to => 'Stderr',
    nodes =>
        'https://search-thatclustertho.eu-west-1.es.amazonaws.com:443/',
    cxn         => "AmazonES",
    cxn_pool    => 'Static::NoPing',
    region      => 'eu-west-1',
    credentials => $paws->config->credentials,
);

@pplu
Owner

pplu commented Jul 27, 2018

Hi!

Thanks for digging useful information around the bug. Now I realize that this module never got published to CPAN (got so close, but so forgotten...).

To try to get this fixed: When the signature fails, what headers are being signed? What are their values? What type of HTTP request are you sending to the ES?

@pjlsergeant
Author

It is in fact on CPAN: https://metacpan.org/pod/release/JLMARTIN/Search-ElasticSearch-AmazonES-0.02/lib/Search/Elasticsearch/Cxn/AmazonES.pm

For some reason, Google isn't indexing it

This works, when forced to host only:

GET https://redacted-redacted-redacted-redacted-1-eatmorechicken.eu-west-1.es.amazonaws.com:443/stats/_search
Date: 20180727T104724Z
Authorization: AWS4-HMAC-SHA256 Credential=DEADBEEFDEADBEEFDEAD/20180727/eu-west-1/es/aws4_request,SignedHeaders=host,Signature=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Host: redacted-redacted-redacted-redacted-1-eatmorechicken.eu-west-1.es.amazonaws.com
Content-Type: application/json
X-Amz-Content-Sha256: 7b0178d0034c7154b81741d228da2ac98062abb1780f379dc0738f4ffe88760e
X-Amz-Date: 20180727T104724Z

This does not work, when it gets to choose its headers:

GET https://redacted-redacted-redacted-redacted-1-eatmorechicken.eu-west-1.es.amazonaws.com:443/stats/_search
Date: 20180727T104814Z
Authorization: AWS4-HMAC-SHA256 Credential=DEADBEEFDEADBEEFDEAD/20180727/eu-west-1/es/aws4_request,SignedHeaders=content-type;date;host;x-amz-content-sha256;x-amz-date,Signature=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
Host: redacted-redacted-redacted-redacted-1-eatmorechicken.eu-west-1.es.amazonaws.com
Content-Type: application/json
X-Amz-Content-Sha256: ac2a6b75c2a84afdca0220d8600565411ee1d265ea1e1a6ce99e4e01c86d5e66
X-Amz-Date: 20180727T104814Z

@pjlsergeant
Author

FWIW, it seems like any second header to sign causes an issue here -- if I change my above code to include content-type, it craps out. Meanwhile, the nodejs client I'm also using is fine with multiple headers. Its auth line is (NB: slightly different formatting):

Authorization: 'AWS4-HMAC-SHA256 Credential=DEADBEEFDEADBEEFDEAD/20180727/eu-west-1/es/aws4_request, SignedHeaders=host;x-amz-date, Signature=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
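
An added debugging sketch, not part of the original thread and not code from Net::Amazon::Signature::V4 or this module: it builds the SigV4 canonical request for a chosen SignedHeaders list and shows that a header whose value differs between signing time and the wire only breaks the signature once that header is signed. The host name and the Content-Type discrepancy are constructed for illustration; the discrepancy is a hypothetical, not a diagnosis of this issue.

```python
import hashlib
import hmac

def canonical_request(method, path, query, headers, signed, payload_hash):
    """SigV4 canonical request built from only the headers named in `signed`."""
    # Header names are lowercased; values are trimmed and inner spaces collapsed.
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(n.lower() for n in signed)
    canon_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    return "\n".join([method, path, query, canon_headers, ";".join(names), payload_hash])

def signature(secret, amz_date, region, service, creq):
    """Derive the signing key and sign the string-to-sign for `creq`."""
    scope = [amz_date[:8], region, service, "aws4_request"]
    sts = "\n".join(["AWS4-HMAC-SHA256", amz_date, "/".join(scope),
                     hashlib.sha256(creq.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in scope:  # date -> region -> service -> "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()

def first_difference(signer_view, wire_view, signed):
    """Return (signatures_match, first differing canonical-request line pair or None)."""
    args = ("GET", "/stats/_search", "")
    a = canonical_request(*args, signer_view, signed, PAYLOAD_HASH)
    b = canonical_request(*args, wire_view, signed, PAYLOAD_HASH)
    sig_a = signature(SECRET, AMZ_DATE, "eu-west-1", "es", a)
    sig_b = signature(SECRET, AMZ_DATE, "eu-west-1", "es", b)
    diff = next(((x, y) for x, y in zip(a.split("\n"), b.split("\n")) if x != y), None)
    return hmac.compare_digest(sig_a, sig_b), diff

# Constructed sample data. The secret is the dummy value shown in the issue.
SECRET = "0123456789012345678901234567890123456789"
AMZ_DATE = "20180727T104724Z"
PAYLOAD_HASH = hashlib.sha256(b"").hexdigest()  # empty body, constructed
HOST = "search-example.eu-west-1.es.amazonaws.com"  # placeholder host
# Hypothetical discrepancy: what the signer hashed vs. what went on the wire.
SIGNER_VIEW = {"Host": HOST, "Content-Type": "application/json", "X-Amz-Date": AMZ_DATE}
WIRE_VIEW = {"Host": HOST, "Content-Type": "application/json; charset=UTF-8",
             "X-Amz-Date": AMZ_DATE}

if __name__ == "__main__":
    for signed in (["host"], ["content-type", "host", "x-amz-date"]):
        ok, diff = first_difference(SIGNER_VIEW, WIRE_VIEW, signed)
        print(";".join(sorted(signed)), "match" if ok else f"MISMATCH at {diff}")
```

Comparing the canonical request a client builds against the headers actually sent, one signed header at a time, narrows a "signature does not match" error down to the header whose canonical form differs.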

@pplu
Owner

pplu commented Sep 20, 2018

@pjlsergeant : Can you try to adapt the code to using: https://github.com/pplu/AWSv4Signer. I haven't packaged it yet to upload to CPAN, but it's close, and I think it will let you control exactly what headers you want or not
