The request signature we calculated does not match the signature you provided
MartinThoma opened this issue · 8 comments
I think aws-request-auth generates the headers
{'Authorization': 'AWS4-HMAC-SHA256 Credential=AKIAIYABCDEFGHIJ123A/20180406/us-east-1/sagemaker/aws4_request, SignedHeaders=host;x-amz-date, Signature=0a1234567890abcdef01234567890abcdefabcdefabcdefabcdefabcdefabcde',
'x-amz-date': '20180406T104709Z'}
and according to the error message, it should be:
The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
The Canonical String for this request should have been
'POST
/endpoints/foo-endpoint/invocations
host:runtime.sagemaker.us-east-1.amazonaws.com
x-amz-date:20180406T082536Z
host;x-amz-date
1234567890foobarfoobarfoobarboofoobarfoobarfoobarfoobarfoobarfoo'
The String-to-Sign should have been
'AWS4-HMAC-SHA256
20180406T082536Z
20180406/us-east-1/sagemaker/aws4_request
987654321abcdeffoobarfoobarfoobarfoobarfoobarfoobarfoobarfoobarf'
Looks similar to #31
Can you verify that the credentials you are passing into aws-requests-auth are still valid (.e.g. not expired etc.)?
Are you trying to use this with the sagemaker service? Despite its generic name, aws-requests-auth has only really been tested + built for use with AWS's Elasticserach service
I'm using it within Lambda to communicate with Sagemaker. Works like a charm, if I'm in the same region :-)
Would you recommend to use something else?
Interesting. Maybe the IAM creds being granted in the lambda aren't portable across regions? I've never dabbled in too much cross region stuff
Would you recommend to use something else?
Perhaps you could give requests-aws4auth and see if you get a different result?
Closing due to inactivity. Feel free to reopen and we can debug further