Request is sent to RDS endpoint, but signed by docdb.
moritalous opened this issue · 1 comments
moritalous commented
I have set up sig-v4-proxy with docker-compose.
version: "3"
services:
  sig-v4-proxy:
    image: public.ecr.aws/aws-observability/aws-sigv4-proxy:1.5
    volumes:
      - ./.aws:/root/.aws
    ports:
      - "8080:8080"
    environment:
      - AWS_SDK_LOAD_CONFIG=true
    command: ['-v']
I request rds.ap-northeast-1.amazonaws.com, but it errors because the request is signed for the docdb service.
(Sometimes it is Neptune instead.)
curl -s -H 'host: rds.ap-northeast-1.amazonaws.com' 'http://localhost:8080/?Action=DescribeDBInstances&Version=2014-10-31'
<ErrorResponse xmlns="http://rds.amazonaws.com/doc/2014-10-31/">
<Error>
<Type>Sender</Type>
<Code>SignatureDoesNotMatch</Code>
<Message>Credential should be scoped to correct service: 'rds'. </Message>
</Error>
<RequestId>2c8dcc75-87c9-421a-8c5d-4818489f5d0f</RequestId>
</ErrorResponse>
Log
2205-sig-v4-proxy-1 | time="2022-05-15T13:58:38Z" level=debug msg="Initial request dump:" request="GET /?Action=DescribeDBInstances&Version=2014-10-31 HTTP/1.1\r\nHost: rds.ap-northeast-1.amazonaws.com\r\nAccept: */*\r\nUser-Agent: curl/7.68.0\r\n\r\n"
2205-sig-v4-proxy-1 | time="2022-05-15T13:58:38Z" level=info msg="DEBUG: Request Signature:\n---[ CANONICAL STRING ]-----------------------------\nGET\n/\nAction=DescribeDBInstances&Version=2014-10-31\nhost:rds.ap-northeast-1.amazonaws.com\nx-amz-date:20220515T135838Z\n\nhost;x-amz-date\ne3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n---[ STRING TO SIGN ]--------------------------------\nAWS4-HMAC-SHA256\n20220515T135838Z\n20220515/ap-northeast-1/docdb/aws4_request\n44422fd5808526e3aa2b9afc325b6b21c4cdcec2ce713f3144291252639facf9\n-----------------------------------------------------"
2205-sig-v4-proxy-1 | time="2022-05-15T13:58:38Z" level=debug msg="signed request" region=ap-northeast-1 service=docdb
2205-sig-v4-proxy-1 | time="2022-05-15T13:58:38Z" level=debug msg="proxying request" request="GET /?Action=DescribeDBInstances&Version=2014-10-31 HTTP/1.1\r\nHost: rds.ap-northeast-1.amazonaws.com\r\nAccept: */*\r\nAuthorization: AWS4-HMAC-SHA256 Credential=AKIA3SSOAQIFEARL35XE/20220515/ap-northeast-1/docdb/aws4_request, SignedHeaders=host;x-amz-date, Signature=785a279627141c870d8d6db25ab3a4d67f1191949ba067cb1f78187a2fa01d5c\r\nUser-Agent: curl/7.68.0\r\nX-Amz-Date: 20220515T135838Z\r\n\r\n"
2205-sig-v4-proxy-1 | time="2022-05-15T13:58:39Z" level=error msg="error proxying request" message="<ErrorResponse xmlns=\"http://rds.amazonaws.com/doc/2014-10-31/\">\n <Error>\n <Type>Sender</Type>\n <Code>SignatureDoesNotMatch</Code>\n <Message>Credential should be scoped to correct service: 'rds'. </Message>\n </Error>\n <RequestId>a717e22d-0016-4c7c-b1c2-cebbb01ff9b3</RequestId>\n</ErrorResponse>\n" request="GET https://rds.ap-northeast-1.amazonaws.com/?Action=DescribeDBInstances&Version=2014-10-31" status_code=403
A request to the ec2 endpoint works fine.
curl -s -H 'host: ec2.ap-northeast-1.amazonaws.com' 'http://localhost:8080/?Action=DescribeInstances&Version=2016-11-15'
alvinlin123 commented
This is interesting, I will take a look. But as a workaround, you can use --name rds to override the service name.
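The proxy log above shows the credential scoped to docdb while the RDS endpoint expects rds, and the --name rds workaround simply pins that service name. The following is an added example, not code from aws-sigv4-proxy, that rebuilds the canonical request and string-to-sign from the values in the log and derives the SigV4 signature under both scopes using a constructed placeholder secret key; it shows that the service name enters both the credential scope and the signing-key derivation, so a request scoped to docdb can never verify at rds.

```python
import hashlib
import hmac

# Values taken from the proxy's debug log in this issue.
HOST = "rds.ap-northeast-1.amazonaws.com"
REGION = "ap-northeast-1"
AMZ_DATE = "20220515T135838Z"
QUERY = "Action=DescribeDBInstances&Version=2014-10-31"
EMPTY_BODY_SHA256 = hashlib.sha256(b"").hexdigest()  # GET with no body

# Constructed placeholder secret; any value works for the comparison below.
SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"


def canonical_request(host=HOST, query=QUERY, amz_date=AMZ_DATE):
    """Rebuild the canonical string in the layout the log prints (GET /, host and x-amz-date signed)."""
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"  # trailing \n gives the blank line
    signed_headers = "host;x-amz-date"
    return "\n".join(["GET", "/", query, canonical_headers, signed_headers, EMPTY_BODY_SHA256])


def credential_scope(service, region=REGION, amz_date=AMZ_DATE):
    """date/region/service/aws4_request: the part the error message complains about."""
    return f"{amz_date[:8]}/{region}/{service}/aws4_request"


def string_to_sign(service):
    """AWS4-HMAC-SHA256 / timestamp / scope / sha256(canonical request), as in the log."""
    canonical_hash = hashlib.sha256(canonical_request().encode()).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, credential_scope(service), canonical_hash])


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signature(service, secret=SECRET_KEY):
    """Derive the signing key; the service name is mixed in, so docdb and rds never agree."""
    k_date = _hmac(("AWS4" + secret).encode(), AMZ_DATE[:8])
    k_region = _hmac(k_date, REGION)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    return hmac.new(k_signing, string_to_sign(service).encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for svc in ("docdb", "rds"):  # what the proxy used vs. what the endpoint requires
        print(svc, credential_scope(svc), signature(svc))
```

The canonical hash embedded by string_to_sign() can be compared directly against the one in the STRING TO SIGN section of the log.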