awslabs/aws-sigv4-proxy

elastic search: request signature we calculated does not match the signature you provided

sedflix opened this issue · 1 comments

Example of logs we got:

time="2022-08-11T11:14:37Z" level=debug msg="Initial request dump:" request="GET /// HTTP/1.1\r\nHost: es\r\nAccept-Encoding: gzip\r\nContent-Type: application/json\r\nUser-Agent: Go-http-client/1.1\r\n\r\n"
time="2022-08-11T11:14:37Z" level=info msg="DEBUG: Request Signature:\n---[ CANONICAL STRING ]-----------------------------\nGET\n///\n\nhost:##url##\nx-amz-date:20220811T111437Z\nx-amz-security-token:##token##\n\nhost;x-amz-date;x-amz-security-token\n##Token##\n---[ STRING TO SIGN ]--------------------------------\nAWS4-HMAC-SHA256\n20220811T111437Z\n20220811/ap-south-1/es/aws4_request\n33f78ea95c2ddcfdd4012d605b9319cbeccf397ac351e39ad4b5d8b6e85e47bc\n-----------------------------------------------------"
time="2022-08-11T11:14:37Z" level=debug msg="signed request" region=ap-south-1 service=es
time="2022-08-11T11:14:37Z" level=debug msg="proxying request" request="GET /// HTTP/1.1\r\nHost:##url##\r\nAccept-Encoding: gzip\r\nAuthorization: AWS4-HMAC-SHA256 Credential=ASIAY63QBOGXGV7L7YVF/20220811/ap-south-1/es/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=55aea73d7d56110bcd420a946c324f360a0516dd8f54daf5090045ce4e85c6c2\r\nContent-Type: application/json\r\nUser-Agent: Go-http-client/1.1\r\nX-Amz-Date: 20220811T111437Z\r\nX-Amz-Security-Token: ##token##\r\n\r\n"
time="2022-08-11T11:14:37Z" level=error msg="error proxying request" message="{\"message\":\"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\"}" request="GET https://##url##///" status_code=403

I can see the initial request looks like this:

GET /// HTTP/1.1
Host: es
Accept-Encoding: gzip
Content-Type: application/json
User-Agent: Go-http-client/1.1

Given the Stack Overflow question and #15, #13, I believe it's an issue with some extra "///" in the URL or some redirecting issue.

Hi, we have the same issue; it would be good if we could get an update on it:

It looks to me like aws-sigv4-proxy v1.7 (we tried v1.0 and didn't face any issue) doesn't seem to like double-escaped characters in the URLs that it proxies, specifically the commas:

%2C is the ASCII code of a comma (,)

%252C is a double-encoded version of the comma (%25 is actually a % character, which is what makes '%252C' double escaped)

For instance, jaeger-query is submitting a double-escaped URL:

jaeger-service-XXXXX%252Cjaeger-service-XXXXX%252Cjaeger-service-XXXXX%252Cjaeger-service-XXXXX/_search

and aws-sigv4-proxy rejects it with a 403 error and replies "\n\nThe String-to-Sign should have been\n":

jaeger-service-XXXXX%2Cjaeger-service-XXXXX%2Cjaeger-service-XXXXX%2Cjaeger-service-XXXXX/_search

We can reproduce the issue; see below:

aws --profile XXXXXX ecs execute-command --cluster XXXX --task XXXXX --container signature-proxy --region XXXXX --command "sh" --interactive

/ # wget -O - http://127.0.0.1:9201//

Connecting to 127.0.0.1:9201 (127.0.0.1:9201)

wget: server returned error: HTTP/1.1 403 Forbidden

Notice the extra leading slash (/) in the wget command above; it trips up aws-sigv4-proxy the same way that %252C does.
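An added worked example (not the proxy's own code, and not from either poster) that builds the SigV4 canonical request, string-to-sign and signature in Python so the two cases in this thread can be compared side by side. It uses constructed inputs: the AWS documentation example key pair, an assumed hostname, and the region, service and timestamp from the logs above. All function names are mine, and the decision to collapse repeated slashes during normalization is an assumption about what the SigV4 rule "remove redundant path components" means. The point it demonstrates is that signing a path exactly as received ("///", or a double-encoded "%252C") produces a different signature from signing the normalized, single-encoded form, which is exactly the kind of signer/verifier disagreement that produces the 403 shown in the logs.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed inputs: the AWS documentation example key pair, an assumed
# OpenSearch/Elasticsearch hostname, and the region/service/timestamp that
# appear in the issue's logs. None of this is real credential material.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION, SERVICE = "ap-south-1", "es"
HOST = "search-example.ap-south-1.es.amazonaws.com"  # assumed hostname
AMZ_DATE = "20220811T111437Z"
EMPTY_PAYLOAD_HASH = hashlib.sha256(b"").hexdigest()  # GET with no body


def normalize_path(path: str) -> str:
    """RFC 3986-style normalization as SigV4 expects for non-S3 services:
    drop '.' segments, resolve '..', and collapse runs of '/' (assumed here
    to be what AWS means by 'redundant path components'). '///' becomes '/'."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue  # empty segment = redundant slash
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    result = "/" + "/".join(out)
    if out and path.endswith("/"):
        result += "/"  # keep a trailing slash on non-root paths
    return result


def canonical_uri(path: str, normalize: bool = True) -> str:
    """Canonical URI for a non-S3 service: each segment of the (normalized)
    path is URI-encoded once more, so a received '%2C' is signed as '%252C'
    and a received '%252C' as '%25252C'. normalize=False signs the path
    exactly as received, which is how '///' ends up in the canonical string."""
    p = normalize_path(path) if normalize else (path or "/")
    return "/".join(quote(seg, safe="-_.~") for seg in p.split("/"))


def canonical_request(method: str, path: str, headers: dict, normalize: bool = True):
    """Return (canonical_request, signed_headers) for a request with no query
    string and an empty body; header names are lower-cased and sorted."""
    lowered = {n.lower(): v for n, v in headers.items()}
    names = sorted(lowered)
    canon_headers = "".join(f"{n}:{lowered[n].strip()}\n" for n in names)
    signed = ";".join(names)
    creq = "\n".join([method, canonical_uri(path, normalize), "",
                      canon_headers, signed, EMPTY_PAYLOAD_HASH])
    return creq, signed


def signing_key() -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC('AWS4'+secret, date), region), service), 'aws4_request')."""
    k = ("AWS4" + SECRET_KEY).encode()
    for part in (AMZ_DATE[:8], REGION, SERVICE, "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return k


def sign(method: str, path: str, normalize: bool = True) -> dict:
    """Full SigV4 computation; returns the intermediate strings so the
    canonical request can be compared against what a 403 body reports."""
    headers = {"Host": HOST, "X-Amz-Date": AMZ_DATE}
    creq, signed = canonical_request(method, path, headers, normalize)
    scope = f"{AMZ_DATE[:8]}/{REGION}/{SERVICE}/aws4_request"
    sts = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, scope,
                     hashlib.sha256(creq.encode()).hexdigest()])
    sig = hmac.new(signing_key(), sts.encode(), hashlib.sha256).hexdigest()
    auth = (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{scope}, "
            f"SignedHeaders={signed}, Signature={sig}")
    return {"canonical_request": creq, "string_to_sign": sts,
            "signature": sig, "authorization": auth}


def signatures_agree(path_a: str, path_b: str, normalize: bool = True) -> bool:
    """True when both paths yield the same signature, i.e. when a signer
    and a verifier seeing these two forms would NOT disagree."""
    return sign("GET", path_a, normalize)["signature"] == sign("GET", path_b, normalize)["signature"]


if __name__ == "__main__":
    # Left: the path as received by the proxy. Right: the form the service reported.
    pairs = [("///", "/"),
             ("/svc-a%252Csvc-b/_search", "/svc-a%2Csvc-b/_search")]
    for received, expected in pairs:
        a, b = sign("GET", received, normalize=False), sign("GET", expected)
        print(f"{received!r:30} -> {a['signature']}")
        print(f"{expected!r:30} -> {b['signature']}  (agree: {a['signature'] == b['signature']})")
```

Running the block prints the two signatures for each pair; they differ, which is why a proxy that signs the request as received while the service canonicalizes differently gets "signature we calculated does not match" back. When debugging a 403 of this kind, compare the canonical request logged by the signer (the `CANONICAL STRING` block in the proxy's debug output) with the string-to-sign the service returns, line by line: the line that differs tells you whether the path, the query or a header was canonicalized differently.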