greghendershott/aws

SNS: Support signature v4

krrrcks opened this issue · 9 comments

I wanted to use the package for sending messages via SNS. I was unable to publish a message in eu-central-1 (Frankfurt); I got an "InvalidClientTokenId". All other regions worked. From the documentation I learned:

The following regions do not support Signature Version 2, regardless of which service you're using:

China (Beijing)

EU (Frankfurt)

For the above regions, you must use Signature Version 4 to sign AWS Query API requests.

From the source code I learned that V4 is already implemented for Glacier. Is there any chance that the V4 is coming for the other services?

Maybe I can help, but I have only little knowledge about the AWS APIs, signature methods and I am only a "user" of the Racket library.

Thanks for the request.

  1. Please see issue #36 which is about doing sig v4 for S3. The advice there (use Ireland) might be a work-around for you in the meantime? And, as with issue #36, I'm not sure how soon I can get to doing this.
  2. I think it's fine you opened this as its own issue, because doing v4 for each service is its own distinct chunk of work. Also, doing the work for SNS might be easier than it will be for S3 (I hope!).
  3. Thanks for offering to help. Unfortunately you're right, doing the signatures is the hardest part. In fact, a lot of this library is just convenience wrappers; the signatures are the biggest value-add, the stuff that you don't want to write yourself if you can avoid it. :)

Yes, I supposed from reading the documentation that v4 for services other than S3 might be easier. I could use Ireland as a workaround but my customer's workload is situated in Frankfurt and it would be nice to have everything in one region.

I feared that the signature thing is the hardest part. But if I could assist with testing, just leave me a message; I would be glad to help.

I have a commit ready to push. Would you be comfortable testing it by fetching a topic branch from GitHub (i.e. not via raco pkg update)? If so I'll push that way.

Otherwise I can push to master. On the down side, (a) I'm a bit jet-lagged and (b) Amazon doesn't seem to have SNS docs showing examples of sig v4 (only v2). However it is working for me when I update the test to run against both us-east-1 and eu-central-1. And anyway I don't think there are very many users of sns with this library. So it wouldn't be crazy to push directly to master, and have you confirm from that.

Actually I went ahead and pushed to a branch issue-40-sns-sigv4. Please let me know if you can test it that way, or, if I should go ahead and merge to master.

By the way, you will need to set both the sns-endpoint and the new sns-region parameters. For example:

(parameterize ([sns-region   "eu-central-1"]
               [sns-endpoint (endpoint "sns.eu-central-1.amazonaws.com" #f)])
  ;; your code here
  )
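Why Signature Version 4 needs a region setting alongside the endpoint, as an added example that is not part of the thread and not the library's Racket code: the region enters both the credential scope and the signing-key derivation, so the same request signed for two regions yields different signatures. The credentials are AWS's documentation placeholders, and the topic ARN, timestamp and function names are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key; date, region and service are all mixed in."""
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def sns_authorization(access_key, secret, region, amz_date, params):
    """Build the SigV4 Authorization header for a form-encoded POST / to SNS."""
    enc = lambda s: quote(s, safe="-_.~")
    body = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": f"sns.{region}.amazonaws.com",  # regional endpoint is signed too
        "x-amz-date": amz_date,
    }
    signed = ";".join(sorted(headers))
    canonical = "\n".join([
        "POST", "/", "",  # method, path, empty query string
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed,
        hashlib.sha256(body.encode()).hexdigest(),
    ])
    scope = f"{amz_date[:8]}/{region}/sns/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = signing_key(secret, amz_date[:8], region, "sns")
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={sig}")

# Constructed sample input: AWS's documentation placeholder credentials,
# a made-up topic ARN and a fixed timestamp.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
PARAMS = {"Action": "Publish", "Version": "2010-03-31", "Message": "hello",
          "TopicArn": "arn:aws:sns:eu-central-1:123456789012:example-topic"}

if __name__ == "__main__":
    for region in ("us-east-1", "eu-central-1"):
        print(sns_authorization(ACCESS_KEY, SECRET_KEY, region,
                                "20150101T120000Z", PARAMS))
```
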

Huuuu! That was really a fast response! I tested code from your branch for eu-west-1, eu-central-1 (us-west-1 is having some issues this morning with SNS). Everything worked. Great you managed to add that v4 signature that fast! Thanks!

Great! I'll merge to master and close this issue, for sns.

You already opened an issue for s3 (which IIRC will be much harder to do, but I'll try to tackle that).

I'll open a separate issue for each of the remaining other services where I'm not already using sig v4.

@krrrcks Could you please check the list at the milestone https://github.com/greghendershott/aws/milestones/Signature%20v4 and leave a comment on each service that you need (now or soon)? I mean other than S3, which I already know you want.

I proactively did CloudWatch, but I'm thinking for the rest I should wait until/unless someone needs it. Partly because lazy. :) But seriously, I'd be more comfortable if there were someone else testing it, besides me. So doing it on-demand is probably smarter.

And instead I could spend time on doing S3, which is both much harder (I think) and actually needed by you.