How to generate and validate SigV4

0

I am making an API call to S3 using boto3 with the following code, which is working as expected:

import boto3
boto3.set_stream_logger(name='botocore')

s3 = boto3.resource(
    's3',
    aws_access_key_id="aws_access_key_id",
    aws_secret_access_key="aws_secret_access_key",
    region_name="us-east-1", # Region name here that matches the endpoint
    endpoint_url="https://myendpoint" # Include your namespace in the URL
)
  
# Print out the bucket names
for bucket in s3.buckets.all():
    print(bucket.name)

The above code, when executed, generates an Authorization header. My use case requires manually generating the Authorization header using the boto3 library to ensure it matches the one generated by the above code. However, due to some misconfiguration, they are not matching.

I am seeking guidance on how to manually generate the Authorization header using the boto3 library. Here is my code to generate the Authorization header:

import boto3
from botocore.auth import SigV4Auth
from botocore.awsrequest import AWSRequest
from botocore.credentials import Credentials

headers = {
    'Host': 'hostname',
    'x-amz-date': '20240703'   
    }

# Initialize the credentials and request
credentials = Credentials('accesskey', 'secret=')
request = AWSRequest(method='GET', url='https://myendpoint/', headers=headers)

# Sign the request
SigV4Auth(credentials, 's3', 'us-east-1').add_auth(request)
print(request.headers)
asked a month ago, 285 views
1 Answer
0

It would help a lot to see what error messages you are getting. My assumption is that somewhere in your code you're doing something like:

import urllib3
http = urllib3.PoolManager()
response = http.request('GET', request.url, headers={'X-Amz-Date':request.headers['X-Amz-Date'], 'Authorization':request.headers['Authorization'], 'x-amz-content-sha256':'<request hash goes here>'})

If so, what does response.data have in it? I note that your code is not complete - for example it doesn't calculate the x-amz-content-sha256 header which is necessary according to the documentation.

Incidentally, I did get your code working (sort of) by using the hash from the debug output of the AWS CLI and putting that into the x-amz-content-sha256 header. You don't need to specify the headers at all as you have above - the SigV4Auth().add_auth() process does that for you.

Finally, there's a big question of "why" here. Is there something that the boto3 library doesn't do for you already that you need to sign "manually"?

AWS
EXPERT
answered a month ago
EXPERT
reviewed a month ago
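
Added example, not part of the question or the answer above and not botocore's own code: a standard-library sketch of SigV4 for a body-less GET, showing every input that feeds the Authorization header (including the x-amz-content-sha256 payload hash mentioned in the answer) and a validator that recomputes the signature and compares it. The access key, secret, host `myendpoint` and timestamp are constructed placeholders; the request is assumed to have no query string and a path that needs no URI encoding.

```python
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less GET

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_get(access_key, secret_key, host, path, amz_date, region="us-east-1", service="s3"):
    """Return the SigV4 headers for a GET with no query string and no body."""
    headers = {
        "host": host,
        "x-amz-content-sha256": EMPTY_SHA256,
        "x-amz-date": amz_date,  # full timestamp, e.g. 20240703T120000Z
    }
    signed = ";".join(sorted(headers))
    canonical = "\n".join([
        "GET", path, "",  # method, canonical URI, empty canonical query string
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed, EMPTY_SHA256,
    ])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical.encode()).hexdigest(),
    ])
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):  # chain: date, region, service, "aws4_request"
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}"
    )
    return headers

def validate(received, secret_key, host, path):
    """Recompute the header from the received values and compare in constant time."""
    auth = received["authorization"]
    access_key, _date, region, service, _ = auth.split("Credential=")[1].split(",")[0].split("/")
    expected = sign_get(access_key, secret_key, host, path,
                        received["x-amz-date"], region, service)["authorization"]
    return hmac.compare_digest(expected, auth)

if __name__ == "__main__":
    # Constructed placeholder credentials and endpoint, not real values.
    hdrs = sign_get("EXAMPLEKEY", "example-secret", "myendpoint", "/", "20240703T120000Z")
    print(hdrs["authorization"])
    print(validate(hdrs, "example-secret", "myendpoint", "/"))
```

Two headers produced for the same request only match when the timestamp, host, path, signed header set and payload hash are all identical, because each of them is part of the signed canonical request or string to sign.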