SignatureDoesNotMatch Error in AWS V4 Signed Request - amazon-web-services

I have generated the presigned url for get request using the same algoritthm mentioned in the documentation of AWS.
This is working.
But when I Post/Put the data the signature mismatch error is present.
Below is a sample curl :-
curl --location --request POST 'https://<bucket_name>.s3.ap-south-1.amazonaws.com/testFolder/testing1.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=<access_key_id>%2F20211006%2Fap-south-1%2Fs3%2Faws4_request&X-Amz-Date=20211006T113405Z&X-Amz-Expires=3000&X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-content-sha256%3Bx-amz-date&X-Amz-Signature='
--header 'x-amz-content-sha256: UNSIGNED-PAYLOAD'
--header 'x-amz-date: 20211006T113405Z'
--header 'Content-Type: text/plain'

Related

Getting {"error": "invalid_grant" } in Django OAUTH when trying to generate a token using AUTHORIZATION CODE FLOW

I'm trying to access token using authorization code flow. I'm using authorization_code as the grant type.
Following documentation at Django OAuth
Here's my code that's making the post request:
curl --location --request POST 'http://127.0.0.1:8000/o/token/' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Cache-Control: no-cache' \
--header 'Accept: application/json' \
--data-urlencode 'client_id=ngta3GGa3jP6Rmv5Tspj97Bk4aiitHgv1EQilCDS' \
--data-urlencode 'client_secret=zLwMyuXg7WCSFwUDYBxFP3QxHh5mF6xM2hBsKyvRbypac5lV7fl2NoFeeDG3afWWxLedA7qtzD2Mvf68qyBra3A4iUXXlDXJO4LvxuZv4UULU6NLWlObpD0ylQSXbwZD' \
--data-urlencode 'code=q4NfBMbyTNbcIQZ4j7SfgMWL898psv' \
--data-urlencode 'redirect_uri=http://localhost:8000/no/callback/' \
--data-urlencode 'code_verifier=b'\''SlJDWEgyRzNYMks0RTVQVDlRVkFaOFdDUkxHV1A3QURMTjNITFdaMTBLU0tWQkkzMUVWVEZFU0k='\''' \
--data-urlencode 'grant_type=authorization_code'
I'm expecting to get an access token when I make the post request, but I'm getting this error:
{
"error": "invalid_grant"
}
The grant is valid i.e not expired. Server time is in sync with machine time. Expiry time is 5 minutes but doesnt work even before it's expired.

Error while creating service account in GCP via SDK

I have been using Google's SDKs to perform API calls such as creating a service account, creating service account keys, get the storage buckets, etc.. Recently I'm unable to create a service account due to the below error.
Request:
curl --location --request POST 'https://iam.googleapis.com/v1/projects/myproject/serviceAccounts' \
--header 'Authorization: Bearer <<token>>' \
--header 'Accept-Encoding: gzip' \
--header 'User-Agent: my test Google-API-Java-Client'
c.g.a.c.g.j.GoogleJsonResponseException: 404 Not Found
{
"code" : 404,
"errors" : [ {
"domain" : "global",
"message" : "Not found; Gaia id not found for email xxxxx#myproject.iam.gserviceaccount.com",
"reason" : "notFound"
} ],
"message" : "Not found; Gaia id not found for email xxxxx#myproject.iam.gserviceaccount.com",
"status" : "NOT_FOUND"
}
Why would I require Gaia id while creating service account? Where can I find this id? Any help is appreciated!!
Did you ever remove the service account 'xxxxx#myproject.iam.gserviceaccount.com' which should be the default service account for IAM API, you can recover it within the 30days after the deletion. or just disable it and re-enable it , will recreate the default service account for you. Let me know if it resolved the issue.
It seems that your request needs to have a body
The request body contains data with the following structure:
{
"accountId": string,
"serviceAccount": {
object (ServiceAccount)
}
}
And it is missing in your command.
You can obtain more information in this documentation.
In your case it should be something like:
curl --request POST \
'https://iam.googleapis.com/v1/projects/my-little-project/serviceAccounts?key=[YOUR_API_KEY]' \
--header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{"accountId":"sa-test","serviceAccount":{"description":"sa-description-test","displayName":"sa-display-testonly"}}' \
--compressed
You can test this API directly in the following link
Also, I have found a similar error, in this stackoverflow case according to this answer this error could be generated if the APIs are not enabled.

Add new version of secret via REST

I would like to add a new version of a secret via GCP REST API.
Sadly the docs are pretty bland for REST and not even the URLs are spelled out.
I get a response for:
curl -H "authorization: Bearer $(gcloud auth print-access-token)" 'https://secretmanager.googleapis.com/v1beta1/projects/myproject/secrets/foo'
but only 404 for:
curl -H "authorization: Bearer $(gcloud auth print-access-token)" -H 'content-type: application/json' -d '{"payload":{"data":"foo"}}' 'https://secretmanager.googleapis.com/v1beta1/projects/myproject/secrets/foo/addVersion'
Also tried other permutations.
Can anyone tell me how to construct the REST call to add a new version?
Under the Adding a secret version section of the documentation, you can click on the "API" tab and see:
$ curl "https://secretmanager.googleapis.com/v1/projects/PROJECT_ID/secrets/SECRET_ID:addVersion" \
--request "POST" \
--header "authorization: Bearer $(gcloud auth print-access-token)" \
--header "content-type: application/json" \
--header "x-goog-user-project: project-id" \
--data "{\"payload\": {\"data\": \"${SECRET_DATA}\"}}"
Where:
PROJECT_ID is your GCP project ID
SECRET_ID is the name of the secret for which you want to add a version
SECRET_DATA is the base64-encoded secret.
If you pop out the API Explorer the start showing you the actual URL. So it is:
https://secretmanager.googleapis.com/v1beta1/projects/myproject/secrets/foo:addVersion

Token Introspect API not working after changing the regex restriction for username in WSO2 IS 5.9.0?

I am using WSO2 Identity server and using email as username from following documentation-
https://is.docs.wso2.com/en/5.9.0/learn/using-email-address-as-the-username/
Then while performing a sign-up ie create users using SCIM2 APIs with email more than 30 characters i was getting the following error-
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:Error"
],
"scimType": "invalidValue",
"detail": "31301 - Username test1233.admin#motioneducation.com is not valid. User name must be a non null string with following format, ^[\\S]{3,30}$",
"status": "400"
}
Then to fix this i added this regex expression in deployment.toml file in user store-
[user_store]
username_java_script_regex = '^[a-zA-Z0-9.-]+#[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}$'
username_java_regex='^[a-zA-Z0-9.-]+#[a-zA-Z0-9.-]+\.[a-zA-Z]{2,4}'
This change fixed my sign-up problem but the token generated by performing login using wso2 /oauth2/token API is giving 401 unauthorized in /oauth2/introspect API?
Please Help........?
Since you have enabled email as username, then you need to use the email username in the authorization header also. A sample curl command is given below.
curl --location --request POST
'https://{host_name}:{port}/oauth2/introspect'
--header 'Content-Type: application/x-www-form-urlencoded'
--header 'Authorization: Basic {base64encode(emailusername:password)}'
--data-urlencode 'token={access_token}'
Sample request
curl --location --request POST
'https://localhost:9443/oauth2/introspect'
--header 'Content-Type: application/x-www-form-urlencoded'
--header 'Authorization: Basic YWRtaW5Ad3NvMi5jb206YWRtaW4='
--data-urlencode 'token=47f65812-c5fb-3f90-b5c0-3bbc3603578f'
401 unauthorized error comes only if you are sending invalid credentials. So please check whether you are sending valid emailusername and valid password in authorization header

GCP IoTCore won't parse payload using Gateways and HTTP bridge

Steps taken so far
Create a new key pair and use it for the gateway that is about to be created
Create a gateway, let's call it 'my_first_gateway'
Create a new device, let's call it 'gw_device_1'
Associate gw_device_1 with my_first_gateway
Works fine so far.
Now I want to use the HTTP bridge to send gw_device_1's state data to IoTCore via my gateway using my_first_gateway's private key, following this tutorial: https://cloud.google.com/iot/docs/how-tos/gateways/http-bridge#setting_device_state_through_the_gateway
Observation1: the URL in this tutorial seems malformatted, there is a missing double quote at the end of 'delegated_device_id':
curl -X POST -H 'authorization: Bearer GATEWAY_JWT' -H 'content-type: application/json' --data '{"binary_data": "DATA", "gateway_info": {"delegated_device_id: "device-id"}}' -H 'cache-control: no-cache' 'https://cloudiotdevice.googleapis.com/v1/projects/{project-id}/locations/{cloud-region}/registries/{registry-id}/devices/{gateway-id}:setState'
When I am now replacing all placeholders and replace "DATA" with say "ewogICJhUHJvcCI6ICJhVmFsdWUiCn0" I execute the following curl (the token is obviously not real):
curl -X POST -H 'authorization: Bearer GW_JWT_TOKEN' -H 'content-type: application/json' --data '{"binary_data": "ewogICJhUHJvcCI6ICJhVmFsdWUiCn0=", "gateway_info": {"delegated_device_id": "gw_device_1"}}' -H 'cache-control: no-cache' 'https://cloudiotdevice.googleapis.com/v1/projects/my_project_id/locations/europe-west1/registries/my_registry/devices/my_first_gateway:setState'
I receive this error:
{
"error": {
"code": 400,
"message": "Invalid JSON payload received. Unknown name \"binary_data\": Cannot find field.",
"status": "INVALID_ARGUMENT",
"details": [
{
"#type": "type.googleapis.com/google.rpc.BadRequest",
"fieldViolations": [
{
"description": "Invalid JSON payload received. Unknown name \"binary_data\": Cannot find field."
}
]
}
]
}
}
The fun thing is: There is another 'endpoint' that is used to publish events to IoTCore. It has the same signature but instead of 'setState' it ends with 'publishEvent' (see: https://cloud.google.com/iot/docs/how-tos/gateways/http-bridge#publishing_the_devices_telemetry_events_through_the_gateway).
Executing the exact same request with this method works just fine:
curl -X POST -H 'authorization: Bearer GW_JWT_TOKEN' -H 'content-type: application/json' --data '{"binary_data": "ewogICJhUHJvcCI6ICJhVmFsdWUiCn0=", "gateway_info": {"delegated_device_id": "gw_device_1"}}' -H 'cache-control: no-cache' 'https://cloudiotdevice.googleapis.com/v1/projects/my_project_id/locations/europe-west1/registries/my_registry/devices/my_first_gateway:publishEvent'
Am I missing something?
Any help appreciated.
Actually, the curl that google provides is not correct.
The payload needs to be adapted a bit, the binary_data string needs to be wrapped in an object called 'state'
{ "state": { "binary_data": "ewogICJhUHJvcCI6ICJhVmFsdWUiCn0=" }, "gateway_info": {"delegated_device_id": "gw_device_1"}}
The curl then works as expected.