I am using the CreatePolicy API to create a policy with specific permissions. Initially I passed JSON as the value of the query string parameter "PolicyDocument", but the request failed with code 400 Bad Request. While testing through Postman, I found that we have to URL-encode the given policy document. This solution worked fine in Postman but not in my HTTP client. Error - "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details". The code is working fine for all other APIs, even for IAM GET requests, but fails when the policy doc is sent as a query string or as a body. Possibly there is something wrong while calculating the signature for the IAM API with a URL-encoded policy doc.
Ref - https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html
Tried passing policy doc as a request body and header - "Content-Type:application/x-www-form-urlencoded". (body is JSON converted to string)
Tried passing policy doc as a query parameter which is url-encoded
Note - Both these methods worked fine when testing them through postman
Unfortunately I cannot use the AWS SDK and I must use the REST API for AWS services (I am working with Flutter Web).
So I started to do research on the AWS docs, and this is what I did:
Create bucket.
Make all permissions public (for test only).
Open access point.
Then in Postman, under "Auth", I am using AWS Signature and added the current keys,
except the session token (my bucket is open and I understood that I don't need it; if I am mistaken, please correct me).
When I send the request I get an error:
Missing required header for this request: x-amz-content-sha256
Just ran into this issue too - the Service Name must be 's3' vs 'S3'.
According to the AWS documentation, you need to send the x-amz-content-sha256 header in the request:
The x-amz-content-sha256 header is required for all AWS Signature Version 4 requests. It provides a hash of the request payload. If there is no payload, you must provide the hash of an empty string.
Seems like Postman is not adding it for some reason. You should check the Headers and add manually then.
try replacing S3 with s3 for the service name.
I too faced this issue and after adding session token parameter it got resolved. Postman has the provision to generate the below parameters,
X-Amz-Content-Sha256
Authorization
x-amz-security-token
X-Amz-Date
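An added example, not part of any post above and not AWS's own code: a minimal Signature Version 4 signer for a body-less GET, showing how the x-amz-content-sha256 value, the lowercase service name in the credential scope, and a URL-encoded PolicyDocument (as in the CreatePolicy question) all feed into the signature. The secret key, timestamp, policy name and policy document are constructed placeholders.

```python
import hashlib
import hmac
import json
from urllib.parse import quote

def uri_encode(value):
    # SigV4 canonical encoding: keep only A-Z a-z 0-9 - _ . ~ (space -> %20, never '+').
    return quote(value, safe="-_.~")

def canonical_query(params):
    # Encode the RAW names and values exactly once, then sort by encoded name.
    pairs = sorted((uri_encode(k), uri_encode(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)

def payload_hash(body=b""):
    # Value of x-amz-content-sha256; for a body-less request, the hash of b"".
    return hashlib.sha256(body).hexdigest()

def sign_get(params, host, region, service, secret_key, amz_date):
    """Return the SigV4 signature for a body-less GET on path '/'."""
    headers = {"host": host, "x-amz-content-sha256": payload_hash(),
               "x-amz-date": amz_date}
    names = sorted(headers)
    canonical_request = "\n".join([
        "GET", "/", canonical_query(params),
        "".join(f"{n}:{headers[n]}\n" for n in names),
        ";".join(names), payload_hash()])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):  # date, region, service, "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

# Constructed sample input: placeholder secret, fixed timestamp, toy policy.
SECRET = "EXAMPLE-SECRET-NOT-A-REAL-KEY"
POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"}]})
PARAMS = {"Action": "CreatePolicy", "Version": "2010-05-08",
          "PolicyName": "example-policy", "PolicyDocument": POLICY}

if __name__ == "__main__":
    args = ("iam.amazonaws.com", "us-east-1", "iam", SECRET, "20240101T000000Z")
    print("x-amz-content-sha256:", payload_hash())
    print("canonical query     :", canonical_query(PARAMS))
    print("signature           :", sign_get(PARAMS, *args))
    # Signing an already-encoded document double-encodes it: different signature.
    pre_encoded = {**PARAMS, "PolicyDocument": quote(POLICY)}
    print("double-encoded      :", sign_get(pre_encoded, *args))
```

Comparing the canonical query string printed here with the one a failing client builds is a quick way to spot an encoding difference before looking at the keys.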
I am trying to create a queue in SQS by hitting their API using Postman. I have already created an IAM account and generated the key corresponding to the user. Still, I am getting the access denied error. The following is the POST request that I am trying to hit:
https://sqs.us-east-2.amazonaws.com/123456789012/MyQueue/
?Action=CreateQueue
&QueueName=MyQueue
&Attribute.1.Name=DelaySeconds
&Attribute.1.Value=45
&Expires=2020-12-20T22%3A52%3A43PST
&Version=2012-11-05
&AUTHPARAMS
I have entered a proper combination of accessKey and secretKey and all other required field. I am getting the error
<AccessDeniedException>
<Message>Unable to determine service/operation name to be
authorized</Message>
</AccessDeniedException>
There is no way to make the queue public on SQS. The same response comes back when trying any different method. Any leads will be helpful. Thanks in advance.
I think you should remove "MyQueue/" from the URL. The right code should look like the following:
https://sqs.us-east-2.amazonaws.com/
?Action=CreateQueue
&QueueName=MyQueue
&Attribute.1.Name=VisibilityTimeout
&Attribute.1.Value=40
&Expires=2020-10-18T22%3A52%3A43PST
&Version=2012-11-05
&AUTHPARAMS
For more info:
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_CreateQueue.html
I have created an API Key and added it to my functions. I have then deployed the api and tested it but still get:
"message": "Forbidden"
How do I pass the api key with my JSON request as I have been using "x-api-key": "theKey"?
The x-api-key parameter is passed as an HTTP header parameter (i.e. it is not added to the JSON body). How you pass HTTP headers depends on the HTTP client you use.
For example, if you use curl and assuming that you POST the JSON payload, a request would look something like (where you replace [api-id] with the actual id and [region] with the AWS region of your API):
$ curl -X POST -H "x-api-key: theKey" -H "Content-Type: application/json" -d '{"key":"val"}' https://[api-id].execute-api.[region].amazonaws.com
I had to add an API Usage plan, and then link the plan to the API stage.
Seems like this is the only way to link the key to the API, not sure if this is a recent change on AWS.
If you set 'API Key Required' option to true, please check below.
you have to pass 'x-api-key' HTTP Header Parameter to API Gateway.
The API Key had to be created.
In addition, you need to check a Usage Plan for the API Key on API Gateway Console.
If you set 'API' key required to true, you need to pass the api key as header.
API Key is passed as header field 'x-api-key'. Even after adding this field in header, this issue may occur. In that case, please validate below points
Do you have a Usage Plan? If not, you need to create one.
Link your API with the Usage Plan. For that, add a stage; it will link your API.
Do you have an API Key? If not, you need to create an API Key and enable it.
Add the Usage Plan which is linked with your API to this API Key. For that, add Usage Plan.
I hope you are not missing to link the API key with the API
I was able to get a successful response from Lambda using below configuration in Postman native app -
Under the Authorization tab (for some reason this didn't work when I passed the same parameters under Headers)
Key : x-api-key
Value : your-api-key-value
Add to : Header
I don't have enough reputation to post this as a comment, but I was finally able to find the document specifying that 'x-api-key' belongs in the header for API Gateway calls that come from outside clients (like Postman, Swagger, etc.) in the AWS Documentation.
The relevant part:
To use header-sourced API keys:
Create an API with desired API methods. And deploy the API to a
stage.
Create a new usage plan or choose an existing one. Add the deployed
API stage to the usage plan. Attach an API key to the usage plan or
choose an existing API key in the plan. Note the chosen API key
value.
Set up API methods to require an API key.
Redeploy the API to the same stage. If you deploy the API to a new
stage, make sure to update the usage plan to attach the new API
stage.
The client can now call the API methods while supplying the x-api-key
header with the chosen API key as the header value.
Choose an API key source
For Private API Gateways accessed through public DNS, we need to pass additional header of 'x-apigw-api-id' with the api id along with 'x-api-key' if configured.
curl -v https://{vpce-id}.execute-api.{region}.vpce.amazonaws.com/test -H 'x-apigw-api-id:{api-id}'
It's documented below:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-private-api-test-invoke-url.html#w20aac13c16c28c11
Here is a good resource explaining different reasons why we could be getting a Forbidden. The two most important are the request URL and the x-api-key header:
https://{api_id}.execute-api.{region}.amazonaws.com/{stage_name}/{resource_name}
A missing stage name will give you a 403, for example. Maybe for security reasons the response does not reveal an issue with the stage name, and thus you get a generic Forbidden.
I faced the same problem today. I had already mapped the API key to the usage plan (which was linked to the api gateway stage). I was also passing the api key in header correctly.
When none of these solutions work, do remember to check if your API is linked to WAF policy with only a certain ip-addresses permitted. Apparently, my IP address had changed today. So, WAF was blocking me. That can be an additional reason to get {"message": "Forbidden"} error.
I am using Amazon's ItemLookup API to get the details of a book, given its ISBN.
I have made a request to Amazon AWS with the URL:
http://webservices.amazon.com/onca/xml?AWSAccessKeyId=access_key&Keywords=0439708184&Operation=ItemSearch&ResponseGroup=ItemAttributes%2COffers&SearchIndex=Books&Service=AWSECommerceService&Timestamp=2015-03-23T16%3A04%3A21Z&Version=2009-01-06&Signature=hashed_signature
And all I get from above request is :
<Message>Your request is missing required parameters. Required parameters include AssociateTag.</Message>
Later on, I generated an AssociateTag for myself and passed it in the query string, but that did not help either. Instead, it gave me another message: "Signature does not match."
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message>
After adding the associate tag, my query string looks like this:
http://webservices.amazon.com/onca/xml?AWSAccessKeyId=access_key&Keywords=0439708184&Operation=ItemSearch&ResponseGroup=ItemAttributes%2COffers&SearchIndex=Books&Service=AWSECommerceService&Timestamp=2015-03-23T16%3A04%3A21Z&Version=2009-01-06&AssociateTag=hemant-20&Signature=hashed_signature
Am I missing anything basic here?
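An added example, not the asker's code and not Amazon's: the HMAC-SHA256 query signing used by this legacy Product Advertising API endpoint, run over the parameters from the two URLs above. It shows that the signature covers every query parameter in byte-sorted order, so a signature computed before AssociateTag was added cannot match the new query string. The secret key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

HOST, PATH = "webservices.amazon.com", "/onca/xml"

def enc(value):
    # RFC 3986 percent-encoding: only A-Z a-z 0-9 - _ . ~ stay unencoded.
    return quote(value, safe="-_.~")

def canonical_query(params):
    # Byte-order sort of names: "AWSAccessKeyId" sorts before "AssociateTag".
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))

def string_to_sign(params):
    return f"GET\n{HOST}\n{PATH}\n{canonical_query(params)}"

def sign(params, secret_key):
    digest = hmac.new(secret_key.encode(), string_to_sign(params).encode(),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def signed_url(params, secret_key):
    # Signature is computed over all other parameters, then appended
    # percent-encoded ('+', '/' and '=' in base64 are not URL-safe).
    sig = enc(sign(params, secret_key))
    return f"http://{HOST}{PATH}?{canonical_query(params)}&Signature={sig}"

SECRET = "EXAMPLE-SECRET-NOT-A-REAL-KEY"  # constructed placeholder
BASE = {"AWSAccessKeyId": "access_key", "Keywords": "0439708184",
        "Operation": "ItemSearch", "ResponseGroup": "ItemAttributes,Offers",
        "SearchIndex": "Books", "Service": "AWSECommerceService",
        "Timestamp": "2015-03-23T16:04:21Z", "Version": "2009-01-06"}
TAGGED = {**BASE, "AssociateTag": "hemant-20"}

if __name__ == "__main__":
    print("signature without tag:", sign(BASE, SECRET))
    print("signature with tag   :", sign(TAGGED, SECRET))
    print(signed_url(TAGGED, SECRET))
```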