Amazon AWS IAM Returns 302 on POST request (signature version 2) - amazon-web-services

This is my exact request, minus credentials (throwaway key and cert):
```
POST / HTTP/1.1
Host: iam.amazonaws.com
cache-control: no-cache
connection: close
content-type: application/x-www-form-urlencoded; charset=utf-8
Accept: */*
User-Agent: Falcraft CMF

AWSAccessKeyId=XXX&Action=UploadServerCertificate&CertificateBody=-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----&Path=/&PrivateKey=-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY----&ServerCertificateName=testCertificate1&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2014-03-08T03:13:56.000Z&Version=2010-05-08&Signature=XXXX
```
Here is my exact reply:
```
HTTP/1.1 302 Moved Temporarily
x-amzn-RequestId: b036aa40-a66f-11e3-9c2e-71bc7ad65b2e
Location: http://aws.amazon.com/iam
Content-Length: 0
Date: Sat, 08 Mar 2014 03:13:57 GMT
```
I've looked quite a bit at my code, request, and Google, but haven't found anything substantial on this problem.

Here's the answer:
Make sure you put a Content-Length header in your POST request (yeah, I know, overlooked it).
The Content-Length header must be the length of your request, urlencoded!
Urlencode your request (body) as well.
Then you should get a 200.
Hope this helps someone!
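The fix described in the answer above, as an added example that is not part of the original post: it percent-encodes the form parameters, signs them with Signature Version 2, and sets Content-Length to the byte length of the encoded body. The function names, access key, secret and certificate text are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values: the access key, secret and certificate text are placeholders.
SAMPLE_SECRET = "constructed-secret-key"
SAMPLE_PARAMS = {
    "AWSAccessKeyId": "AKIDEXAMPLE",
    "Action": "UploadServerCertificate",
    "CertificateBody": "-----BEGIN CERTIFICATE-----\nPLACE+HOLDER/BODY==\n-----END CERTIFICATE-----",
    "Path": "/",
    "ServerCertificateName": "testCertificate1",
    "SignatureMethod": "HmacSHA256",
    "SignatureVersion": "2",
    "Timestamp": "2014-03-08T03:13:56.000Z",
    "Version": "2010-05-08",
}

def enc(value):
    """RFC 3986 percent-encoding: only letters, digits and - _ . ~ stay literal."""
    return quote(value, safe="-_.~")

def build_sigv2_post(host, path, params, secret_key):
    """Return the raw bytes of a Signature Version 2 POST with a form-encoded body."""
    # Canonical query string: parameters sorted by name, names and values encoded.
    canonical = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    string_to_sign = "\n".join(["POST", host.lower(), path, canonical])
    digest = hmac.new(secret_key.encode(), string_to_sign.encode(), hashlib.sha256).digest()
    signature = base64.b64encode(digest).decode()
    # The body is the encoded parameters plus the encoded signature ('+', '/', '=' escaped).
    body = f"{canonical}&Signature={enc(signature)}".encode("ascii")
    head = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded; charset=utf-8",
        f"Content-Length: {len(body)}",  # byte length of the encoded body
        "Connection: close",
    ]
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii") + body

if __name__ == "__main__":
    print(build_sigv2_post("iam.amazonaws.com", "/", SAMPLE_PARAMS, SAMPLE_SECRET).decode())
```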

Related

Canonical Request to AWS Signature 4 is correct?

I'd like to ask if there's any error in my canonical request. I'm trying to create one to the AWS Secrets Manager, taking the sample request as an example.
Doc: https://docs.aws.amazon.com/pt_br/AmazonS3/latest/API/sig-v4-header-based-auth.html
Sample Request:
```
POST / HTTP/1.1
Host: secretsmanager.region.domain
Accept-Encoding: identity
X-Amz-Target: secretsmanager.GetSecretValue
Content-Type: application/x-amz-json-1.1
User-Agent:
X-Amz-Date:
Authorization: AWS4-HMAC-SHA256 Credential=,SignedHeaders=, Signature=
Content-Length:

{
"SecretId": "MyTestDatabaseSecret",
}
```
My Canonical Request:
```
POST
/GetSecretValue
accept-encoding:identity
content-type:application/x-amz-json-1.1
host:secretsmanager.sa-east-1.amazonaws.com
x-amz-content-sha256:beaead3198f7da1e70d03ab969765e0821b24fc913697e929e726aeaebf0eba3
x-amz-date:20230111T145646Z
x-amz-target:secretsmanager.getsecretvalue
accept-encoding;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-target
beaead3198f7da1e70d03ab969765e0821b24fc913697e929e726aeaebf0eba3
```
I made the changes that the documentation asked for, but when I try to recreate the signature with Postman, it comes out wrong.
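For comparison, an added example (not from the original post or from AWS) that builds a SigV4 canonical request in the documented layout: the canonical URI is the request path (`/` for the sample request), the empty canonical query string still occupies its own line, header names are lowercased while values keep their case, and a blank line separates the canonical headers from the signed-header list. Host, date and target are taken from the post; the payload, the secret and the function names are assumptions.

```python
import hashlib
import hmac

# Header values from the post's request; the payload is constructed for this example.
SAMPLE_HEADERS = {
    "Host": "secretsmanager.sa-east-1.amazonaws.com",
    "Accept-Encoding": "identity",
    "Content-Type": "application/x-amz-json-1.1",
    "X-Amz-Date": "20230111T145646Z",
    "X-Amz-Target": "secretsmanager.GetSecretValue",
}
SAMPLE_PAYLOAD = b'{"SecretId": "MyTestDatabaseSecret"}'

def canonical_request(method, uri, query, headers, payload):
    """Return (canonical request text, signed-header list) for SigV4."""
    # Lowercase and sort header names; trim values and collapse inner whitespace.
    canon = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    signed_headers = ";".join(name for name, _ in canon)
    lines = [method, uri, query]                      # query may be "" but keeps its line
    lines += [f"{name}:{value}" for name, value in canon]
    lines += ["", signed_headers, hashlib.sha256(payload).hexdigest()]
    return "\n".join(lines), signed_headers

def sign(secret, amz_date, region, service, creq):
    """Derive the SigV4 signing key and return the hex signature for creq."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(creq.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    # Chain HMACs over date, region, service and terminator, then over the string to sign.
    for part in (date, region, service, "aws4_request", to_sign):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key.hex()

if __name__ == "__main__":
    creq, _ = canonical_request("POST", "/", "", SAMPLE_HEADERS, SAMPLE_PAYLOAD)
    print(creq)
    print(sign("constructed-secret", "20230111T145646Z", "sa-east-1", "secretsmanager", creq))
```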

AWS Api Gateway: passing a multipart/form-data

I need to go through the AWS API Gateway. From the API Gateway the request is routed to EC2. The direct request to EC2 works. This is my request:
```
POST /TEST/resource HTTP/1.1
Host: xxxxxxxx.execute-api.yyyyyyyyyy.amazonaws.com
Content-Length: 358
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW

----WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="metadata"
{
"mimeType":"application/video",
"extension":"mp3",
"name":"MP3File.mp3"
}
----WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file"; filename="MP3File.mp3"
Content-Type: audio/mpeg
(data)
----WebKitFormBoundary7MA4YWxkTrZu0gW
```
My request is of type multi and consists of a file (MP3) and metadata (a string which represents a JSON payload).
I configured the APIGateway settings as follows:
This is the error I get on POSTMAN:
What am I doing wrong? Thanks for the support

Go AWS SDK "Unable to determine service/operation name to be authorized"

I am using the Go SDK to connect to the Kinesis Video Streams service. When issuing a GetMedia request, I'm receiving a 403 response with the following body:
```
<AccessDeniedException>
<Message>Unable to determine service/operation name to be authorized</Message>
</AccessDeniedException>
```
I am using LogLevel LogDebugWithHTTPBody to see this since the SDK is expecting JSON and receives XML, causing a SerializationError.
I am using Go 1.9.2 and have attempted this operation with both v1 and v2 of aws-sdk-go with the same result.
Here is my request:
```
POST /getMedia HTTP/1.1
Host: kinesisvideo.us-west-2.amazonaws.com
User-Agent: aws-sdk-go/2.0.0-preview.1 (go1.9.2; darwin; amd64)
Content-Length: 141
Authorization: AWS4-HMAC-SHA256 Credential=AKIAXXXXXXXXXXXXXX/20180112/us-west-2/kinesisvideo/aws4_request, SignedHeaders=content-length;host;x-amz-date, Signature=60c625357b67c64caed32f5a0924882f26ffc776211801e94e7ecae84e7213c2
X-Amz-Date: 20180112T012511Z
Accept-Encoding: gzip

{"StartSelector":{"StartSelectorType":"NOW"},"StreamARN":"arn:aws:kinesisvideo:us-west-2:XXXXXXXXXXXXX:stream/StreamTest/XXXXXXXXXXXXX"}
```
Response:
```
HTTP/1.1 403 Forbidden
Content-Length: 130
Date: Fri, 12 Jan 2018 01:25:11 GMT
X-Amzn-Requestid: 6f1701aa-f737-11e7-bcd5-c70a68e72add

<AccessDeniedException>
<Message>Unable to determine service/operation name to be authorized</Message>
</AccessDeniedException>
```
Any help would be greatly appreciated.
To follow up, I have tried to issue the HTTP request above directly with the Content-Type: application/json header added, and the response is now:
```
{
"Output": {
"__type": "com.amazon.coral.service#UnknownOperationException",
"message": null
},
"Version": "1.0"
}
```

I have found the solution. From the docs,
"You must first call the GetDataEndpoint API to get an endpoint to which you can then send the GetMedia requests."

EI and APIm: Response payload is wrapped inside binary element

1.1 - API Manager 2.1.0
If I send a POST request through a simple mediation (pass through) when the binary relay is enabled, the response payload generated by ESB is wrapped inside a binary element as follows:
```
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST
Access-Control-Allow-Headers: authorization,Access-Control-Allow-Origin,Content-Type,SOAPAction
Content-Type: text/xml; charset=UTF-8
Date: Tue, 16 Jan 2018 14:53:00 GMT
Transfer-Encoding: chunked
Connection: close

<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><ns:binary xmlns:ns="http://ws.apache.org/commons/ns/payload">DCAAAAApACkAAAJxdXVpZDo3MTRDNkM0MC00NT.......</ns:binary></soapenv:Body></soapenv:Envelope>
```
In ESB 5.0.0 and API Manager 2.0.0 all works well.

401 When trying to create an orgunit using Google API

I'm trying to use Google's Admin SDK to create an orgunit using a shell script. My script is as follows:
```
# Obtain a token we can use to modify the organisation
auth_header=`oauth2l header --json "..." "admin.directory.orgunit"`
customer_id=...
# Send the orgunit definition; "@file" makes curl read the request body from that file
curl -v -H "Content-Type: application/json" -X POST \
  --data-binary "@google-orgunits/technical.json" \
  --header "$auth_header" \
  "https://www.googleapis.com/admin/directory/v1/customer/$customer_id/orgunits"
```
This produces the output:
```
* Trying 216.58.196.138...
* Connected to www.googleapis.com (216.58.196.138) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 704 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification OK
* server certificate status verification SKIPPED
* common name: *.googleapis.com (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #3
* subject: C=US,ST=California,L=Mountain View,O=Google Inc,CN=*.googleapis.com
* start date: Wed, 05 Apr 2017 17:01:30 GMT
* expire date: Wed, 28 Jun 2017 16:56:00 GMT
* issuer: C=US,O=Google Inc,CN=Google Internet Authority G2
* compression: NULL
* ALPN, server accepted to use http/1.1
> POST /admin/directory/v1/customer/.../orgunits HTTP/1.1
> Host: www.googleapis.com
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Type: application/json
> Authorization: Bearer ...
> Content-Length: 157
>
* upload completely sent off: 157 out of 157 bytes
< HTTP/1.1 401 Unauthorized
< Vary: X-Origin
< WWW-Authenticate: Bearer realm="https://accounts.google.com/", error=invalid_token
< Content-Type: application/json; charset=UTF-8
< Date: Sat, 15 Apr 2017 06:26:27 GMT
< Expires: Sat, 15 Apr 2017 06:26:27 GMT
< Cache-Control: private, max-age=0
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Server: GSE
< Alt-Svc: quic=":443"; ma=2592000; v="37,36,35"
< Accept-Ranges: none
< Vary: Origin,Accept-Encoding
< Transfer-Encoding: chunked
<
{
"error": {
"errors": [
{
"domain": "global",
"reason": "required",
"message": "Login Required",
"locationType": "header",
"location": "Authorization"
}
],
"code": 401,
"message": "Login Required"
}
}
```
There must be some problem here: I appear to be obtaining a valid token, (looks like ya29.ElouBGKFig-nXZ9uykyGoDr0hxAxG5PMJTUh3VmtAtj2SAdYEbH2Coumjp5XoaF232oVx3--2EpTyNi5NgFBNrLINJij9tGL3-64MshEXjHhvkH-1NESoxPeVAU). I've followed all of the instructions here, enabled API access, authorized my API client, everything; but still, not working. Where have I gone wrong?
Try checking the documentation about Directory API: Authorize Requests
Every request your application sends to the Directory API must include an authorization token. The token also identifies your application to Google.
Here's the OAuth 2.0 scope information for the Directory API:
https://www.googleapis.com/auth/admin.directory.orgunit - Global scope for access to all organization unit operations.
https://www.googleapis.com/auth/admin.directory.orgunit.readonly - Scope for only retrieving organization units.
You can check the OAuth 2.0 Playground, an interactive demonstration of using OAuth 2.0 with Google (including the option to use your own client credentials). Also, there are many quickstarts that can help you properly authorize a request for the Admin SDK.
Hope this helps.