"Credential should be scoped to a valid region" alexa top sites service from AWS-CodePudding

I am trying to reach alexa topsites service. Based on that i have copied the code from Alexa's documentation.

The code is below:

import sys, os, base64, datetime, hashlib, hmac 
import requests 



method = 'GET'
service = "AlexaTopSites"
host = "ats.amazonaws.com"
region = 'us-east-1'
endpoint = "ats.us-east-1.amazonaws.com"



request_parameters="Action=TopSites&Count=100&CountryCode=BR&ResponseGroup=Country&Start=301&Url=yahoo.com"




def sign(key, msg):
    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()

def getSignatureKey(key, dateStamp, regionName, serviceName):
    kDate = sign(('AWS4'   key).encode('utf-8'), dateStamp)
    kRegion = sign(kDate, regionName)
    kService = sign(kRegion, serviceName)
    kSigning = sign(kService, 'aws4_request')
    return kSigning


access_key = AWS_ACCESS_KEY_ID
secret_key = AWS_SECRET_KEY



t = datetime.datetime.utcnow()
amzdate = t.strftime('%Y%m%dT%H%M%SZ')
datestamp = t.strftime('%Y%m%d') # Date w/o time, used in credential scope



canonical_uri = '/' 
canonical_querystring = request_parameters
canonical_headers = 'host:'   host   '\n'   'x-amz-date:'   amzdate   '\n'
signed_headers = 'host;x-amz-date'
payload_hash = hashlib.sha256(('').encode('utf-8')).hexdigest()
canonical_request = method   '\n'   canonical_uri   '\n'   canonical_querystring   '\n'   canonical_headers   '\n'   signed_headers   '\n'   payload_hash



algorithm = 'AWS4-HMAC-SHA256'
credential_scope = datestamp   '/'   region   '/'   service   '/'   'aws4_request'
string_to_sign = algorithm   '\n'    amzdate   '\n'    credential_scope   '\n'    hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()


signing_key = getSignatureKey(secret_key, datestamp, region, service)


signature = hmac.new(signing_key, (string_to_sign).encode('utf-8'), hashlib.sha256).hexdigest()


authorization_header = algorithm   ' '   'Credential='   access_key   '/'   credential_scope   ', '    'SignedHeaders='   signed_headers   ', '   'Signature='   signature

headers = {'Authorization':authorization_header,"Content-Type":"application/xml",'X-Amz-Date':amzdate, "Accept":"application/xml"}


url="https://ats.amazonaws.com/api" "?" request_parameters

r = requests.get(url, headers=headers)
r.text

Error message is below

<?xml version="1.0" ?>\n<aws:TopSitesResponse xmlns:aws="http://ats.amazonaws.com/doc/2005-10-05">\n  <aws:Response xmlns:aws="http://ats.amazonaws.com/doc/2005-07-11">\n    <aws:OperationRequest>\n      <aws:RequestId></aws:RequestId>\n    </aws:OperationRequest>\n    <aws:TopSitesResult>\n      <aws:Alexa>\n        <aws:Request>\n          <aws:Errors>\n            <aws:Error>\n              <aws:ErrorCode><![CDATA["Credential should be scoped to a valid region, not \'us-east-1\'. "]]></aws:ErrorCode>\n            </aws:Error>\n          </aws:Errors>\n        </aws:Request>\n      </aws:Alexa>\n    </aws:TopSitesResult>\n    <aws:ResponseStatus xmlns:aws="http://alexa.amazonaws.com/doc/2005-10-05/">\n      <aws:StatusCode>Error</aws:StatusCode>\n    </aws:ResponseStatus>\n  </aws:Response>\n</aws:TopSitesResponse>

The exact error code is below

<aws:ErrorCode><![CDATA["Credential should be scoped to a valid region, not \'us-east-1\'. "]]>

Actually i've removed IAM user and recreated many times as per the aws documentation but no joy. I believe that the region is correct. Though i have tried many different aws regions it didn't work for me .

I played with the parameters ( service = "blablalba", host="blablalba", endpoint = "blalbalba"), error response is always the same regardless of what parameters you pass to the arguements , the error is always the same.

method = 'GET'
service = "AlexaTopSites"
host = "ats.amazonaws.com"
region = 'us-east-1'
endpoint = "ats.us-east-1.amazonaws.com"

What only changes in the error code is the region part. If you put region = "hohoho" , i get the error response as

"Credential should be scoped to a valid region, not \'hohoho\'. "

PS: I am subscribed to TopSites service from AWS market place.

CodePudding user response：

The endpoint URL needs to it's subdomain to match the region your credentials are located in. So if you have region = "us-east-1" you'll need to call ats.us-east-1.amazonaws.com as the base URL. If you need to change regions you can define the region variable and then use it to form the base endpoint variable url = f'https://ats.{region}.amazonaws.com' for ease of use.