Home > Software engineering >  How to sign POST request with AWS Signature Version 4
How to sign POST request with AWS Signature Version 4

Time:08-07

For most of the code, I followed along with this python example provided by AWS, making the necessary changes for JS/node.

import axios from 'axios'
import {createHash, createHmac} from 'crypto'
import moment from 'moment'    
    
async function send() {
    
    const method = 'POST';
    const service = 'execute-api';
    const host = 'fjakldfda.execute-api.us-east-2.amazonaws.com';
    const region = 'us-east-2';

    const base = "https://"

    // POST requests use a content type header. For DynamoDB,
    // the content is JSON.
    const content_type = 'application/json';

    // DynamoDB requires an x-amz-target header that has this format:
    //     DynamoDB_<API version>.<operationName>
    //##...but I don't! Blank this out. 
    const amz_target = '';

    // Request parameters for CreateTable--passed in a JSON block.
    var request_parameters = `{"date":"today","content":"hello"}`

    // Key derivation functions. See:
    // http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html//signature-v4-examples-python
    function sign(key, msg) {
        return createHmac('sha256', key).update(msg).digest('utf-8')
    }

    function getSignatureKey(key, date_stamp, regionName, serviceName) {
        var kDate = sign(('AWS4'   key), date_stamp)
        var kRegion = sign(kDate, regionName)
        var kService = sign(kRegion, serviceName)
        var kSigning = sign(kService, 'aws4_request')
        return kSigning
    }

    // Read AWS access key from env. variables or configuration file. Best practice is NOT
    // to embed credentials in code.
    const access_key = "<CRED>"
    const secret_key = "<CRED>"

    // Create a date for headers and the credential string
    const amz_date = moment().utc().format("yyyyMMDDThhmmss")   "Z"
    const date_stamp =  moment().utc().format("yyyyMMDD")

    // ************* TASK 1: CREATE A CANONICAL REQUEST *************
    // http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

    // Step 1 is to define the verb (GET, POST, etc.)--already done.

    // Step 2: Create canonical URI--the part of the URI from domain to query 
    // string (use '/' if no path)
    const canonical_uri = '/prod/events/add-event'

    //// Step 3: Create the canonical query string. In this example, request
    // parameters are passed in the body of the request and the query string
    // is blank.
    const canonical_querystring = ''
    
    //## I am doing step 6 first so that I can include the payload hash in the cannonical header, per https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
    // Step 6: Create payload hash. In this example, the payload (body of
    // the request) contains the request parameters.
    const payload_hash = createHash('sha256').update(request_parameters).digest('hex');

    // Step 4: Create the canonical headers. Header names must be trimmed
    // and lowercase, and sorted in code point order from low to high.
    // Note that there is a trailing \n.
    const canonical_headers = 'host:'   host   '\n'   'x-amz-content-sha256:'   payload_hash   '\n'   'x-amz-date:'   amz_date   '\n'
    
    // Step 5: Create the list of signed headers. This lists the headers
    // in the canonical_headers list, delimited with ";" and in alpha order.
    // Note: The request can include any headers; canonical_headers and
    // signed_headers include those that you want to be included in the
    // hash of the request. "Host" and "x-amz-date" are always required.
    const signed_headers = 'host;x-amz-content-sha256;x-amz-date'

    // Step 7: Combine elements to create canonical request
    const canonical_request = method   '\n'   canonical_uri   '\n'   canonical_querystring   '\n'   canonical_headers   '\n'   signed_headers   '\n'   payload_hash

    // ************* TASK 2: CREATE THE STRING TO SIGN*************
    // Match the algorithm to the hashing algorithm you use, either SHA-1 or
    // SHA-256 (recommended)
    const algorithm = 'AWS4-HMAC-SHA256'
    const credential_scope = date_stamp   '/'   region   '/'   service   '/'   'aws4_request'
    const string_to_sign = algorithm   '\n'    amz_date   '\n'    credential_scope   '\n'    createHash('sha256').update(canonical_request).digest("utf-8")

    // ************* TASK 3: CALCULATE THE SIGNATURE *************
    // Create the signing key using the function defined above.
    const signing_key = getSignatureKey(secret_key, date_stamp, region, service)

    // Sign the string_to_sign using the signing_key
    const signature = ""   createHmac('sha256', signing_key).update(string_to_sign).digest('hex');

    // ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST *************
    // Put the signature information in a header named Authorization.
    const authorization_header = algorithm   ' '   'Credential='   access_key   '/'   credential_scope   ', '    'SignedHeaders='   signed_headers   ', '   'Signature='   signature

    // For DynamoDB, the request can include any headers, but MUST include "host", "x-amz-date",
    // "x-amz-target", "content-type", and "Authorization". Except for the authorization
    // header, the headers must be included in the canonical_headers and signed_headers values, as
    // noted earlier. Order here is not significant.
    const headers = {
        'X-Amz-Content-Sha256':payload_hash, 
        'X-Amz-Date':amz_date,
        'Authorization':authorization_header,
        'Content-Type':content_type
    }

    // ************* SEND THE REQUEST *************
    var response = await axios({
        method: method,
        baseURL: base   host, 
        url: canonical_uri,
        data:request_parameters,
        headers: headers,
    });
    console.log(response)
}

However, in the browser, this method fails with 403: MissingAuthenticationToken. Here is what the request looks like:

POST https://fjakldfda.execute-api.us-east-2.amazonaws.com/prod/events/add-event

HEADERS:
  Host: fjakldfda.execute-api.us-east-2.amazonaws.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
  Accept: application/json, text/plain, */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate, br
  Content-Type: application/json
  X-Amz-Content-Sha256: <HASH>
  X-Amz-Date: 20220805T035948Z
  Authorization: AWS4-HMAC-SHA256 Credential=<ACCESS_KEY>/20220805/us-east-2/execute-api/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=<SIGNATURE>
  Content-Length: 34
  Origin: http://localhost:3000
  Connection: keep-alive
  Referer: http://localhost:3000/
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: cross-site
DATA:
  {
      "date":"today",
      "content":"hello"
  }'

I can get the request to work in postman, however. Here is the cURL:

curl --location --request POST 'https://fjakldfda.execute-api.us-east-2.amazonaws.com/prod/events/add-event' \
--header 'X-Amz-Content-Sha256: <HASH>' \
--header 'X-Amz-Date: 20220805T035948Z' \
--header 'Authorization: AWS4-HMAC-SHA256 Credential=<ACCESS_KEY>/20220805/us-east-2/execute-api/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=<SIGNATURE>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "date":"today",
    "content":"hello"
}'

All of the headers match, except for the hashes, so I am forced to assume that there is an error in the way I hash/encode the signed headers.

TL;DR How do you correctly hash/sign a post request with AWS4?

CodePudding user response:

Finally got it. I switched to using crypto-js and it worked.

import moment from 'moment'
import crypto from 'crypto-js'
import axios, { CancelToken } from "axios"   
    
async function send() {         
    const access_key = "XXXX"
    const secret_key = "XXXX"
    const method = 'POST';
    const service = 'execute-api';
    const host = 'dfadfadfdafda.execute-api.us-east-2.amazonaws.com';
    const region = 'us-east-2';
    const base = "https://"
    const content_type = 'application/json';

    // DynamoDB requires an x-amz-target header that has this format:
    //     DynamoDB_<API version>.<operationName>
    const amz_target = '';

    function getSignatureKey(key, dateStamp, regionName, serviceName) {
        var kDate = crypto.HmacSHA256(dateStamp, "AWS4"   key);
        var kRegion = crypto.HmacSHA256(regionName, kDate);
        var kService = crypto.HmacSHA256(serviceName, kRegion);
        var kSigning = crypto.HmacSHA256("aws4_request", kService);
        return kSigning;
    }

    // ************* TASK 1: CREATE A CANONICAL REQUEST *************
    // http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html

    // Step 1 is to define the verb (GET, POST, etc.)--already done.

    // Step 2: Create canonical URI--the part of the URI from domain to query 
    // string (use '/' if no path)
    // Create a date for headers and the credential string
    const amz_date = moment().utc().format("yyyyMMDDThhmmss")   "Z"
    const date_stamp =  moment().utc().format("yyyyMMDD")

    //// Step 3: Create the canonical query string. In this example, request
    // parameters are passed in the body of the request and the query string
    // is blank.
    const canonical_querystring = ''

    //## DOing step 6 first so that I can include the payload hash in the cannonical header, per https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
    // Step 6: Create payload hash. In this example, the payload (body of
    // the request) contains the request parameters.
    //const payload_hash = hashlib.sha256(request_parameters.encode('utf-8')).hexdigest()
    const payload_hash = crypto.SHA256(request_parameters);

    // Step 4: Create the canonical headers. Header names must be trimmed
    // and lowercase, and sorted in code point order from low to high.
    // Note that there is a trailing \n.
    const canonical_headers = 'host:'   host   '\n'   'x-amz-content-sha256:'   payload_hash   '\n'   'x-amz-date:'   amz_date   '\n'
    
    // Step 5: Create the list of signed headers. This lists the headers
    // in the canonical_headers list, delimited with ";" and in alpha order.
    // Note: The request can include any headers; canonical_headers and
    // signed_headers include those that you want to be included in the
    // hash of the request. "Host" and "x-amz-date" are always required.
    const signed_headers = 'host;x-amz-content-sha256;x-amz-date'

    // Step 7: Combine elements to create canonical request
    const canonical_request = method   '\n'   canonical_uri   '\n'   canonical_querystring   '\n'   canonical_headers   '\n'   signed_headers   '\n'   payload_hash

    // ************* TASK 2: CREATE THE STRING TO SIGN*************
    // Match the algorithm to the hashing algorithm you use, either SHA-1 or
    // SHA-256 (recommended)
    const algorithm = 'AWS4-HMAC-SHA256'
    const credential_scope = date_stamp   '/'   region   '/'   service   '/'   'aws4_request'
    const string_to_sign = algorithm   '\n'    amz_date   '\n'    credential_scope   '\n'    crypto.SHA256(canonical_request);

    // ************* TASK 3: CALCULATE THE SIGNATURE *************
    // Create the signing key using the function defined above.
    const signing_key = getSignatureKey(secret_key, date_stamp, region, service)

    // Sign the string_to_sign using the signing_key
    const signature = crypto.HmacSHA256(string_to_sign, signing_key);
    // ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST *************
    // Put the signature information in a header named Authorization.
    const authorization_header = algorithm   ' '   'Credential='   access_key   '/'   credential_scope   ', '    'SignedHeaders='   signed_headers   ', '   'Signature='   signature

    // For DynamoDB, the request can include any headers, but MUST include "host", "x-amz-date",
    // "x-amz-target", "content-type", and "Authorization". Except for the authorization
    // header, the headers must be included in the canonical_headers and signed_headers values, as
    // noted earlier. Order here is not significant.
    const headers = {
        'X-Amz-Content-Sha256':payload_hash, 
        'X-Amz-Date':amz_date,
        //'X-Amz-Target':amz_target,
        'Authorization':authorization_header,
        'Content-Type':content_type
    }

    // ************* SEND THE REQUEST *************
    var response = await axios({
        method: method,
        baseURL: base   host, 
        url: canonical_uri,
        data:request_parameters,
        headers: headers,
    });
    console.log(response)
}
  • Related