awscr-signer's Introduction

awscr-signer

Crystal interface for AWS Signing.

Supports signing or presigning Crystal HTTP::Request objects.

Installation

Add this to your application's shard.yml:

dependencies:
  awscr-signer:
    github: taylorfinnell/awscr-signer

Usage

Create a Signer::Signers::V4 object.

signer = Awscr::Signer::Signers::V4.new("service", "region", "key", "secret")

or

Create a Signer::Signers::V2 object.

signer = Awscr::Signer::Signers::V2.new("service", "region", "key", "secret")

Signing an HTTP::Request.

signer.sign(request)

Signing a String.

signer.sign("my string")

Presign an HTTP::Request.

signer.presign(request)

Examples

S3

For S3 specific support see awscr-s3.

Known Limitations

The following items are known issues.

  • The request URI can not contain repeating slashes.
  • The request headers can not have new line separated values.
  • The request path can not contain spaces.

awscr-signer's People

Contributors

carlhoerberg, caspiano, chrisbirster, jackturnbull, jrester, marzhaev, taylorfinnell, xaviablaza, y2k2mt

awscr-signer's Issues

SES send email

I'm curious if this is something you've tried or how it can be achieved. I keep getting error code 400 - BAD REQUEST.

I'm able to use this similar code to retrieve private files from S3.

Here is what I'm currently doing:

SES_REGION = "us-west-2"
SES_HOST   = "email.#{SES_REGION}.amazonaws.com"
KEY        = ENV["AWS_ACCESS_KEY"]
SECRET     = ENV["AWS_SECRET_KEY"]

private def creds
  Awscr::Signer::Credentials.new(KEY, SECRET)
end

private def ses_scope
  Awscr::Signer::Scope.new(SES_REGION, "ses")
end

url = String.build do |io|
  HTTP::Params.from_hash({
    "Action"                           => "SendEmail",
    "Source"                           => "[email protected]",
    "Destination.ToAddresses.member.1" => "[email protected]",
    "Message.Subject.Data"             => "test",
    "Message.Body.Text.Data"           => "test",
  }).to_s(io)
end

client = HTTP::Client.new(SES_HOST, 443, true)
client.before_request do |request|
  request.headers["Host"] = SES_HOST
  signer = Awscr::Signer::V4.new(request, ses_scope, creds)
  signer.sign
end

resp = client.get(url)

Support for Instance IAM credential fallback.

Fall back to using the meta-data interface to fill in credential information if none is provided.
This will allow users to invoke AWS calls via, say, the sqs shard without having credentials in cases
where the instance is authorized via IAM.
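
The fallback this request describes, as an added example that is not part of awscr-signer: it reads temporary role credentials from the EC2 instance metadata service using IMDSv2 session tokens. `InstanceCredentials` and `fetch_instance_credentials` are hypothetical names, and the "sqs" service and "us-west-2" region in the closing comment are placeholders.

```crystal
require "http/client"
require "json"

# Credential document served by the instance metadata service (IMDS).
struct InstanceCredentials
  include JSON::Serializable

  @[JSON::Field(key: "AccessKeyId")]
  getter access_key_id : String
  @[JSON::Field(key: "SecretAccessKey")]
  getter secret_access_key : String
  @[JSON::Field(key: "Token")]
  getter token : String
  @[JSON::Field(key: "Expiration")]
  getter expiration : String

  # Temporary credentials must be refreshed before this instant.
  def expired?(now : Time = Time.utc) : Bool
    Time.parse_rfc3339(expiration) <= now
  end
end

# IMDSv2: request a session token with PUT, then present it on each read.
def fetch_instance_credentials : InstanceCredentials
  imds = HTTP::Client.new("169.254.169.254")
  imds.connect_timeout = 1.second
  imds.read_timeout = 1.second
  session = imds.put("/latest/api/token",
    headers: HTTP::Headers{"X-aws-ec2-metadata-token-ttl-seconds" => "60"})
  raise "IMDSv2 token request failed (#{session.status_code})" unless session.success?
  auth = HTTP::Headers{"X-aws-ec2-metadata-token" => session.body}
  base = "/latest/meta-data/iam/security-credentials/"
  listing = imds.get(base, headers: auth)
  raise "no IAM role attached" unless listing.success?
  role = listing.body.lines.first
  InstanceCredentials.from_json(imds.get(base + role, headers: auth).body)
end

# Constructed sample document (placeholder values) so the parsing runs offline.
sample = %({"Code": "Success", "AccessKeyId": "ASIAEXAMPLEKEYID",
  "SecretAccessKey": "example-secret", "Token": "example-session-token",
  "Expiration": "2030-01-01T00:00:00Z"})
creds = InstanceCredentials.from_json(sample)
puts "usable: #{!creds.expired?(Time.utc(2029, 12, 31))}"

# With the shard installed, these feed the constructor from the Usage section:
#   Awscr::Signer::Signers::V4.new("sqs", "us-west-2",
#     creds.access_key_id, creds.secret_access_key)
# Temporary credentials also need creds.token sent in the
# X-Amz-Security-Token request header.
```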

version mismatch between tag and shard

The current v0.8.0 tag points to 0.7.0 of shard.yml.

$ git show v0.8.0:shard.yml | grep version
version: 0.7.0

This forces shards build to always fetch the repository.

Fetching https://github.com/taylorfinnell/awscr-signer.git
Installing awscr-signer (0.7.0 at 0.8.0)

Could you re-tag to f5fd505 or create a new tag v0.8.1 to current master?

InvalidSignatureException when keep-alive connection is retried

When a long lived HTTP connection times out and the http client has to reconnect the before_request will be executed again, but then there are already headers which I think this code will use: https://github.com/taylorfinnell/awscr-signer/blob/master/src/awscr-signer/signers/v4.cr#L83-L85

but that results in an InvalidSignatureException. It can be solved by deleting the headers first:

      @http.before_request do |request|
        request.headers.delete "Authorization"
        request.headers.delete "X-Amz-Content-Sha256"
        request.headers.delete "X-Amz-Date"
        signer.sign(request)
      end

DigitalOcean Spaces + `Connection: keep-alive` results in SignatureDoesNotMatch

My AWS client (hand-rolled because I need a few different services) uses a connection pool to avoid opening a new connection on every request, so it uses the Connection: keep-alive header.

When signing an S3-compatible request to DigitalOcean Spaces with that header in place, I get the following response:

<?xml version=\"1.0\" encoding=\"UTF-8\"?>
<Error>
  <Code>SignatureDoesNotMatch</Code>
  <RequestId>tx00000000000001dd041f0-005f164aec-364b4af-nyc3a</RequestId>
  <HostId>364b4af-nyc3a-nyc</HostId>
</Error>

Removing Connection: keep-alive or using AWS works just fine. It seems to be the combination of DO + the header. To be clear, I think this is actually an issue with DigitalOcean since it works fine with S3, but the fact that the official S3 libraries (which also hold connections open in a connection pool) work fine on DO Spaces seems to indicate that this shard may be doing something different with that particular header.

Issue with Crystal 0.30.0

Showing last frame. Use --error-trace for full trace.

In /usr/local/Cellar/crystal/0.30.0_1/src/comparable.cr:83:16

 83 | abstract def <=>(other : T)
                   ^--
Error: abstract `def Comparable(T)#<=>(other : T)` must be implemented by Awscr::Signer::Header

examples/request_signing_v4.cr works on Mac OS X but not on Linux

Hi,

First of all thank you for the great work on the signer.

It works flawlessly on Mac OS X but I cannot get it to work on Linux. I have tried it in a CentOS 8 container and the official Crystal Lang/alpine container with no luck.

Details:

Mac OS X:

crystal version -v
Crystal 1.0.0 (2021-03-22)

LLVM: 9.0.1
Default target: x86_64-apple-macosx
shards list
Shards installed:
  * awscr-signer (0.8.2)

Linux:

I'm using the Alpine Linux Docker container:

crystallang/crystal:latest-alpine
crystal --version
Crystal 1.0.0 [dd40a2442] (2021-03-22)

LLVM: 10.0.0
Default target: x86_64-unknown-linux-musl
shards list
Shards installed:
  * awscr-signer (0.8.2)

The error on Linux is:

<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId><----REDACTED----></AWSAccessKeyId><StringToSign>AWS4-HMAC-SHA256
20210514T222850Z
20210514/us-west-2/s3/aws4_request

I use the exact same credentials in both cases. Any thoughts on what may be going wrong?

Thanks!
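
The error body in the report above echoes the StringToSign the service computed, which can be compared line by line with the one built on the client to see which part diverges. The following is an added example, not code from awscr-signer or from the report; `server_string_to_sign` and `mismatched_fields` are hypothetical helpers, and the canonical request and error body are constructed samples that reuse the timestamp and scope shown above.

```crystal
require "xml"
require "digest/sha256"

# The four lines of a SigV4 StringToSign, in order.
FIELDS = ["algorithm", "request timestamp", "credential scope", "canonical request hash"]

# Pulls the StringToSign the service computed out of the error body.
def server_string_to_sign(error_xml : String) : String?
  XML.parse(error_xml).xpath_node("//StringToSign").try(&.content)
end

# Names the StringToSign lines on which client and service disagree.
def mismatched_fields(local : String, server : String) : Array(String)
  ours, theirs = local.lines, server.lines
  mismatches = [] of String
  FIELDS.each_with_index do |name, i|
    mismatches << name if ours[i]? != theirs[i]?
  end
  mismatches
end

# Constructed canonical request, as the client believes it was sent.
canonical = "GET\n/bucket/key.txt\n\nhost:example-bucket.s3.amazonaws.com\n" \
            "x-amz-date:20210514T222850Z\n\nhost;x-amz-date\n" \
            "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

local = ["AWS4-HMAC-SHA256", "20210514T222850Z",
         "20210514/us-west-2/s3/aws4_request",
         Digest::SHA256.hexdigest(canonical)].join('\n')

# Constructed error body: same time and scope, different request hash.
error_xml = <<-BODY
  <Error><Code>SignatureDoesNotMatch</Code><StringToSign>AWS4-HMAC-SHA256
  20210514T222850Z
  20210514/us-west-2/s3/aws4_request
  #{"0" * 64}</StringToSign></Error>
  BODY

server = server_string_to_sign(error_xml) || abort "no StringToSign in response"
puts mismatched_fields(local, server)
```

A mismatch in the timestamp or scope line points at the clock, region or service name; a mismatch only in the last line means the canonical request itself (path, query, signed headers or payload hash) differs between client and service.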

S3 pre-signed download url

Trying to generate an expiring s3 url, if I add ?Expires=#{epoch_time} to the request url, it seems Expires is removed from the url and is not added into headers.

Perhaps I'm doing something wrong.
