DotNet Credential should be scoped to a valid region when using CloudFront KeyValueStore

[genifycom]

Describe the bug

Error: "Credential should be scoped to a valid region" when attempting to read keys from the CloudFront KeyValueStore.

Might be related to #1097 in the JS AWS-SDK

Expected Behavior

As per AWS CLI, the keys/values are returned from the KeyValueStore

Current Behavior

c# Exception with the Message "Credential should be scoped to a valid region"

Reproduction Steps

The following c# code dementrates the issue. Checked kvarn using AWS CLI and results return as expected.

`
BasicAWSCredentials creds = new BasicAWSCredentials(aws_access_key, aws_secret_key);

        AmazonCloudFrontKeyValueStoreConfig config = new();
        config.SignatureVersion = "v4"; //Tried with and without
        config.RegionEndpoint = RegionEndpoint.USWest1; //Region of the provided keys

        AmazonCloudFrontKeyValueStoreClient kvs = new(creds, config);

        ListKeysRequest request = new()
        {
            KvsARN = kvarn,
            MaxResults = 10
        };

        try
        {
            var result = await kvs.ListKeysAsync(request);
        }
        catch (Exception ex)
        {
            var msg = ex.Message; //Credential should be scoped to a valid region.
        }

`

Possible Solution

Maybe something with signing as per #1097 in the JS AWS-SDK

Additional Information/Context

No response

AWS .NET SDK and/or Package version used

Targeted .NET Platform

.NET Core .8

Operating System and version

Windows 11

[normj]

@genifycom This is a bug on our side. The CloudFront KeyValueStore service uses SigV4a for signing and our automations systems didn't pick that up and is signing with SigV4 which causes the error you are seeing. We will work to get this addressed so it uses SigV4a.

If you need an immediate work around you can subclass AmazonCloudFrontKeyValueStoreClient and override the CreateSigner to force SigV4a. Below is an example.

public class AmazonCloudFrontKeyValueStoreClientWithSigV4a : AmazonCloudFrontKeyValueStoreClient
{
    public AmazonCloudFrontKeyValueStoreClientWithSigV4a(AWSCredentials creds, AmazonCloudFrontKeyValueStoreConfig config)
        : base(creds, config) { }

    public AmazonCloudFrontKeyValueStoreClientWithSigV4a(AmazonCloudFrontKeyValueStoreConfig config)
        : base(config) { }

    protected override AbstractAWSSigner CreateSigner()
    {
        return new Amazon.Runtime.Internal.Auth.AWS4aSignerCRTWrapper();
    }
}

Since this is using SigV4a you also need to include the AWSSDK.Extensions.CrtIntegration NuGet package for your project.

[muhammad-othman]

Good day @genifycom
We've created a fix to this bug in this PR #3144.
It will be included in today's release which should complete before 4pm PST.

[genifycom]

Thanks so much!

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[muhammad-othman]

@genifycom The release is completed, please update CloudFrontKeyValueStore nuget package to v3.7.300.28
I've tested it with the same code that you provided which didn't work before this release.

[genifycom]

Don't forget to add NuGet AWSSDK.Extensions.CrtIntegration v3.7.300 as a dependency for CloudFrontKeyValueStore v3.7.300.28 otherwise this will not work.

Thanks

[genifycom]

I tested with Windows and everything is fine. Under Android (MAUI Android) however

result = await kvs.ListKeysAsync(request); //Gives "The type initializer for 'Aws.Crt.NativeAPI' threw an exception"

The call stack shows nothing useful.

Using the latest:

	<PackageReference Include="AWSSDK.CloudFrontKeyValueStore" Version="3.7.301.11" />
	<PackageReference Include="AWSSDK.Extensions.CrtIntegration" Version="3.7.300.1" />

[dscpinheiro]

Oh, I think this is an issue with the CRT library, as far as I know it doesn't support .NET bindings on Android / IOS.

We have a separate issue with the same root cause (#2126), I'll close this one and also follow up on the aws-crt-dotnet repo (awslabs/aws-crt-dotnet#90).

[github-actions]

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.