API calls fail after PHP upgrade #3097

Mis741 opened this issue Mar 13, 2025 · 6 comments

Mis741 commented Mar 13, 2025

Describe the bug

Hello Team,

I am running a PHP web application on a Win11+Apache 2.4 machine. After upgrading PHP from 8.3 -> 8.4.4, every API call fails due to a credential issue. Everything worked fine with PHP 8.3. My credential file is stored in .aws in my user directory.

The exception message is: Could not resolve an authentication scheme: Signature V4 requires AWS credentials for request signing

Please ask for further information if necessary.

Kind regards
Michael

Here is the complete error stacktrace:

Exception: Could not resolve an authentication scheme: Signature V4 requires AWS credentials for request signing

#0 D:\Apps\Apache24\htdocs\Gimec4P\vendor\aws\aws-sdk-php\src\Auth\AuthSelectionMiddleware.php(87): Aws\Auth\AuthSchemeResolver->selectAuthScheme()
#1 D:\Apps\Apache24\htdocs\Gimec4P\vendor\aws\aws-sdk-php\src\Middleware.php(110): Aws\Auth\AuthSelectionMiddleware->__invoke()
#2 D:\Apps\Apache24\htdocs\Gimec4P\vendor\aws\aws-sdk-php\src\PresignUrlMiddleware.php(77): Aws\Middleware::{closure:{closure:Aws\Middleware::validation():93}:94}()
#3 D:\Apps\Apache24\htdocs\Gimec4P\vendor\aws\aws-sdk-php\src\IdempotencyTokenMiddleware.php(77): Aws\PresignUrlMiddleware->__invoke()
#4 D:\Apps\Apache24\htdocs\Gimec4P\vendor\aws\aws-sdk-php\src\AwsClientTrait.php(64): Aws\IdempotencyTokenMiddleware->__invoke()
#5 D:\Apps\Apache24\htdocs\Gimec4P\vendor\aws\aws-sdk-php\src\AwsClientTrait.php(58): Aws\AwsClient->executeAsync()
#6 D:\Apps\Apache24\htdocs\Gimec4P\vendor\aws\aws-sdk-php\src\AwsClientTrait.php(86): Aws\AwsClient->execute()
#7 D:\Apps\Apache24\htdocs\Gimec4P\Service\ServiceFunctions.php(747): Aws\AwsClient->__call()
#8 D:\Apps\Apache24\htdocs\Gimec4P\Controller\ProjectController.php(562): Gimec\Service\ServiceFunctions::stackInstances()
#9 D:\Apps\Apache24\htdocs\Gimec4P\index.php(46): Gimec\Controller\ProjectController->showProjectAction()
#10 {main}

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

API call to be executed

Current Behavior

Every API call fails

Reproduction Steps

Client initializing works fine:

use Aws\Ec2\Ec2Client;

$ec2Client = new Ec2Client([
    'version' => 'latest',
    'region'  => 'eu-central-1',
    'profile' => 'my-profile',
]);

But executing the API call fails:

$result = $ec2Client->describeInstances();

Possible Solution

No response

Additional Information/Context

No response

SDK version used

AWS/SDK PHP 3.342.4

Environment details (Version of PHP (php -v)? OS name and version, etc.)

PHP 8.4.4

Mis741 added the bug and needs-triage labels Mar 13, 2025
yenfryherrerafeliz self-assigned this Mar 14, 2025
yenfryherrerafeliz added the investigating and p2 labels and removed the needs-triage label Mar 14, 2025

yenfryherrerafeliz (Contributor) commented

Hi @Mis741, I just did a little investigation on this issue, and the only explanation for this error is that the SDK client is not able to load credentials from any source, and the reason for this is unrelated to the SDK. In my case, even after upgrading to PHP 8.4 I have no issues while having my credentials in a shared AWS file. So, you can try different things to understand what the issue may be, but my first suggestion would be to check if the PHP 8.4 installation is under another user's ownership, because this could cause the PHP executable to not have the permissions to read/load the resources from the .aws folder. Even if it is not under another user's ownership, you may want to check its permissions. For this you could create a test PHP file that tries to read any file from that folder using the PHP 8.4 executable and from the same context you are normally running your application. But please make sure you do not expose any sensitive information read from the credentials file.

I look forward to knowing how your investigation went.

Thanks!
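
The read test suggested in the comment above, as an added example that is not part of the original thread or of the SDK. It assumes the shared credentials file is located via `AWS_SHARED_CREDENTIALS_FILE`, then `HOME`, then `HOMEDRIVE` + `HOMEPATH`; the function names are hypothetical, and `my-profile` is the profile name from the report.

```php
<?php
// Added diagnostic, not part of the AWS SDK. Reports only paths, booleans and
// key names; secret values are never copied into the output.

// Assumption: lookup order mirrors the SDK's shared-file provider
// (AWS_SHARED_CREDENTIALS_FILE, then HOME, then HOMEDRIVE + HOMEPATH).
function candidateCredentialsPath(): ?string
{
    $explicit = getenv('AWS_SHARED_CREDENTIALS_FILE');
    if ($explicit) {
        return $explicit;
    }
    $home = getenv('HOME');
    if (!$home && getenv('HOMEDRIVE') && getenv('HOMEPATH')) {
        $home = getenv('HOMEDRIVE') . getenv('HOMEPATH');
    }
    return $home ? $home . DIRECTORY_SEPARATOR . '.aws' . DIRECTORY_SEPARATOR . 'credentials' : null;
}

function diagnoseSharedCredentials(string $profile): array
{
    $path = candidateCredentialsPath();
    $report = [
        'php_version'   => PHP_VERSION,
        'sapi'          => PHP_SAPI,
        'process_user'  => function_exists('posix_geteuid')
            ? (posix_getpwuid(posix_geteuid())['name'] ?? null)
            : (getenv('USERNAME') ?: null),
        'path'          => $path,
        'exists'        => $path !== null && is_file($path),
        'readable'      => $path !== null && is_readable($path),
        'profile_found' => false,
        'keys_present'  => [],
    ];
    if ($report['readable']) {
        // INI_SCANNER_RAW keeps values verbatim so odd characters in a secret
        // cannot break parsing; only the key names are copied into the report.
        $ini = parse_ini_file($path, true, INI_SCANNER_RAW) ?: [];
        if (isset($ini[$profile]) && is_array($ini[$profile])) {
            $report['profile_found'] = true;
            $report['keys_present'] = array_keys($ini[$profile]);
        }
    }
    return $report;
}

header('Content-Type: text/plain');
echo json_encode(diagnoseSharedCredentials('my-profile'), JSON_PRETTY_PRINT), "\n";
```

Request the script through Apache so it runs in the same context as the application, compare the result with a run from the command line, and delete the file afterwards. A `null` path or a different `process_user` under Apache means the web server process cannot see the home directory that holds `.aws`.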

yenfryherrerafeliz added the guidance and response-requested labels and removed the bug, investigating and p2 labels Mar 14, 2025

JBtje commented Mar 17, 2025

PHP 8.3.12, same problem using the latest version: 3.342.6

I downgraded to 3.339.17 and the error is gone and all is working as expected.

My assumption is that 'version' => 'latest', is the cause of the problem, and that latest has changed to a new version(?) that requires more or so?

github-actions bot removed the response-requested label Mar 18, 2025

stobrien89 (Member) commented

Hi @JBtje,

I don't think it's related to the api version, but it's still difficult to say. The best way for us to determine the cause is to get debug log output. Could you provide us the output of a failed call after adding 'debug' => true to your service client? Please redact any sensitive information, such as account numbers.

stobrien89 added the response-requested label Mar 18, 2025

JBtje commented Mar 19, 2025

Though I have solved my problem, it is still unclear to me as to why it suddenly happened.

Let's start with the obvious: The error indicates that you are trying to do something with an AWS service, but did not provide any authentication.

Authentication can be done via:

  • credentials provided directly
  • .aws folder with credentials in the home folder (Make sure the folder is in the home directory of the user that runs PHP)
  • IAM user on the EC2 instance (best practice)
  • possibly more?

In my case, I'm trying to sign something using KMS, which has worked since implementation. I thought that the version change 3.339.17 -> 3.342.6 was the cause, but one day later the same error happened with 3.339.17, meaning it's not the SDK version that caused the problem.

For now, I set the credentials in the KmsClient, and everyone is happy again.

        $kmsClient = new KmsClient( [
            'region'  => config( 'kms.sign.region' ),
            'version' => 'latest',
            // added credentials
            'credentials' => [
                'key'    => config( 'kms.sign.key' ),
                'secret' => config( 'kms.sign.secret' ),
            ],
        ] );

github-actions bot removed the response-requested label Mar 20, 2025

stobrien89 (Member) commented

Hi @JBtje,

Glad you were able to find a workaround. Would you mind telling (or showing) me how you were using KMS to sign things prior to these updates? We've made some changes to how auth schemes (v4, v4a, bearer, anonymous, etc.) are chosen and it seems we've overlooked something.


JBtje commented Mar 24, 2025

The IAM role(?) that is allowed to sign using KMS had the server IP addresses whitelisted "allowed". The server being an EC2 instance. Somehow this was enough to authenticate and use the IAM role for signing. The IAM role is not attached to the instance, so the whitelist was all there was.
