Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request is sent to RDS endpoint, but signed by docdb. #64

Open
moritalous opened this issue May 15, 2022 · 1 comment
Open

Request is sent to RDS endpoint, but signed by docdb. #64

moritalous opened this issue May 15, 2022 · 1 comment

Comments

@moritalous
Copy link

I have set up sig-v4-proxy with docker-compose.

version: "3"

services:
  sig-v4-proxy:
    image: public.ecr.aws/aws-observability/aws-sigv4-proxy:1.5
    volumes:
      - ./.aws:/root/.aws
    ports:
      - "8080:8080"
    environment:
      - AWS_SDK_LOAD_CONFIG=true
    command: ['-v']

I request rds.ap-northeast-1.amazonaws.com, but error due to signing by docdb service
(Sometimes it would be Neptune.)

curl -s -H 'host: rds.ap-northeast-1.amazonaws.com' 'http://localhost:8080/?Action=DescribeDBInstances&Version=2014-10-31'

<ErrorResponse xmlns="http://rds.amazonaws.com/doc/2014-10-31/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to correct service: 'rds'. </Message>
  </Error>
  <RequestId>2c8dcc75-87c9-421a-8c5d-4818489f5d0f</RequestId>
</ErrorResponse>

Log

2205-sig-v4-proxy-1  | time="2022-05-15T13:58:38Z" level=debug msg="Initial request dump:" request="GET /?Action=DescribeDBInstances&Version=2014-10-31 HTTP/1.1\r\nHost: rds.ap-northeast-1.amazonaws.com\r\nAccept: */*\r\nUser-Agent: curl/7.68.0\r\n\r\n"
2205-sig-v4-proxy-1  | time="2022-05-15T13:58:38Z" level=info msg="DEBUG: Request Signature:\n---[ CANONICAL STRING  ]-----------------------------\nGET\n/\nAction=DescribeDBInstances&Version=2014-10-31\nhost:rds.ap-northeast-1.amazonaws.com\nx-amz-date:20220515T135838Z\n\nhost;x-amz-date\ne3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n---[ STRING TO SIGN ]--------------------------------\nAWS4-HMAC-SHA256\n20220515T135838Z\n20220515/ap-northeast-1/docdb/aws4_request\n44422fd5808526e3aa2b9afc325b6b21c4cdcec2ce713f3144291252639facf9\n-----------------------------------------------------"
2205-sig-v4-proxy-1  | time="2022-05-15T13:58:38Z" level=debug msg="signed request" region=ap-northeast-1 service=docdb
2205-sig-v4-proxy-1  | time="2022-05-15T13:58:38Z" level=debug msg="proxying request" request="GET /?Action=DescribeDBInstances&Version=2014-10-31 HTTP/1.1\r\nHost: rds.ap-northeast-1.amazonaws.com\r\nAccept: */*\r\nAuthorization: AWS4-HMAC-SHA256 Credential=AKIA3SSOAQIFEARL35XE/20220515/ap-northeast-1/docdb/aws4_request, SignedHeaders=host;x-amz-date, Signature=785a279627141c870d8d6db25ab3a4d67f1191949ba067cb1f78187a2fa01d5c\r\nUser-Agent: curl/7.68.0\r\nX-Amz-Date: 20220515T135838Z\r\n\r\n"
2205-sig-v4-proxy-1  | time="2022-05-15T13:58:39Z" level=error msg="error proxying request" message="<ErrorResponse xmlns=\"http://rds.amazonaws.com/doc/2014-10-31/\">\n  <Error>\n    <Type>Sender</Type>\n    <Code>SignatureDoesNotMatch</Code>\n    <Message>Credential should be scoped to correct service: 'rds'. </Message>\n  </Error>\n  <RequestId>a717e22d-0016-4c7c-b1c2-cebbb01ff9b3</RequestId>\n</ErrorResponse>\n" request="GET https://rds.ap-northeast-1.amazonaws.com/?Action=DescribeDBInstances&Version=2014-10-31" status_code=403

Request to ec2 endpoint, work fine.

curl -s -H 'host: ec2.ap-northeast-1.amazonaws.com' 'http://localhost:8080/?Action=DescribeInstances&Version=2016-11-15'
@alvinlin123
Copy link
Collaborator

This is interesting, I will take a look. But as a workaround, you can use--name rds to override the service name.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alvinlin123 @moritalous