fix: AWS region selection for SigV4 signing unmanaged endpoints #14037

Open
wants to merge 1 commit into
base: master

Zordrak commented Mar 19, 2025

Summary

A couple of bugs are reported with issues using HTTP Request with AWS Credentials. n8n uses SigV4 signing (as opposed to SigV4a) which requires that the service's region is included in the signing request, and the region must match the region the service endpoint is hosted in.

Mostly the problems seem to be S3, where the code expects that the second part of the URL will be a region (service.region.amazonaws.com), where with S3 it is slightly different (bucket.s3-region.amazonaws.com or bucket.s3.amazonaws.com), resulting in attempts to sign with service identifiers like "aws:amz:s3:s3" instead of "aws:amz:s3:us-east-1".

This PR should simultaneously fix the S3 issues, and issues where someone's default credentials specify a region they are working in, but they use a global endpoint such as IAM or Route53 where the URL does not contain a region, and being hosted in us-east-1, the only acceptable signing region is us-east-1.

This all said, I have personally come down this rabbit hole because I am having trouble using HTTP Request with AWS IAM, and the error I get is not that the region is unexpected, but that the signature doesn't match at all. I still haven't resolved this problem and I may have to resort to running local copies to do some deep debugging. However, if one of the team is able to check over this PR, and locally test the behaviour of using HTTP Request with AWS IAM, it may be that you can more quickly root out the problem. Ultimately it ought to be a simple use case to specify AWS credentials, and use them for an HTTP Request node:

  • URL: https://iam.amazonaws.com/
  • Type: POST (GET is also supported, but POST seems most canonical)
  • Content-Type: x-www-url-encoded
  • Content: Action=ListUsers&Version=2010-05-08

For anyone happening into this issue, the correct behaviour can be easily emulated with curl:

curl \
  -X POST \
  --user "${AWS_ACCESS_KEY_ID}":"${AWS_SECRET_ACCESS_KEY}" \
  --aws-sigv4 "aws:amz:us-east-1:iam" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'Action=ListUsers&Version=2010-05-08' \
  "https://iam.amazonaws.com/"

EDIT: The IAM issue is an unrelated bug for which a fix is offered in #14060

Related Linear tickets, Github issues, and Community forum posts

fixes #10459
fixes #12216
fixes N8N-7962
Related to (kinda): #14060

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created. -- NOTE As a pure bugfix, should require no docfix.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)
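
The hostname shapes listed in the summary above, as an added TypeScript sketch that is not the PR's diff and not n8n's code. `resolveSigningScope` and its constants are hypothetical names, and it assumes that any amazonaws.com host without a region label is a global endpoint signed as us-east-1. It goes slightly beyond the summary by also accepting the dotted `bucket.s3.<region>.amazonaws.com` form.

```typescript
// Added illustration; every name here is hypothetical, not n8n's API.
interface SigningScope {
  service: string;
  region: string;
}

// Region labels such as us-east-1, eu-west-1, ap-southeast-2, us-gov-west-1.
const REGION_LABEL = /^[a-z]{2}(?:-[a-z]+)+-\d+$/;
// Assumption: a host with no region label is a global endpoint signed as us-east-1.
const GLOBAL_ENDPOINT_REGION = 'us-east-1';
const AWS_SUFFIX = '.amazonaws.com';

function resolveSigningScope(url: string): SigningScope {
  const match = /^https?:\/\/(?:[^\/?#@]*@)?([^\/:?#]+)/i.exec(url);
  if (!match) throw new Error(`Not an http(s) URL: ${url}`);
  const host = (match[1] ?? '').toLowerCase();
  if (host.slice(-AWS_SUFFIX.length) !== AWS_SUFFIX) {
    throw new Error(`Not an amazonaws.com host: ${host}`);
  }
  // Labels left of the suffix, e.g. ['my-bucket', 's3-eu-west-1'].
  const labels = host.slice(0, -AWS_SUFFIX.length).split('.');

  // Scan right to left so a bucket name (even one that looks like a region)
  // can never be mistaken for the service or region label.
  for (let i = labels.length - 1; i >= 0; i--) {
    const label = labels[i] ?? '';
    if (i > 0 && REGION_LABEL.test(label)) {
      // service.<region>.amazonaws.com, including bucket.s3.<region>.amazonaws.com
      return { service: labels[i - 1] ?? '', region: label };
    }
    if (label === 's3') {
      // bucket.s3.amazonaws.com: no region to the right, so the global endpoint
      return { service: 's3', region: GLOBAL_ENDPOINT_REGION };
    }
    if (label.slice(0, 3) === 's3-' && REGION_LABEL.test(label.slice(3))) {
      // bucket.s3-<region>.amazonaws.com
      return { service: 's3', region: label.slice(3) };
    }
  }
  // No region in the host: iam.amazonaws.com, route53.amazonaws.com
  return { service: labels[labels.length - 1] ?? '', region: GLOBAL_ENDPOINT_REGION };
}
```

The credential's default region is deliberately not an input here: for the hosts above, the signing region is determined by the endpoint alone.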

CLAassistant commented Mar 19, 2025

CLA assistant check
All committers have signed the CLA.

n8n-assistant bot added the community, node/improvement and in linear labels on Mar 19, 2025

Joffcom (Member) commented Mar 19, 2025

Hey @Zordrak,

Thanks for the PR. We have created "GHC-1270" as the internal reference to get this reviewed.

One of us will be in touch if there are any changes needed. In most cases this is normally within a couple of weeks, but it depends on the current workload of the team.

3 participants