InvalidSignatureException on retry after a call is throttled #533

Closed
3 tasks done
anthonybgale opened this issue Apr 16, 2020 · 3 comments · Fixed by #537 or #539
Labels: bug (This issue is a bug), duplicate (This issue is a duplicate)

Comments

anthonybgale commented Apr 16, 2020

Confirm by changing [ ] to [x] below to ensure that it's a bug:

Describe the bug
Signatures don't appear to be valid for the retry of a throttled call (at least in macie:associateMemberAccount).

I had a case where I was consistently seeing an InvalidSignatureException error for the 52nd call in a loop after some minor maintenance and dependency upgrades. After debugging for a while I found that I consistently get the following output for the failed call using a log level of aws.LogDebugWithHTTPBody in my client config:

-----------------------------------------------------
2020/04/16 20:16:05 DEBUG: Request Amazon Macie/AssociateMemberAccount Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: macie.us-east-1.amazonaws.com
User-Agent: aws-sdk-go/0.20.0 (go1.14.1; linux; amd64) exec-env/AWS_Lambda_go1.x
Content-Length: 34
Authorization: AWS4-HMAC-SHA256 Credential=redacted/20200416/us-east-1/macie/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=redacted
Content-Type: application/x-amz-json-1.1
X-Amz-Date: 20200416T201605Z
X-Amz-Security-Token: redacted
X-Amz-Target: MacieService.AssociateMemberAccount
Accept-Encoding: gzip

{"memberAccountId":"redacted"}
-----------------------------------------------------
2020/04/16 20:16:05 DEBUG: Response Amazon Macie/AssociateMemberAccount Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Content-Length: 97
Content-Type: application/x-amz-json-1.1
Date: Thu, 16 Apr 2020 20:16:05 GMT
X-Amzn-Requestid: 4cc2265b-fde3-4e5d-8bc7-b0cd13cef6f2


-----------------------------------------------------
2020/04/16 20:16:05 {"__type":"ThrottlingException","message":"Rate exceeded for the key = aws-account:redacted"}
2020/04/16 20:16:05 DEBUG: Request Amazon Macie/AssociateMemberAccount Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: macie.us-east-1.amazonaws.com
User-Agent: aws-sdk-go/0.20.0 (go1.14.1; linux; amd64) exec-env/AWS_Lambda_go1.x
Content-Length: 34
Amz-Sdk-Invocation-Id: 672A9DD0-0588-4A2F-9FDC-0E338ACCEBB7
Amz-Sdk-Request: attempt=1; max=3
Authorization: AWS4-HMAC-SHA256 Credential=redacted/20200416/us-east-1/macie/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=redacted
Content-Type: application/x-amz-json-1.1
X-Amz-Date: 20200416T201605Z
X-Amz-Security-Token: redacted
X-Amz-Target: MacieService.AssociateMemberAccount
Accept-Encoding: gzip

{"memberAccountId":"redacted"}
-----------------------------------------------------
2020/04/16 20:16:05 DEBUG: Response Amazon Macie/AssociateMemberAccount Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Content-Length: 229
Content-Type: application/x-amz-json-1.1
Date: Thu, 16 Apr 2020 20:16:05 GMT
X-Amzn-Requestid: db86761e-6fcd-4575-a9bf-851d35f8525d


-----------------------------------------------------
2020/04/16 20:16:05 {"__type":"InvalidSignatureException","message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."}
---[ REQUEST POST-SIGN ]-----------------------------

You can see that retry does not appear to have a valid signature.

Version of AWS SDK for Go?
This seems to occur in all recent versions (tested 0.17.0 - 0.20.0)

Version of Go (go version)?
1.14.1

To Reproduce (observed behavior)
I know this happens with macie:associateMemberAccount, not sure about other calls. To reproduce, make a call fast enough to get throttled. Observe the response from AWS when the call is retried.

Expected behavior
I expected the macie client to generate valid signatures for retries, as well as initial requests.

Additional context

This may be a duplicate of this issue.

anthonybgale changed the title from "InvalidSignatureException on 52nd and later calls with Macie client in AWS Lambda starting with v0.19.0" to "InvalidSignatureException on retry after a call is throttled" on Apr 16, 2020

anthonybgale (Author) commented:

It appears that the signature algorithm doesn't play well with the addition of the Amz-Sdk-Invocation-Id and Amz-Sdk-Request headers added to the signed headers on retry. If I blacklist those headers here then I don't have the issue with retries after throttle.

jasdel added the bug and duplicate labels Apr 21, 2020

jasdel commented Apr 21, 2020

Thanks for creating this issue @anthonybgale. I think the issue you are seeing is related to #521, like you mentioned. Something is modifying the request headers after the signature is getting created. Let's use #521 to track this issue.

jasdel closed this as completed Apr 21, 2020
jasdel added a commit to jasdel/aws-sdk-go-v2 that referenced this issue Apr 21, 2020
Fixes the SDK's adding the request metadata headers in the wrong
location within the request handler stack. This created a situation
where a request that was retried would sign the new attempt using the
old value of the header. The header value would then be changed before
sending the request.

This moves the request invocation id to only occur during build,
maintaining its value across all request attempts. Also moves the request
retry metadata header to be before sign, and after build. This ensures
that a new value for each attempt can be set, and included in each
request attempt.

Fix aws#533
Fix aws#521
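To make the ordering problem described in this commit concrete, here is an added Go example (not SDK code) that models a SigV4-style signature over the signed header set and a service-side recomputation: in the buggy order the retry handler rewrites `amz-sdk-request` after the signer has run, in the fixed order it runs between build and sign. The header values come from the log above; the signing key and the headers-only canonical request are simplifying assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"sort"
)

// Constructed key; real SigV4 derives it from the secret key, date, region and service.
var signingKey = []byte("constructed-signing-key")
// sign HMACs the SigV4 canonical header list (lowercase names, sorted, one
// "name:value" line each). Method, path, query and payload are left out here.
func sign(h map[string]string) string {
	names := make([]string, 0, len(h))
	for n := range h {
		names = append(names, n)
	}
	sort.Strings(names)
	m := hmac.New(sha256.New, signingKey)
	for _, n := range names {
		m.Write([]byte(n + ":" + h[n] + "\n"))
	}
	return hex.EncodeToString(m.Sum(nil))
}

// verify is the service side: recompute over the headers actually received.
func verify(h map[string]string, sig string) bool {
	return hmac.Equal([]byte(sign(h)), []byte(sig))
}

// retryAttempt models the issue's second attempt: amz-sdk-request still holds
// the previous value when the signer runs. false = the retry handler rewrites
// it after signing (the bug); true = it runs between build and sign (the fix).
func retryAttempt(metadataBeforeSign bool) bool {
	h := map[string]string{
		"host":                  "macie.us-east-1.amazonaws.com",
		"x-amz-date":            "20200416T201605Z",
		"amz-sdk-invocation-id": "672A9DD0-0588-4A2F-9FDC-0E338ACCEBB7", // set once at build
		"amz-sdk-request":       "attempt=1; max=3",                     // stale value
	}
	if metadataBeforeSign {
		h["amz-sdk-request"] = "attempt=2; max=3"
	}
	sig := sign(h) // the Authorization header is computed from h as it is now
	if !metadataBeforeSign {
		h["amz-sdk-request"] = "attempt=2; max=3" // mutated after signing
	}
	return verify(h, sig) // false in the buggy order, true in the fixed order
}
```

Any header listed in SignedHeaders has to be final before the signer runs; a value changed afterwards, however small, produces exactly the InvalidSignatureException seen in the log.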
jasdel added a commit that referenced this issue Apr 21, 2020
…537)

Fixes the SDK's adding the request metadata headers in the wrong
location within the request handler stack. This created a situation
where a request that was retried would sign the new attempt using the
old value of the header. The header value would then be changed before
sending the request.

This moves the request invocation id to only occur during build,
maintaining its value across all request attempts. Also moves the request
retry metadata header to be before sign, and after build. This ensures
that a new value for each attempt can be set, and included in each
request attempt.

Fix #533
Fix #521
jasdel added a commit that referenced this issue Apr 21, 2020

Breaking Change
---
* `aws/endpoints`: Several functions and types have been removed
  * Removes `DecodeModel` and `DecodeModelOptions` from the package ([#509](#509))
  * Remove Region Constants, Partition Constants, and types used for exploring the endpoint data model ([#512](#512))
* `service/s3/s3crypto`: Package and associated encryption/decryption clients have been removed from the SDK ([#511](#511))
* `aws/external`: Removes several export constants and types ([#508](#508))
  * No longer exports AWS environment constants used by the external environment configuration loader
  * `DefaultSharedConfigProfile` is now defined as an exported constant
* `aws`: `ErrMissingRegion`, `ErrMissingEndpoint`, `ErrStaticCredentialsEmpty` are now concrete error types ([#510](#510))

Services
---
* Synced the V2 SDK with latest AWS service API definitions.

SDK Features
---
* `aws/signer/v4`: New methods `SignHTTP` and `PresignHTTP` have been added ([#519](#519))
  * `SignHTTP` replaces `Sign`, and usage of `Sign` should be migrated before its removal at a later date
  * `PresignHTTP` replaces `Presign`, and usage of `Presign` should be migrated before its removal at a later date
  * `DisableRequestBodyOverwrite` and `UnsignedPayload` are now deprecated options and have no effect on `SignHTTP` or `PresignHTTP`. These options will be removed at a later date.
* `aws/external`: Add Support for setting a default fallback region and resolving region from EC2 IMDS ([#523](#523))
  * `WithDefaultRegion` helper has been added which can be passed to `LoadDefaultAWSConfig`
    * This helper can be used to configure a default fallback region in the event a region fails to be resolved from other sources
  * Support has been added to resolve region using EC2 IMDS when available
    * The IMDS region will be used if a region is not found configured in either the shared config or the process environment.
  * Fixes [#244](#244)
  * Fixes [#515](#515)

SDK Enhancements
---
* `service/dynamodb/expression`: Add IsSet helper for ConditionBuilder and KeyConditionBuilder ([#494](#494))
  * Adds an IsSet helper for ConditionBuilder and KeyConditionBuilder to make it easier to determine if the condition builders have any conditions added to them.
  * Implements [#493](#493).
* `internal/ini`: Normalize Section keys to lowercase ([#495](#495))
  * Updates the SDK's ini utility to store all keys as lowercase. This brings the SDK in line with the AWS CLI's behavior.

SDK Bugs
---
* `internal/sdk`: Fix SDK's UUID utility to handle partial read ([#536](#536))
  * Fixes the SDK's UUID utility to correctly handle partial reads from its crypto rand source. This error was sometimes causing the SDK's InvocationID value to fail to be obtained, due to a partial read from crypto.Rand.
  * Fix [#534](#534)
* `aws/defaults`: Fix request metadata headers causing signature errors ([#536](#536))
  * Fixes the SDK's adding the request metadata headers in the wrong location within the request handler stack. This created a situation where a request that was retried would sign the new attempt using the old value of the header. The header value would then be changed before sending the request.
  * Fix [#533](#533)
  * Fix [#521](#521)
jasdel added a commit that referenced this issue Apr 22, 2020
jasdel commented Apr 22, 2020

We've released this fix as a tagged release, v0.21.0. You should be able to update to pull in these fixes and updates.
