-
Notifications
You must be signed in to change notification settings - Fork 597
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
InvalidSignatureException on retry after a call is throttled #533
Comments
It appears that the signature algorithm doesn't play well with the addition of the |
Thanks for creating this issue @anthonybgale I think the issue you are seeing is related to #521 like you mentioned. Something is modifying the request headers after the signature is getting created. Lets use #521 to track this issue. |
Fixes the SDK's adding the request metadata headers in the wrong location within the request handler stack. This created a situation where a request that was retried would sign the new attempt using the old value of the header. The header value would then be changed before sending the request. This moves the request invocation id to only occur during build, maintaining its value across all requests attempts. Also moves request retry metadata header to be before sign, and after build. This ensures that a new value for each attempt can be set, and included in each request attempt. Fix aws#533 Fix aws#521
Fixes the SDK's adding the request metadata headers in the wrong location within the request handler stack. This created a situation where a request that was retried would sign the new attempt using the old value of the header. The header value would then be changed before sending the request. This moves the request invocation id to only occur during build, maintaining its value across all requests attempts. Also moves request retry metadata header to be before sign, and after build. This ensures that a new value for each attempt can be set, and included in each request attempt. Fix aws#533 Fix aws#521
…537) Fixes the SDK's adding the request metadata headers in the wrong location within the request handler stack. This created a situation where a request that was retried would sign the new attempt using the old value of the header. The header value would then be changed before sending the request. This moves the request invocation id to only occur during build, maintaining its value across all requests attempts. Also moves request retry metadata header to be before sign, and after build. This ensures that a new value for each attempt can be set, and included in each request attempt. Fix #533 Fix #521
=== Breaking Change --- * `aws/endpoints`: Several functions and types have been removed * Removes `DecodeModel` and `DecodeModelOptions` from the package ([#509](#509)) * Remove Region Constants, Partition Constants, and types use for exploring the endpoint data model ([#512](#512)) * `service/s3/s3crypto`: Package and associated encryption/decryption clients have been removed from the SDK ([#511](#511)) * `aws/external`: Removes several export constants and types ([#508](#508)) * No longer exports AWS environment constants used by the external environment configuration loader * `DefaultSharedConfigProfile` is now defined an exported constant * `aws`: `ErrMissingRegion`, `ErrMissingEndpoint`, `ErrStaticCredentialsEmpty` are now concrete error types ([#510](#510)) Services --- * Synced the V2 SDK with latest AWS service API definitions. SDK Features --- * `aws/signer/v4`: New methods `SignHTTP` and `PresignHTTP` have been added ([#519](#519)) * `SignHTTP` replaces `Sign`, and usage of `Sign` should be migrated before it's removal at a later date * `PresignHTTP` replaces `Presign`, and usage of `Presign` should be migrated before it's removal at a later date * `DisableRequestBodyOverwrite` and `UnsignedPayload` are now deprecated options and have no effect on `SignHTTP` or `PresignHTTP`. These options will be removed at a later date. * `aws/external`: Add Support for setting a default fallback region and resolving region from EC2 IMDS ([#523](#523)) * `WithDefaultRegion` helper has been added which can be passed to `LoadDefaultAWSConfig` * This helper can be used to configure a default fallback region in the event a region fails to be resolved from other sources * Support has been added to resolve region using EC2 IMDS when available * The IMDS region will be used if region as not found configured in either the shared config or the process environment. * Fixes [#244](#244) * Fixes [#515](#515) SDK Enhancements --- * `service/dynamodb/expression`: Add IsSet helper for ConditionBuilder and KeyConditionBuilder ([#494](#494)) * Adds a IsSet helper for ConditionBuilder and KeyConditionBuilder to make it easier to determine if the condition builders have any conditions added to them. * Implements [#493](#493). * `internal/ini`: Normalize Section keys to lowercase ([#495](#495)) * Update's SDK's ini utility to store all keys as lowercase. This brings the SDK inline with the AWS CLI's behavior. SDK Bugs --- * `internal/sdk`: Fix SDK's UUID utility to handle partial read ([#536](#536)) * Fixes the SDK's UUID utility to correctly handle partial reads from its crypto rand source. This error was sometimes causing the SDK's InvocationID value to fail to be obtained, due to a partial read from crypto.Rand. * Fix [#534](#534) * `aws/defaults`: Fix request metadata headers causing signature errors ([#536](#536)) * Fixes the SDK's adding the request metadata headers in the wrong location within the request handler stack. This created a situation where a request that was retried would sign the new attempt using the old value of the header. The header value would then be changed before sending the request. * Fix [#533](#533) * Fix [#521](#521)
Breaking Change --- * `aws/endpoints`: Several functions and types have been removed * Removes `DecodeModel` and `DecodeModelOptions` from the package ([#509](#509)) * Remove Region Constants, Partition Constants, and types use for exploring the endpoint data model ([#512](#512)) * `service/s3/s3crypto`: Package and associated encryption/decryption clients have been removed from the SDK ([#511](#511)) * `aws/external`: Removes several export constants and types ([#508](#508)) * No longer exports AWS environment constants used by the external environment configuration loader * `DefaultSharedConfigProfile` is now defined an exported constant * `aws`: `ErrMissingRegion`, `ErrMissingEndpoint`, `ErrStaticCredentialsEmpty` are now concrete error types ([#510](#510)) Services --- * Synced the V2 SDK with latest AWS service API definitions. SDK Features --- * `aws/signer/v4`: New methods `SignHTTP` and `PresignHTTP` have been added ([#519](#519)) * `SignHTTP` replaces `Sign`, and usage of `Sign` should be migrated before it's removal at a later date * `PresignHTTP` replaces `Presign`, and usage of `Presign` should be migrated before it's removal at a later date * `DisableRequestBodyOverwrite` and `UnsignedPayload` are now deprecated options and have no effect on `SignHTTP` or `PresignHTTP`. These options will be removed at a later date. * `aws/external`: Add Support for setting a default fallback region and resolving region from EC2 IMDS ([#523](#523)) * `WithDefaultRegion` helper has been added which can be passed to `LoadDefaultAWSConfig` * This helper can be used to configure a default fallback region in the event a region fails to be resolved from other sources * Support has been added to resolve region using EC2 IMDS when available * The IMDS region will be used if region as not found configured in either the shared config or the process environment. * Fixes [#244](#244) * Fixes [#515](#515) SDK Enhancements --- * `service/dynamodb/expression`: Add IsSet helper for ConditionBuilder and KeyConditionBuilder ([#494](#494)) * Adds a IsSet helper for ConditionBuilder and KeyConditionBuilder to make it easier to determine if the condition builders have any conditions added to them. * Implements [#493](#493). * `internal/ini`: Normalize Section keys to lowercase ([#495](#495)) * Update's SDK's ini utility to store all keys as lowercase. This brings the SDK inline with the AWS CLI's behavior. SDK Bugs --- * `internal/sdk`: Fix SDK's UUID utility to handle partial read ([#536](#536)) * Fixes the SDK's UUID utility to correctly handle partial reads from its crypto rand source. This error was sometimes causing the SDK's InvocationID value to fail to be obtained, due to a partial read from crypto.Rand. * Fix [#534](#534) * `aws/defaults`: Fix request metadata headers causing signature errors ([#536](#536)) * Fixes the SDK's adding the request metadata headers in the wrong location within the request handler stack. This created a situation where a request that was retried would sign the new attempt using the old value of the header. The header value would then be changed before sending the request. * Fix [#533](#533) * Fix [#521](#521)
We've released this fix as a tagged released, v0.21.0. You should be able to update to pull in these fixes and updates. |
Confirm by changing [ ] to [x] below to ensure that it's a bug:
Describe the bug
Signatures don't appear to be valid for the retry of a throttled call (at least in macie:associateMemberAccount).
I had a case where I was consistently seeing an InvalidSignatureException error for the 52nd call in a loop after some minor maintenance and dependency upgrades. After debugging for a while I found that I consistently get the following output for the failed call using a log level of
aws.LogDebugWithHTTPBody
in my client config:You can see that retry does not appear to have a valid signature.
Version of AWS SDK for Go?
This seems to occur in all recent versions (tested 0.17.0 - 0.20.0)
Version of Go (
go version
)?1.14.1
To Reproduce (observed behavior)
I know this happens with macie:associateMemberAccount, not sure about other calls. To reproduce, make a call fast enough to get throttled. Observe the response from AWS when the call is retried.
Expected behavior
I expected the macie client to generate valid signatures for retries, as well as initial requests.
Additional context
This may be a duplicate of this issue.
The text was updated successfully, but these errors were encountered: