Skip to content

Cloudformation API calls using proxy fail with SignatureDoesNotMatch #1042

Open
lhole-kog opened this Issue Oct 10, 2012 · 1 comment

2 participants

@lhole-kog

I'm using Boto 2.6.0, Python 2.7.3 on Ubuntu 12.04 64bit.
When making calls to Cloudformation, I'm receiving a BotoServerError with a code of SignatureDoesNotMatch when I am behind a proxy. When not run from behind a proxy, this works fine. I'm specifying my aws_access_key_id and aws_secret_access_key as environment variables. I'm also specifying my proxy as the http_proxy environment variable.

Using methods from boto.ec2 works fine, as does not using a proxy (using the same code as below). As far as I can tell, all of the boto.cloudformation methods appear to exhibit this behaviour.

import boto.cloudformation
con = boto.cloudformation.connect_to_region("eu-west-1")
stacks = con.list_stacks()

BotoServerError                           Traceback (most recent call last)
<ipython-input-4-6cf69068d14c> in <module>()
----> 1 stacks = con.list_stacks()

/home/-/Virtualenv/cloud-demo-expiry-env/local/lib/python2.7/site-packages/boto/cloudformation/connection.pyc in list_stacks(self, stack_status_filters, next_token)
    348 
    349         return self.get_list('ListStacks', params,
--> 350                              [('member', StackSummary)])
    351 
    352     def validate_template(self, template_body=None, template_url=None):

/home/-/Virtualenv/cloud-demo-expiry-env/local/lib/python2.7/site-packages/boto/connection.pyc in get_list(self, action, params, markers, path, parent, verb)
    978             boto.log.error('%s %s' % (response.status, response.reason))
    979             boto.log.error('%s' % body)
--> 980             raise self.ResponseError(response.status, response.reason, body)
    981 
    982     def get_object(self, action, params, cls, path='/',

BotoServerError: BotoServerError: 403 Forbidden
<ErrorResponse xmlns="http://cloudformation.amazonaws.com/doc/2010-05-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'GET
/
Action=ListStacks&amp;Version=2010-05-15
host:cloudformation.eu-west-1.amazonaws.com
x-amz-date:20121010T161236Z

host;x-amz-date
################################################################'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20121010T161236Z
20121010/eu-west-1/cloudformation/aws4_request
################################################################'
</Message>
  </Error>
  <RequestId>########-####-####-####-############</RequestId>
</ErrorResponse>

IDs obscured with #.

@pschoepf
pschoepf commented Nov 8, 2012

Hi I had the same problem. Solved it by "hacking" the connection.py of package boto.cloudformation as follows:

class CloudFormationConnection(AWSQueryConnection):
....
def _required_auth_capability(self):
#return ['hmac-v4']
return ['cloudformation']

--> That works also with proxy. Looks like the hmac-4 auth is broken in that area.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.