Troubles with making PutBot request (Lex)

[ababkin]

Hi

I'm trying to make this request to create a Lex Bot:
https://github.com/brendanhay/amazonka/blob/develop/amazonka-lex-models/gen/Network/AWS/LexModels/PutBot.hs

but getting the following error:

Status {statusCode = 403, statusMessage = "Forbidden"}, _serializeBody = Just "<InvalidSignatureException>\n <Message>Credential should be scoped to correct service: 'lex'. </Message>\n</InvalidSignatureException>\n"

I've inspected my request headers and here is what they look like:

headers = host: models.lex.us-east-1.amazonaws.com; x-amz-date: 20180624T174923Z; x-amz-content-sha256: 0ed319b8a63f5873950a061bbf833b48f12cad27e50fe68825b02439b91ed527; x-amz-security-token: FQoDYXdzEHsaDC590zzReKmLA74WHSLoAXCiQBeQ5aRGQbG8DTR5GOHi8lTQ5w9zKcdaPb0up8n3/nqlrT85Hr9GQc1JJXE/ERXLwAF/bC3ZI0Rsec5IFe2Ek1P2bqFN7/0aOCwrBjWuMZIWGmB2fW3LDcjUI/ZtVGcH1qtHLrYgrE3fNRPy63rZD3HrJsPGIHuarnvULKvsOeHqxqp75NV/uHOz7tVG16Ss8Qkgd0jU7eKkwfkY7BI1oz6DCDh8+UK6rVqQBGcrOGC52XAHgq6s1ZR889OencvVUJYvAVo3G1NT8lx2EbYc+bQ6pZ4odI99DCiVhUqg0ezh+Hl09BUoorO/2QU=; content-type: application/x-amz-json-1.1; authorization: AWS4-HMAC-SHA256 Credential=ASIAIE7I6HEFK2QIE45Q/20180624/us-east-1/models.lex/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=fe3fd9dd9978c8bfdd50d14beadf51280eb01447f7780c8d3f25be3b6104b8fd

in particular:

authorization: AWS4-HMAC-SHA256 Credential=ASIAIE7I6HEFK2QIE45Q/20180624/us-east-1/models.lex/aws4_request

So it looks like the endpoint does not like being signed with models.lex in the Credential, but wants it to be lex instead.

I found models.lex in here:
https://github.com/brendanhay/amazonka/blob/develop/amazonka-lex-models/gen/Network/AWS/LexModels/Types.hs#L232
So it looks like this drives what is being put into the Credential. I've tried changing it to lex, but the trouble is that it also uses that for the host, so it ends up changing the host models.lex.us-east-1.amazonaws.com -> lex.us-east-1.amazonaws.com, which is no bueno since this host does not even exist.

ConnectionFailure Network.Socket.getAddrInfo (called with preferred socket type/protocol: AddrInfo {addrFlags = [AI_ADDRCONFIG], addrFamily = AF_UNSPEC, addrSocketType = Stream, addrProtocol = 6, addrAddress = <assumed to be undefined>, addrCanonName = <assumed to be undefined>}, host name: Just "lex.us-east-1.amazonaws.com", service name: Just "443"): does not exist (Name or service not known)

So, to summarize, it looks to me that we need to have lex in the Credential, but models.lex in the host.

I've tried to look into how other services do this that have a composite name, but they all use dash throughout (e.g.: waf-regional ) so I suspect it's a new naming scheme for AWS services?

Before I try to jump into implementation, can someone confirm?

Thanks

Update:

it looks like there are several services that do use dot . in their service prefix, but i guess the host and credential scope are consistent for those.

Update2:

I've managed to get the credential scope to change models.lex -> lex, but aws did not like it:

host: models.lex.us-east-1.amazonaws.com; 
x-amz-date: 20180624T200115Z; 
x-amz-content-sha256: 0ed319b8a63f5873950a061bbf833b48f12cad27e50fe68825b02439b91ed527; 
x-amz-security-token: FQoDYXdzEH0aDK9OVE6iuvcWywS91CLoAYkbyIFsEV8s+ndsBp7ATqxfUY/3jobC5FnWDkZFv3qcTIDGXwyNEjqIT8HdqYsIrz/5ahcN60YMRsnT3n/gHFUv4aLLLCUAyzQJG8oK/om6ssL8nFqVH+QP7dl62hN9/KoohWzEjeKCTOzGbjLuhd8wcPBZNG9JQXXNMA+Q+NR8vrCAJnhZs4HOs3fotShg+SgJ9+DtjWry9GZ164J/0loPLXliMOXdlREOk5AgLk8MfcRH3d4BO60SnmUaUKINedv5Y4kDKwvuDHlp3QTvfsdlm+lnVCEc5HkYbqqErxEPR/6jy/xo+RMoivG/2QU=; 
content-type: application/x-amz-json-1.1; 
authorization: AWS4-HMAC-SHA256 Credential=ASIAIBTLJEYV5IAWDW2Q/20180624/us-east-1/lex/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=e08e8b9c5517280ea0cab69b5c9526fec3895515b71c0ebc349170b15491ed14

gives me the error:

The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

Update3

found relevant SO question: https://stackoverflow.com/questions/48007039/invalidsignatureexception-credential-should-be-scoped-to-correct-service-lex#

[ababkin]

Update4

So what aws reported the first time was correct, it needs to have lex as credential scope.
To verify this I've created a bot with CLI and this is from it's logs:

PUT
/bots/testbotcli/versions/%24LATEST

host:models.lex.us-east-1.amazonaws.com
x-amz-date:20180624T204810Z

host;x-amz-date
7dfd9368b652a2dc9fdf0978e861ad05cd4bc333873756e93a96c01ae1aef3a9
2018-06-24 16:48:10,962 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20180624T204810Z
20180624/us-east-1/lex/aws4_request

the command I used was:

aws lex-models put-bot --name "testbotcli" --locale en-US --no-child-directed --debug

now I'm stumped as to why I got the signature error in Update2

this was the change I made btw: https://github.com/ababkin/amazonka/commit/731a47ba47e39bbf72519d979b319a86d44b1d88#diff-1a961fc94b869322fc4283ae0f48746bR223

[ababkin]

bump, any word on this? I could try fixing it myself but I'd appreciate some guidance on how to go about fixing it

[endgame]

I suspect #622 has fixed this, as on develop it says:

amazonka/amazonka-lex-models/gen/Network/AWS/LexModels/Types.hs

Line 413 in ffdbd4b

Core._serviceSigningName = "lex",

Can you please reopen if you don't get any joy?