GovCloud and other partition issues in v4-sign-http-request #105
Comments
Thanks for the repro and pointer to the problem spot. It's very helpful.
@bennyhahmeen I have a prototype solution. I was able to test it manually with every region except private regions (iso), China, and gov't regions. When attempting to test with a gov region, I get Would you be willing to test it? I'm assuming you have access to an account in a gov region. If that is correct, and you're willing to help out, please set your deps as listed below and try your example above.
{:deps {com.cognitect.aws/api {:git/url "https://github.com/cognitect-labs/aws-api.git"
                               :sha "81bf067dd032d70e435a10687ce99b91cdb58999"}
        com.cognitect.aws/endpoints {:mvn/version "1.1.11.670"}
        com.cognitect.aws/sts {:mvn/version "770.2.568.0"}}}
I do have valid credentials in the GovCloud partition and I was able to test using the deps provided. I can confirm that the fix does allow me to call STS GetCallerIdentity successfully. I also tested another API in GovCloud partition (Organizations) and it works successfully as well. Thank you! That was quick.
You're welcome! Your report pointed right at the problem and I just had to do a little bit of research to find a good path.
Addressed in ebeba57 (on master).
Fix released in 0.8.408
Dependencies
Description with failing test case
v4-sign-http-request does not work with alternate AWS partitions such as GovCloud (aws-us-gov). This is due to logic defaulting to using the us-east-1 region to sign requests on global endpoints.
I would not expect to see credentials scoped to us-east-1 in GovCloud. Global endpoints are only global per partition.
The request references the correct endpoint, but the request is signed with the wrong credential scope as shown in the authorization headers:
Problem Source
In v4-sign-http-request:
To make matters more complicated, global endpoints may only be global in certain regions. STS in GovCloud is not a global endpoint according to the docs, JavaScript SDK (clearest example of partition variations), and the Java SDK.
Failing test
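The credential-scope problem described in this issue, as an added example that is not part of the original issue and is not aws-api's own code: the region in the SigV4 credential scope feeds the signing-key derivation, so a GovCloud request signed with `us-east-1` carries a key the service will not reproduce. The `sample-endpoints` map, its values, the secret, and all function names are constructed for illustration.

```clojure
(ns sigv4-scope-example
  (:import (java.util Arrays)
           (javax.crypto Mac)
           (javax.crypto.spec SecretKeySpec)))

;; Constructed endpoint records (sample values, not read from a real
;; endpoints file). A "global" endpoint declares its own scope region,
;; and that region differs per partition.
(def sample-endpoints
  {["aws" "iam"]        {:hostname "iam.amazonaws.com"
                         :credential-scope {:region "us-east-1"}}
   ["aws-us-gov" "iam"] {:hostname "iam.us-gov.amazonaws.com"
                         :credential-scope {:region "us-gov-west-1"}}
   ;; Regional endpoint: no scope override, sign with the client region.
   ["aws-us-gov" "sts"] {:hostname "sts.us-gov-west-1.amazonaws.com"}})

(defn signing-region
  "Scope region declared by the endpoint, else the client's region.
  Never falls back to a hard-coded us-east-1."
  [endpoint client-region]
  (or (get-in endpoint [:credential-scope :region]) client-region))

(defn credential-scope [date region service]
  (str date "/" region "/" service "/aws4_request"))

(defn- hmac-sha256 ^bytes [^bytes k ^String data]
  (let [mac (Mac/getInstance "HmacSHA256")]
    (.init mac (SecretKeySpec. k "HmacSHA256"))
    (.doFinal mac (.getBytes data "UTF-8"))))

(defn signing-key
  "SigV4 key chain: secret -> date -> region -> service -> aws4_request."
  ^bytes [^String secret date region service]
  (-> (.getBytes (str "AWS4" secret) "UTF-8")
      (hmac-sha256 date)
      (hmac-sha256 region)
      (hmac-sha256 service)
      (hmac-sha256 "aws4_request")))

(let [date   "20200101"
      secret "CONSTRUCTED-EXAMPLE-SECRET"
      good   (signing-region (sample-endpoints ["aws-us-gov" "iam"]) "us-gov-east-1")
      bad    "us-east-1"] ; the hard-coded default the issue reports
  (println "partition-aware scope:" (credential-scope date good "iam"))
  (println "hard-coded scope:     " (credential-scope date bad "iam"))
  (println "STS (regional) region:" (signing-region (sample-endpoints ["aws-us-gov" "sts"]) "us-gov-west-1"))
  (println "signing keys equal?   " (Arrays/equals (signing-key secret date good "iam")
                                                    (signing-key secret date bad "iam"))))
```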