Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deprecate signature v2 and signature v3 authentication #83

Open
sleg-aws opened this issue Jan 21, 2021 · 18 comments
Open

Deprecate signature v2 and signature v3 authentication #83

sleg-aws opened this issue Jan 21, 2021 · 18 comments

Comments

@sleg-aws
Copy link

AWS SES is deprecating those 2 signing methods for authentication. The only method supported in the future will be signature v4.
@makrmark
Copy link

I'm getting this warning from AWS but I'm already running version 0.7.1 (the advice in email is to update to latest).

@sleg-aws
Copy link
Author

sleg-aws commented Mar 23, 2021
edited

The latest version doesn't have #82 merged, so as long as the code path you're taking in this lib is relying on sigv2, you'll get notifications from AWS.

@makrmark
Copy link

So, sorry, but when is #82 going to be merged for release?

@sleg-aws
Copy link
Author

you don't need #82 to use sigv4. #82 is making it the default, but you can already have sigv4 calls with current version of the lib by explicitly picking sigv4 by specifying :signature_version => 4 when creating AWS::SES::Base.new

@makrmark
Copy link

Okay great thanks for this advice. However when I implemented this I got an error:

[ActiveJob] [ActionMailer::DeliveryJob] [e917a956-2340-43e0-a51d-a6553fbe2323] Error performing ActionMailer::DeliveryJob (Job ID: e917a956-2340-43e0-a51d-a6553fbe2323) from Async(mailers) in 1515.03ms: AWS::SES::ResponseError (IncompleteSignature - Request must contain a signature that conforms to AWS standards):

My initializer:

Rails.application.reloader.to_prepare do
        ActionMailer::Base.add_delivery_method :ses, AWS::SES::Base,
          access_key_id: ENV['AMAZON_ACCESS_ID'],
          secret_access_key: ENV['AMAZON_SECRET_KEY'],
          signature_version: 4
end

When I remove signature_version: 4 everything works again.

@sleg-aws
Copy link
Author

sleg-aws commented Mar 30, 2021
edited

You're getting this error because something is off when AWS compares the signature computed server-side versus the signature computed in this lib. Try providing the region as well, it's used for sigv4 signature calculation (in 'sig_v4_auth_signature'. I don't know particularly know this lib or ruby, but I guess the sigv4 implementation may not be properly handling this, or something else (timestamp?).

@makrmark
Copy link

Sadly this is not working for me. I was anyway on the default domain for SES.
I tried a number of variations including the below (I added region: 'us-east-1' out of desperation).

Rails.application.reloader.to_prepare do
	ActionMailer::Base.add_delivery_method :ses, AWS::SES::Base,
	  access_key_id: ENV['AMAZON_ACCESS_ID'],
	  secret_access_key: ENV['AMAZON_SECRET_KEY'],
	  signature_version: 4,
	  region: 'us-east-1',
	  server: 'email.us-east-1.amazonaws.com',
	  message_id_domain: 'us-east-1.amazonses.com'
end

However I still get the error. Any idea why this is the case?

@gustianyuza
Copy link

I also get an error like this, has anyone solved this problem

@volonterx
Copy link

volonterx commented Mar 31, 2021
edited

@svmax provided solution for this in next issue:
#78
Worked for me.

Tried @svmax PR #79 - seems to work now without the error!
Hopefully the AWS warning emails will come to an end now.

For reference for other interested parties:

  • I've added signature_version 4 to the credentials:
 ActionMailer::Base.add_delivery_method :ses, AWS::SES::Base, secrets...ses_credentials.merge(signature_version: 4)

And referenced the fork as a Gem:

# TODO: https://github.com/drewblas/aws-ses/pull/79
gem "aws-ses", git: "https://github.com/zebitex/aws-ses.git", ref: "78-sigv4-problem"

Until version >= 0.7.2 will be released.

@makrmark
Copy link

Thanks @volonterx - looks like that is far more significant than just adding signature_version: 4 into the options. Before I go using it though when can we expect the formal release? The Amazon emails suggest previous versions are already deprecated and I'm "in breach" by not using V4.

Amazon Simple Email Service (SES) had extended support for Signature Version 3 to February 28th, 2021. To continue to use Amazon SES, you must migrate to Signature Version 4 which offers enhanced security for authentication and authorization of Amazon SES customers.

@volonterx
Copy link

volonterx commented Mar 31, 2021
edited

@makrmark, here #78 (comment) @dnalbach said that @drewblas has no activity on GitHub since November '20, so it highly likely that it will be never released.
Also he suggested to use official aws-sdk-rails gem. You can find examples of working with SES here:
https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/ses-example-send-email.html
And it uses signature v4 by default.

If as temporary solution you want to use "78-sigv4-problem" PR, make sure you provided :signature_version and :region in settings.

looks like that is far more significant than just adding signature_version: 4 into the options

Yeah, as I can see from #79 diff it has changes in structure and format of data that are not compatible with signature v3.

@makrmark
Copy link

makrmark commented Apr 1, 2021

Thanks @volonterx that's good advice - I updated to the official gem now and all appears fine. Will monitor for further messages from AWS :-)

@dorianmariecom
Copy link

thanks everyone, to summarize:

in Gemfile:

gem "aws-ses",
    github: "zebitex/aws-ses",
    branch: "78-sigv4-problem",
    require: "aws/ses"

in config/initializers/amazon_ses.rb:

Rails
  .application
  .reloader
  .to_prepare do
    ActionMailer::Base.add_delivery_method(
      :ses,
      AWS::SES::Base,
      access_key_id: ENV["AWS_ACCESS_KEY_ID"],
      secret_access_key: ENV["AWS_SECRET_ACCESS_KEY"],
      signature_version: 4,
      region: ENV["AWS_SES_REGION"]
    )
  end

(the to_prepare is for Zeitwerk)

@hartator
Copy link

hartator commented Apr 9, 2021

Even simpler:

gem "aws-ses", github: "sertangulveren/aws-ses", require: "aws/ses"

@sertangulveren's branch works directly by just defaulting to signature version 4.

Maybe @sertangulveren can fork the gem to something like gem "aws-ses-v4" if @drewblas is not responsive? I don't mind forking it if @sertangulveren doesn't want to. That's too bad to lose that work, it fits so nicely in Rails. ❤️

@ilyazub ilyazub mentioned this issue Apr 9, 2021
Open
@sertangulveren
Copy link

@hartator I published a version as you specified. It can be used as follows:

gem "aws-ses-v4", require: "aws/ses"

@drewblas can update the main repo later.

@ilyazub
Copy link

ilyazub commented Apr 12, 2021
edited

Switching to the official aws-sdk-rails fixed these errors (#78 (comment)). @dnalbach and @volonterx, thank you!

@frommelmak
Copy link

The gem aws-ses-v4 worked for me after uninstall the original aws-ses gem. Thanks @sertangulveren !

gem uninstall aws-ses
gem install aws-ses-v4

@johnnyshields
Copy link

You may want to check out https://github.com/tablecheck/mail-ses. It uses the official AWS SDK under the hood.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
10 participants
@johnnyshields @ilyazub @hartator @makrmark @volonterx @frommelmak @sertangulveren @gustianyuza @dorianmariecom @sleg-aws