Workload Identity Federation AWS SignatureDoesNotMatch error from Windows EC2 instance

[bojeil-google]

Customer using workload identity federation in an EC2 Windows instance is getting the following error on token exchange:

Error Message:
    raise exceptions.OAuthError(error_details, response_body)
google.auth.exceptions.OAuthError: ('Error code invalid_grant: Received invalid AWS 
response of type SignatureDoesNotMatch with error message: The request signature we
calculated does not match the signature you provided. Check your AWS Secret Access 
Key and signing method. Consult the service documentation for details.',
'{"error":"invalid_grant","error_description":"Received invalid AWS response of type 
SignatureDoesNotMatch with error message: The request signature we calculated does 
not match the signature you provided. Check your AWS Secret Access Key and signing 
method. Consult the service documentation for details."}')

Issue is here:

google-auth-library-python/google/auth/aws.py

Line 121 in 93482c6

canonical_uri=os.path.normpath(uri.path or "/"),

For Windows OS:

PS C:\Users\Administrator> python
Python 3.9.6 (tags/v3.9.6:db3ff76, Jun 28 2021, 15:26:21) [MSC v.1929 64 bit (AMD64)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>>
>>> import os
>>> os.path.normpath("/")
'\\'

For Linux OS:

[ec2-user@ip-*** ~]$ python3
Python 3.7.10 (default, Jun  3 2021, 00:02:01)
[GCC 7.3.1 20180712 (Red Hat 7.3.1-13)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.path.normpath('/')
'/'

Environment details

• OS: AWS Windows EC2 instance
• Python version: All supported
• pip version: N/A
• google-auth version: All versions that support workload identity federation