InvalidSignatureException: The request signature we calculated does not match the signature you provided. ...

[AndreMammes]

As the title says, we're getting this error when using iamlive, but only in proxy mode.

We're setting up AWS infrastructure via Terraform and the same code works just fine with iamlive in CSM mode.

I've noticed this error when working with DynamoDB resources, like tables. This simple configuration is enough to trigger it.

resource "aws_dynamodb_table" "dummy" {
  name = "dummy-iamlive-table"
  hash_key = "id"

  billing_mode = "PAY_PER_REQUEST"

  attribute {
    name = "id"
    type = "S"
  }
}

The complete error given by Terraform is:

Error: error creating DynamoDB Table: InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

If it helps, we're running:

• go version go1.16.3 linux/amd64
• aws-cli/2.1.15 Python/3.7.3 Linux/5.11.11-200.fc33.x86_64 exe/x86_64.fedora.33 prompt/off
• Terraform v0.14.8 + provider registry.terraform.io/hashicorp/aws v3.39.0

I've used this tutorial as well, hoping to isolate iamlive from my local environment: https://dev.to/unfor19/determining-aws-iam-policies-according-to-terraform-and-aws-cli-27md

Could anyone point us in the right direction ?
Is there something that I'm doing wrong ?

[iann0036]

Hi @AndreMammes,

I don't know of anything obvious. You may want to try running it in your local environment to see if it's an issue with the Docker setup (which I'm not yet fully across).

[AndreMammes]

Hi @iann0036 ,

Thanks for the suggestion.

I just configured a fresh Fedora 34 VM, installed go 1.16.3, terraform 0.15.3 and aws cli 2.2.3.

I did an aws configure and validated it with aws sts get-caller-identity. All working fine.

Then, in one terminal window, I prepared my environment:

export HTTP_PROXY=http://127.0.0.1:10080 HTTPS_PROXY=http://127.0.0.1:10080 AWS_CA_BUNDLE=/home/andrei/.iamlive/ca.pem

In the other started the proxy:
iamlive --set-ini --mode proxy

But, using the same dynamoDB configuration file as before, got the same error when calling terraform apply on it:

Error: error creating DynamoDB Table: InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

AWS CLI calls to create the table, with the exact same definition as the terraform code, work.

aws dynamodb create-table --table-name dummy-iamlive-table --attribute-definitions AttributeName=id,AttributeType=S --key-schema AttributeName=id,KeyType=HASH --region eu-west-1 --billing-mode PAY_PER_REQUEST

There must be a weird terraform behavior when interacting with dynamoDB resources, that is different from the others. Could it be related to the use of the CA certificate ?

Thanks for looking into this

[iann0036]

Hey @AndreMammes,

Appreciate the detailed help. I dived into this and found the culprit and discrepancy between Terraform and the AWS CLI behaviour.

In Terraform, the request being sent adds and Sigv4 signs the header Accept-Encoding: identity, which is something the AWS CLI does not do. This behaviour is due to a helper within the SDK that disables compression by setting this header. DynamoDB is the only service that has this configuration.

Additionally, the proxy library I'm using detects this header as a transport artifact and "helpfully" removes it. I have since removed this behaviour and tested that the DynamoDB request works within Terraform now.

Have a try with the latest release and let me know if that fixes your issue.

[AndreMammes]

I just fired up the VM and did a git pull and received the changes, then go install on it and updated the file in ~/go/bin.

Went back to my test Terraform configuration, ran a terraform apply but unfortunately the error is still there.

Did I miss a step ?

Thanks

[iann0036]

@AndreMammes,

Apologies, I screwed up the module vendoring. Try to git pull again now.

[AndreMammes]

No worries :)

$ go install
main.go:6:2: cannot find package "." in:
	/home/andrei/iamlive/vendor/github.com/iann0036/iamlive/iamlivecore

Does it install on your machine ?

[iann0036]

Looks like I screwed up my workspace altogether 😅

Try again now?

[AndreMammes]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

+1 very happy man :D

I'll run the entire infrastructure (plan, apply, destroy) through iamlive today and tomorrow and post any new findings :)

Thanks again for your efforts and fast response :) this project is a huge time saver ;)