Layer7 API Management

  • 1.  AWS S3 Working Example

    Posted Dec 05, 2019 11:42 AM
    Hi All,
    I'm struggling to get a working policy to write to an AWS S3 bucket from CA API GW 9.4 using the AWS solution kit.

    I've seen the online docs (AWS Assertion), but I can't get it to run without error. Can anyone supply a working example (or screenshots) of a policy that writes to an S3 bucket?

    The error I'm returned from AWS is "SignatureDoesNotMatch" and I know this is something to do with the signing of the headers but I can't work out what's not lined up.

    Any help appreciated.

    Thanks in advance.

    Chris


  • 2.  RE: AWS S3 Working Example

    Broadcom Employee
    Posted Dec 05, 2019 03:14 PM

    Chris,
    I don't have 1 at the moment. I have done it in the past. You can open a case with support if you like. It would be nice to get further details but I realize it may be difficult to provide.
    Though I don't have my 9.4 gateway at the moment with the AWS solution kit, I do have the 9.2 version (where it was a tactical assertion).

    This is what the working s3 looked like there.
    The base policy I used pulled a file via ssh2 assertion then put it up in AWS in my S3 bucket.


    But if you want to open a case and ask for me. Or provide a copy of your policy / configuration though that may be difficult in a public forum.
    Charlie.




  • 3.  RE: AWS S3 Working Example

    Posted Dec 06, 2019 03:02 AM
    Hi Charles,
    Thanks for the reply. I do have a case open and the details of my settings are on there. ID : 20117737. Trying posting on here because the clock is ticking.

    Looks like the old tactical assertion was significantly different to the later editions. In many ways it looks easier to use, but I guess more limited in usefulness.

    I know I'm very close to it working but am missing something, probably obvious.

    Kind Regards,

    Chris


  • 4.  RE: AWS S3 Working Example

    Broadcom Employee
    Posted Dec 06, 2019 01:23 PM
    I saw the case. I don't have a copy of your policy. I do have an old policy that did work with a similar configuration.
    aws s4 signer AND Route via https. 

    Will post the screenshots of s4 signer and route if it helps.

    x amz enc algo is AES256
    key is accesskey (base64 encoded)
    and md5 is generate security hash assertion of encodedkey

    The http route looks like, 

    I hope that helps in your endeavour; if not, let me know. Your content header has a different case (which may be of concern) and a different value. You didn't provide us your s4 signer content, so we don't know how that is configured; you can post it to the case if required. But I do recall this policy and configuration I am supplying working.

    Charlie.




  • 5.  RE: AWS S3 Working Example
    Best Answer

    Posted Dec 10, 2019 08:35 AM
    Charlie,

    Thanks for the response and your time. Your screen shots confirmed I wasn't going mad.

    Turns out the secret magic I was missing was "s3" needed to be lower case - I was using upper. As ever, it's easy when you know how!

    Kind regards,
    Chris
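
The case sensitivity described in this reply follows from how AWS Signature Version 4 derives its signing key: the service name is fed into an HMAC chain and also appears in the credential scope, so "S3" and "s3" give different signatures. The sketch below is an added example, not part of the original posts and not the gateway's own code; the secret, host and object path are constructed placeholders.

```python
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a body-less GET

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: date, region and service are hashed byte-for-byte."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_service = _hmac(_hmac(k_date, region), service)
    return _hmac(k_service, "aws4_request")

def sign_get(secret, host, path, amz_date, region, service):
    """Return (string_to_sign, hex_signature) for a GET with an empty body."""
    headers = {"host": host, "x-amz-content-sha256": EMPTY_SHA256,
               "x-amz-date": amz_date}
    names = sorted(headers)
    canonical = "\n".join([
        "GET", path, "",                                   # method, URI, query
        "".join(f"{n}:{headers[n]}\n" for n in names),     # canonical headers
        ";".join(names),                                   # signed headers
        EMPTY_SHA256,
    ])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical.encode("utf-8")).hexdigest(),
    ])
    key = signing_key(secret, amz_date[:8], region, service)
    return string_to_sign, _hmac(key, string_to_sign).hex()

# Constructed inputs: placeholder secret, host and object, not values from the thread.
ARGS = ("EXAMPLE-SECRET-KEY", "example-bucket.s3.us-east-1.amazonaws.com",
        "/object.jpg", "20200101T000000Z", "us-east-1")

def compare_service_case():
    """Sign the same request with service 's3' and 'S3'."""
    _, lower = sign_get(*ARGS, "s3")
    _, upper = sign_get(*ARGS, "S3")
    return lower, upper

if __name__ == "__main__":
    lower, upper = compare_service_case()
    print("s3:", lower)
    print("S3:", upper)
    print("match:", hmac.compare_digest(lower, upper))
```
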



  • 6.  RE: AWS S3 Working Example

    Posted Feb 05, 2020 04:14 PM
    I am facing issues with AWS4 signer. I raised the ticket but no help yet. The signature looks like it is not being generated properly.
    I am getting the below error:

    The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'GET\n/namespaces/edhtest/types/books/data\n\nhost:api-dev.edh.starwave.com\nx-amz-date:20200205T205621Z\n\nhost;x-amz-date\ne3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\n\nThe String-to-Sign should have been\n'AWS4-HMAC-SHA256\n20200205T205621Z\n20200205/us-west-2/execute-api/aws4_request\n7fdbbdc095a300d14a29b9a007bf5a30800e5c75a533d1b1886f26e5000ee5cc'\n"}"

    When I took the values from Postman and tested it works fine. Issue is with generating AWS4 signer values from API Gateway.

    Attached my aws4 signer. Any help would be appreciated. 
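
A SignatureDoesNotMatch body like the one quoted above echoes the canonical request and string-to-sign that AWS computed, which makes it possible to diff them line by line against what the signer built. The helper below is an added example, not part of the original post; the sample body, host and the locally built canonical request are constructed for illustration.

```python
import hashlib
import re

def extract_expected(error_body: str) -> dict:
    """Pull out the canonical request and string-to-sign that AWS echoes back."""
    text = error_body.replace("\\n", "\n")   # body is often still JSON-escaped
    found = {}
    for name, label in (("canonical", "Canonical String for this request"),
                        ("string_to_sign", "String-to-Sign")):
        m = re.search(re.escape(label) + r" should have been\n'(.*?)'(?=\n|$)",
                      text, re.S)
        if m is None:
            raise ValueError(f"{label} not found in error body")
        found[name] = m.group(1)
    return found

def hash_is_consistent(expected: dict) -> bool:
    """The string-to-sign must end with SHA-256(canonical request)."""
    digest = hashlib.sha256(expected["canonical"].encode("utf-8")).hexdigest()
    return expected["string_to_sign"].split("\n")[-1] == digest

def diff_lines(expected: str, local: str) -> list:
    """Return (line_no, expected_line, local_line) for every mismatching line."""
    exp, loc = expected.split("\n"), local.split("\n")
    width = max(len(exp), len(loc))
    exp += ["<missing>"] * (width - len(exp))
    loc += ["<missing>"] * (width - len(loc))
    return [(i + 1, e, l) for i, (e, l) in enumerate(zip(exp, loc)) if e != l]

# Constructed sample in the format of the error quoted above (placeholder host).
CANON = ("GET\n/Test.jpg\n\nhost:bucket.example\nx-amz-date:20200101T000000Z\n\n"
         "host;x-amz-date\n" + hashlib.sha256(b"").hexdigest())
STS = ("AWS4-HMAC-SHA256\n20200101T000000Z\n20200101/us-east-1/s3/aws4_request\n"
       + hashlib.sha256(CANON.encode("utf-8")).hexdigest())
SAMPLE_BODY = ("The Canonical String for this request should have been\n'" + CANON
               + "'\n\nThe String-to-Sign should have been\n'" + STS
               + "'\n").replace("\n", "\\n")
# Constructed local view: the signer listed an extra signed header.
LOCAL = CANON.replace("host;x-amz-date", "host;x-amz-content-sha256;x-amz-date")

if __name__ == "__main__":
    expected = extract_expected(SAMPLE_BODY)
    print("AWS hash consistent:", hash_is_consistent(expected))
    for line_no, want, got in diff_lines(expected["canonical"], LOCAL):
        print(f"line {line_no}: AWS expects {want!r}, signer built {got!r}")
```
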



  • 7.  RE: AWS S3 Working Example

    Posted Apr 21, 2020 03:20 PM
    Hi Charles

    I believe I am having similar issues because I cannot connect to an AWS bucket via CA API Gateway, but I can do so with Postman.

    I get this error:
    "The request signature we calculated does not match the signature you provided. Check your key and signing method."

    I was comparing what I get from the aws4Auth.allheadervalues with what postman calculates and realized the difference is always on the signature, even when I force the date to be the same in the AWS 4 Signer as it was in the postman request.

    My request in postman is:
    GET https://in-dummy-images.s3.us-east-1.amazonaws.com/Test.jpg
    AccessKey: ***
    SecretKey: ***
    AWS Region: us-east-1
    Service Name: s3

    Could you please tell me what values should I insert in the AWS 4 Signer assertion to comply with those I put in Postman?

    I tried the following:
    Endpoint: https://in-dummy-images.s3.us-east-1.amazonaws.com/Test.jpg

    Method: GET

    Resource/ObjectName: /in-dummy-images/Test.jpg

    Region: us-east-1

    Date: Use Current Date (I also tried to put the same date as a request I've made in postman in order to compare the signature in the format yyyymmddThhmmssZ)

    Payload Context Variable:

    Header(s):
    x-amz-content-sha256:required

    AWS Access Key ID:***
    AWS Secret Access Key: ***

    Authorization Output Variable Prefix: aws4Auth

    Thank you