I will show you my signing request.

https://ec2.eu-west-1.amazonaws.com?AWSAccessKeyId=THISISFAKEIDD
&Action=AuthorizeSecurityGroupIngress
&GroupId=sg-blahblah
&IpPermissions.1.FromPort=7264
&IpPermissions.1.IpProtocol=ani
&IpPermissions.1.IpRanges.1.CidrIp=272.64.292.200%2F32
&IpPermissions.1.ToPort=7264
&SignatureMethod=HmacSHA256
&SignatureVersion=2
&Timestamp=2014-06-10T05%3A25%3A10Z
&Version=2014-05-01
&Signature=FZgxzY0htCocacolaX4PXf0uJjnwmayhemDavkwCUw=

The signature was generated and this request was able to add my IP address (272.64.292.200) successfully to the security group (sg-blahblah). So that means this request is correct and there is no error in my code for generating the signature.

OK. Now when I try to add another IP address to the same group using the same signing request with a different IP address parameter and Timestamp, a new signature is generated. But I am not able to add it to the security group. "Signature Does not match. Calculated signature does not match" is shown.

Why is that so? I use UTC time. If my request was incorrect, how was I able to add the IP address in the first place? Or is it an error on the server side of EC2?

John Rotenstein
Smokey
  • Note that sometimes the signature has chars that need URL encoding. That can make some requests work, and some not. – BraveNewCurrency Jun 11 '14 at 05:47
  • Which chars should I encode??? I think I did url encoding. @BraveNewCurrency – Smokey Jun 11 '14 at 07:24
  • Your URL encoding is not right. It's encoding "/" and ":" in the query param (not needed). Sometimes the "=" at the end of the signature needs to be encoded (even though the standard says not). http://blog.lunatech.com/2009/02/03/what-every-web-developer-must-know-about-url-encoding – BraveNewCurrency Jun 18 '14 at 03:33

1 Answer

It looks like you did some urlencoding, but you missed one thing... the value for the signature.

&Signature=FZgxzY0htCocacolaX4PXf0uJjnwmayhemDavkwCUw=   (incorrect)
&Signature=FZgxzY0htCocacolaX4PXf0uJjnwmayhemDavkwCUw%3D (correct)

If you urlencode this value, that should be what you are missing. Having any of =+/ unencoded in the signature will break it.

Michael - sqlbot
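An added example, not part of the original question or answer: a Python sketch of Signature Version 2 query signing that shows why an unencoded signature fails only on some requests. The secret key, the parameter values and the use of `parse_qs` as a stand-in for the receiving side are assumptions; it demonstrates the `+` case, and percent-encoding the signature also covers `=` and `/`.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, quote

SECRET_KEY = b"EXAMPLE-SECRET-KEY"  # constructed, not a real credential
HOST = "ec2.eu-west-1.amazonaws.com"

def rfc3986(value):
    # Percent-encode everything except the RFC 3986 unreserved characters.
    return quote(value, safe="-_.~")

def canonical_query(params):
    # Signature Version 2: sort by parameter name, encode names and values.
    return "&".join(f"{rfc3986(k)}={rfc3986(v)}" for k, v in sorted(params.items()))

def sign_v2(params, method="GET", path="/"):
    string_to_sign = "\n".join([method, HOST, path, canonical_query(params)])
    mac = hmac.new(SECRET_KEY, string_to_sign.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def query_string(params, encode_signature):
    sig = sign_v2(params)
    return canonical_query(params) + "&Signature=" + (rfc3986(sig) if encode_signature else sig)

def received_signature(query):
    # Stand-in for the receiving side: form decoding turns a raw '+' into a space.
    return parse_qs(query)["Signature"][0]

def sample_params(second):
    # Constructed request; only the Timestamp differs between calls.
    return {
        "AWSAccessKeyId": "AKIDEXAMPLE",
        "Action": "AuthorizeSecurityGroupIngress",
        "GroupId": "sg-example", "Version": "2014-05-01",
        "IpPermissions.1.FromPort": "7264", "IpPermissions.1.ToPort": "7264",
        "IpPermissions.1.IpProtocol": "tcp",
        "IpPermissions.1.IpRanges.1.CidrIp": "203.0.113.10/32",
        "SignatureMethod": "HmacSHA256", "SignatureVersion": "2",
        "Timestamp": f"2014-06-10T05:25:{second:02d}Z",
    }

def survey(seconds=range(60)):
    # Count signatures that arrive altered: (sent raw, sent percent-encoded).
    raw = enc = 0
    for p in map(sample_params, seconds):
        raw += received_signature(query_string(p, False)) != sign_v2(p)
        enc += received_signature(query_string(p, True)) != sign_v2(p)
    return raw, enc

if __name__ == "__main__":
    print("altered signatures (raw, encoded):", survey())
```

Only the timestamp changes between the sixty sample requests, yet some raw signatures arrive altered and others do not, while the percent-encoded ones always arrive intact.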