0

I am using the CreatePolicy API to create a policy with specific permissions. Initially I passed JSON as the value of the query string parameter "PolicyDocument", but the request failed with code 400 Bad Request. While testing through Postman I found that we have to URL-encode the given policy document. This solution worked fine in Postman but not in my HTTP client. Error - "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details". The code is working fine for all other APIs, even for an IAM GET request, but it fails when the policy doc is sent as a query string or as a body. Possibly there is something wrong in calculating the signature for the IAM API with a URL-encoded policy doc. Ref - https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html

  1. Tried passing the policy doc as a request body, with the header "Content-Type: application/x-www-form-urlencoded" (the body is JSON converted to a string).
  2. Tried passing the policy doc as a URL-encoded query parameter.

Note - Both of these methods worked fine when tested through Postman.

  • Can you get it to work based on the sample request [here](https://docs.aws.amazon.com/IAM/latest/APIReference/API_CreatePolicy.html)? – jarmod Jan 03 '23 at 17:45
  • No. If I use this same format, the request fails in both Postman and our client with a 400 code. But if I URL-encode that policy document then it works in Postman, as Postman automatically creates the AWS signature. But I don't know why it's failing on my client (Note - all other requests are working correctly) – Sumit Patil Jan 03 '23 at 17:52
  • Ex. POST /?Action=CreatePolicy&PolicyName=my-policy-59&PolicyDocument=%7B%22Version%22%3A%222012%2D10%2D17%22%2C%22Statemen......... – Sumit Patil Jan 03 '23 at 17:57
  • Auth header : AWS4-HMAC-SHA256 Credential=/20230103/us-east-1/iam/aws4_request, SignedHeaders=host;;x-amz-date, Signature=.........2372ad0.......... – Sumit Patil Jan 03 '23 at 17:58

1 Answer

0

I solved that error -

  1. Transfer all your IAM API calls to the 'us-east-1' region. Not sure why it is that way, but no other region works for IAM API calls except us-east-1.
  2. If you are providing a request body, then the best way is to URL-encode that body and pass the request header "Content-Type: application/x-www-form-urlencoded".
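
Added example, not part of the original question or answer: a minimal Python SigV4 signer for the form-encoded CreatePolicy POST the answer describes, with the credential scope fixed to `us-east-1`/`iam`. The function names and the credentials in the demo are constructed placeholders; `iam.amazonaws.com` and API version `2010-05-08` are the standard IAM values and are assumed here.

```python
import hashlib, hmac, json
from urllib.parse import quote

HOST, REGION, SERVICE = "iam.amazonaws.com", "us-east-1", "iam"

def rfc3986(value):
    # SigV4 encoding: only A-Z a-z 0-9 - _ . ~ stay literal; space is %20, never "+"
    return quote(value, safe="")

def form_encode(params):
    # Sorted name=value pairs, the same rules SigV4 applies to a canonical query string
    return "&".join(f"{rfc3986(k)}={rfc3986(v)}" for k, v in sorted(params.items()))

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_create_policy(access_key, secret_key, name, document, amz_date):
    """Return (body, headers) for a signed POST /. amz_date is YYYYMMDDTHHMMSSZ."""
    body = form_encode({"Action": "CreatePolicy", "Version": "2010-05-08",
                        "PolicyName": name, "PolicyDocument": json.dumps(document)})
    headers = {"content-type": "application/x-www-form-urlencoded",
               "host": HOST, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # The payload hash must cover the exact bytes that go on the wire
    payload_hash = hashlib.sha256(body.encode()).hexdigest()
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed, payload_hash])
    date = amz_date[:8]
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (date, REGION, SERVICE, "aws4_request"):  # signing-key derivation chain
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return body, headers

if __name__ == "__main__":
    # Constructed placeholder credentials and policy, for illustration only
    doc = {"Version": "2012-10-17", "Statement": []}
    body, headers = sign_create_policy("AKIDEXAMPLE", "constructed-secret",
                                       "my-policy", doc, "20230103T175200Z")
    print(body, headers["authorization"], sep="\n")
```

Send `body` byte-for-byte as returned; if the HTTP client re-encodes it or adds a signed header after signing, the service computes a different signature.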