
I want to get temporary credentials from the AWS STS service, but no matter what I try I keep getting this error:

<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message>
  </Error>
  <RequestId>661e2bc1-d3cf-4383-9227-5db05a0fb4e3</RequestId>
</ErrorResponse>

I'm 100% sure that my credentials are correct. I even tried it in Postman and it works, but what am I doing wrong? This is the code I have:

import * as aws4 from 'aws4'

async getStsCredentials() {
    
  const awsCredentials = {
    accessKeyId: 'xxx',
    secretAccessKey: 'xxx',
    region: 'us-east-1', 
  };
  
  const params = {
    RoleArn: 'xxx', 
    RoleSessionName: 'test', 
    DurationSeconds: 3600, 
  };
  
  const endpoint = `https://sts.${awsCredentials.region}.amazonaws.com/?Version=2011-06-15&Action=AssumeRole&RoleSessionName=${params.RoleSessionName}&RoleArn=${encodeURIComponent(params.RoleArn)}&DurationSeconds=${params.DurationSeconds}`;
  
  const signedRequest = aws4.sign(
    {
      service: 'sts',
      region: awsCredentials.region,
      method: 'GET',
      host: `sts.${awsCredentials.region}.amazonaws.com`,
      path: endpoint,
    },
    awsCredentials
  );
  
  // Send the request
  fetch(endpoint, {
    headers: {
      'Authorization': signedRequest.headers.Authorization as string,
      'x-amz-date': signedRequest.headers['X-Amz-Date'] as string
    }
  })
    .then((response) => response.text())
    .then((result) => console.log(result))
    .catch((error) => console.log('error', error));
}
Horuge

1 Answer


If you incorrectly calculated the canonical request or the string to sign, the signature verification step performed by the service fails with the error message you are seeing.
The error response includes the canonical request and the string to sign that the service calculated. You can compare these strings with the strings that you calculated.
You can also verify that you didn't send the request through a proxy that modifies the headers or the request.

Piyush Mattoo
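The comparison the answer describes, as an added example (not code from the question, the answer or the aws4 library): it builds the SigV4 canonical request and string to sign for the question's query-string GET using Node's `crypto` module, then reports the first line on which a client-side canonical request differs from the expected one. The secret, role ARN, timestamp and the mistaken full-URL path are constructed for illustration.

```javascript
const crypto = require('crypto');

const sha256Hex = (s) => crypto.createHash('sha256').update(s, 'utf8').digest('hex');
const hmac = (key, s) => crypto.createHmac('sha256', key).update(s, 'utf8').digest();
// SigV4 wants RFC 3986 encoding; encodeURIComponent leaves !'()* unescaped.
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Canonical request for a GET signed over host and x-amz-date only; uri is the path alone.
function canonicalRequest({ uri, query, host, amzDate }) {
  const canonicalQuery = Object.keys(query)
    .map((k) => [enc(k), enc(String(query[k]))])
    .sort((a, b) => (a[0] < b[0] ? -1 : a[0] > b[0] ? 1 : 0))
    .map(([k, v]) => `${k}=${v}`).join('&');
  const headers = `host:${host}\nx-amz-date:${amzDate}\n`; // each header ends in \n
  return ['GET', uri, canonicalQuery, headers, 'host;x-amz-date', sha256Hex('')].join('\n');
}

function stringToSign(creq, { amzDate, region, service }) {
  const scope = `${amzDate.slice(0, 8)}/${region}/${service}/aws4_request`;
  return ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(creq)].join('\n');
}
function signature(secret, sts, { amzDate, region, service }) {
  const kDate = hmac('AWS4' + secret, amzDate.slice(0, 8));
  const kSigning = hmac(hmac(hmac(kDate, region), service), 'aws4_request');
  return hmac(kSigning, sts).toString('hex');
}

// First line on which two canonical requests differ, or null if identical.
function firstDiff(client, service) {
  const a = client.split('\n'), b = service.split('\n');
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] !== b[i]) return { line: i + 1, client: a[i], service: b[i] };
  }
  return null;
}

// Constructed inputs: placeholder secret, role ARN and timestamp.
function demo() {
  const ctx = { amzDate: '20240101T000000Z', region: 'us-east-1', service: 'sts' };
  const host = 'sts.us-east-1.amazonaws.com';
  const query = { Version: '2011-06-15', Action: 'AssumeRole', RoleSessionName: 'test',
    RoleArn: 'arn:aws:iam::123456789012:role/example', DurationSeconds: 3600 };
  const expected = canonicalRequest({ uri: '/', query, host, amzDate: ctx.amzDate });
  // Hypothetical client mistake: the whole URL used where only the path belongs.
  const client = canonicalRequest({ uri: `https://${host}/`, query, host, amzDate: ctx.amzDate });
  const sig = (c) => signature('EXAMPLE-SECRET', stringToSign(c, ctx), ctx);
  return { diff: firstDiff(client, expected), signaturesMatch: sig(client) === sig(expected) };
}
console.log(demo());
```

A difference on any single line of the canonical request changes its hash in the string to sign, so the two signatures cannot match.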