Athena failing on Babashka with InvalidSignatureException #8
Comments
|
Verified that the same error occurs with JVM Clojure. |
|
I found the issue. Athena is expecting a canonical string like this: and we're generating a canonical string like this: The only difference is that our canonical string is missing the port in the whilst we have: I'll keep digging to see if I can understand why. |
|
I've been getting this error message when using lambda get-function-configuration. digging deeper, it's only for lambda versions that have snapstart enabled i.e. the snapstart feature has only been a part of the aws api for 6 months or so. I wonder if awyeah is out of sync with the latest aws api? could that cause Invalid signature exceptions across different apis? I updated to latest commit: fb9bd3d I also updated all the aws deps to the latest versions but same error. That exhausts everything I can think of. Happy to help build a test case if it's useful since I have an operation that works from aws CLI but not using this lib. Just need some direction on how to proceed. |
|
I finally have some time to look into this more. @stevebuik thanks for your repro report. I'll try to get things working for Athena, and hopefully that will fix your issue as well. I'll ping you once I either have something or get completely stuck. 😅 |
|
I've updated awyeah-api to catch up to aws-api cognitect-labs/aws-api@5900e35 Let me know if the issue you're seeing persists. |
|
Still failing for me, tragically. I'll keep digging. |
|
this update has fixed the exception I was getting using the Lambda api. thanks @jmglov I enjoyed reading your blog post. seems like you will need to dig deep to solve this one |
|
@stevebuik Glad to hear the updates fixed the issue. |
|
the problem was similar to Josh'. when calling :GetFunctionConfiguration I needed to append a :Version onto the end of the fn name in the args. This :Version suffix is a newer feature and broke the request signature when used with the earlier lib. Josh' blog post describes a similar thing where the Athena request has a slightly different shape. |
|
I suspect the issue with host and port is related to how java.net.http.HttpClient handles host headers (https://github.com/grzm/awyeah-api/blob/main/docs/porting-decisions.markdown#javanethttphttpclient-java-11-java-12-java-17) and how that impacts signing. |
|
On further investigation, appending the port number to the Open questions:
I'd like the fix to ensure there's no implicit coupling between the com.grzm.awyeah.http-client implementation (which handles the |
|
Well, it looks like by default the HttpClient sends only an authority header, not a host header. Assuming the logs are telling the tale, the AWS service is likely taking the For those playing along at home, I set |
|
@jmglov Try HEAD. (I haven't tagged or updated the README yet): com.grzm/awyeah-api {:git/url "https://github.com/grzm/awyeah-api"
:git/sha "e5513349a2fd8a980a62bbe0d45a0d55bfcea141"}Some AWS services (including athena) support HTTP/2, which uses the The alternative of selectively appending port to the host header of some services seems brittle: likely HTTP/2 support in AWS services is a moving target. |
|
@grzm Sorry for the long delay. 😬 I tested it and it worked! 🎉 (ns athena
(:require [com.grzm.awyeah.client.api :as aws]))
(comment
(def athena (aws/client {:api :athena, :region "eu-west-1"}))
;; => #'athena/athena
(aws/invoke athena {:op :ListWorkGroups
:request {}})
;; => {:WorkGroups
;; [{:Name "primary",
;; :State "ENABLED",
;; :Description "",
;; :CreationTime #inst "2023-06-04T11:35:15.000-00:00",
;; :EngineVersion
;; {:SelectedEngineVersion "AUTO",
;; :EffectiveEngineVersion "Athena engine version 3"}}]}
) |
|
Thanks for confirming! Tagged and README updated. Thanks for the detailed report. The example was particularly helpful. |
|
Sure thing! Thanks for fixing it! 🙂 |
All requests to the Athena service seem to be failing with
InvalidSignatureException. I'm using babashka v1.3.176 with abb.ednlike this:{:deps {com.cognitect.aws/endpoints {:mvn/version "1.1.12.478"} com.cognitect.aws/athena {:mvn/version "847.2.1387.0"} com.grzm/awyeah-api {:git/url "https://github.com/grzm/awyeah-api" :git/sha "9257dc0159640e46803d69210cae838d411f1789" :git/tag "v0.8.41"} org.babashka/spec.alpha {:git/url "https://github.com/babashka/spec.alpha" :git/sha "8df0712896f596680da7a32ae44bb000b7e45e68"}}}And am doing the following:
This fails with:
{:__type "InvalidSignatureException" :message "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'POST\n/\n\naccept:application/json\ncontent-type:application/x-amz-json-1.1\nhost:athena.eu-west-1.amazonaws.com:443\nx-amz-date:20230604T113541Z\nx-amz-target:AmazonAthena.ListWorkGroups\n\naccept;content-type;host;x-amz-date;x-amz-target\n44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a'\n\nThe String-to-Sign should have been\n'AWS4-HMAC-SHA256\n20230604T113541Z\n20230604/eu-west-1/athena/aws4_request\na5ac7285ef28a4e83ce6bc8e1cc54820c55454e35dee67910b8d9607ca64d35e'\n" :cognitect.anomalies/category :cognitect.anomalies/incorrect}I've tried various other Athena API calls, and they all fail with the same error. I've verified this works with the Cognitect client, using a
deps.ednlike this:{:deps {com.cognitect.aws/api {:mvn/version "0.8.603"} com.cognitect.aws/endpoints {:mvn/version "1.1.12.478"} com.cognitect.aws/athena {:mvn/version "847.2.1387.0"}}}I tried testing awyeah-api on JVM Clojure, but ran into #7 😭
The text was updated successfully, but these errors were encountered: