Pre-signed URL using Aws\Signature\SignatureV4 and temp Cognito credentials fails with 403 #2247

Open
CoDanny opened this issue May 16, 2021 · 4 comments
Labels: bug (This issue is a bug.), p2 (This is a standard priority issue)

Comments


CoDanny commented May 16, 2021


Describe the bug
When using the class Aws\Signature\SignatureV4 to pre-sign an IoT Core websocket connection or GET shadow request, the request fails with 403 (The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.).

This only happens when using Cognito Identity temporary credentials. Permanent IAM credentials work.

This is due to the following lines

```php
if ($token = $credentials->getSecurityToken()) {
    $parsedRequest['headers']['X-Amz-Security-Token'] = [$token];
}
```
which are trying to add the security token header to the pre-signed request. The server seems to want this header added at the end of the pre-sign process. It shouldn't be part of the signature.

Version of AWS SDK for PHP?
Example: v3.178.11


Version of PHP (php -v)?
php 5.6

To Reproduce (observed behavior)
Obtain STS Credentials from a Cognito Identity and use them to generate a websocket connection URL for IoT Core. I have also tried by making a https GET shadow request. Then use that url in javascript with mqtt.js to connect to IoT Core.

Expected behavior
The connection succeeds

@CoDanny CoDanny added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels May 16, 2021
@CoDanny CoDanny changed the title Pre-sign URL using Aws\Signature\SignatureV4 and temp Cognito credentials fails with 403 Pre-signed URL using Aws\Signature\SignatureV4 and temp Cognito credentials fails with 403 May 16, 2021
@ajredniwja ajredniwja self-assigned this Jul 8, 2021
ajredniwja (Member) commented

Hi @CoDanny, sorry for the delayed response, is this still a persisting issue? I can see here that the security-token header is marked optional so I'm not sure if that's what is causing this. I'll discuss it with the team for some more insight.


CoDanny commented Apr 12, 2022

@ajredniwja looking in the code for the SignatureV4 class in the latest released version, it appears that the problem is still there. I ended up re-implementing the class in my code to fix this issue.

stobrien89 (Member) commented

Hi @CoDanny,

Apologies for the delayed response here. In order to determine whether or not this is a bug, I'd need to see how you're generating the presigned url.

Presigned URLs are only officially supported by a few services, so in this case it might be better that you've reimplemented the class; it's possible you're trying to do something that the SDK doesn't officially support.

@stobrien89 stobrien89 added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Mar 22, 2023

CoDanny commented Mar 22, 2023

Here's my code snippet:

```php
use Aws\Credentials\Credentials;
use GuzzleHttp\Psr7\Request;

// Temporary credentials obtained from Cognito Identity: access key, secret, session token, expiry
$credentials = new Credentials($idCredentials->accessKey, $idCredentials->secretKey, $idCredentials->sessionToken, $idCredentials->expiration);
// MQTT-over-WebSocket endpoint of the IoT Core data plane
$request = new Request("GET", "wss://" . $iotConfig->iotEndpoint . "/mqtt");
// SignatureV4ForIotCore is the author's own subclass of Aws\Signature\SignatureV4 (see below)
$signer = new SignatureV4ForIotCore('iotdevicegateway', $this->config->aws->region);
$signed = $signer->presign($request, $credentials, "+5 seconds");
```

I then return the signed url

```php
'connection_url' => (string) $signed->getUri()
```

SignatureV4ForIotCore is a class that extends from SignatureV4 with my fixes.

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Mar 23, 2023
@yenfryherrerafeliz yenfryherrerafeliz added the p2 This is a standard priority issue label Mar 30, 2023
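The following is an added example, written for this page in Python; it is not code from the AWS SDK for PHP and not the author's SignatureV4ForIotCore class. It reproduces the presign call from the snippet above (GET on `wss://<endpoint>/mqtt`, service `iotdevicegateway`, only the `host` header signed) and shows the two placements of the session token that the original report is about: `presign_iot_websocket` appends `X-Amz-Security-Token` to the URL after the signature has been computed, so the token is not part of the canonical request; `presign_with_token_in_canonical_query` puts the token into the canonical query string before signing, which is the placement used for presigned S3 URLs and the one a `X-Amz-Security-Token` header moved into the query at presign time ends up with. `verify_as_iot_service` is an assumed, simplified model of a service that validates the signature without the token; it is not AWS's implementation, and it exists to show why the two placements produce a signature mismatch. The endpoint, region, access key, secret, session token and fixed timestamp are constructed placeholders.

```python
"""SigV4 query presigning for an IoT Core MQTT-over-WebSocket URL (added example)."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed placeholder values: not a real endpoint and not real credentials.
IOT_ENDPOINT = "a1b2c3d4e5f6g7-ats.iot.us-east-1.amazonaws.com"
REGION = "us-east-1"
SERVICE = "iotdevicegateway"
ACCESS_KEY = "ASIAEXAMPLEACCESSKEY"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SESSION_TOKEN = "FwoGZXIvYXdzEXAMPLE-session-token-EXAMPLE=="
FIXED_TIME = dt.datetime(2021, 5, 16, 12, 0, 0, tzinfo=dt.timezone.utc)
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()


def _sigv4_quote(value: str) -> str:
    # SigV4 percent-encodes everything except the unreserved set, including "/".
    return quote(value, safe="-_.~")


def _signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    k_date = hmac.new(("AWS4" + secret).encode(), date_stamp.encode(), hashlib.sha256).digest()
    k_region = hmac.new(k_date, region.encode(), hashlib.sha256).digest()
    k_service = hmac.new(k_region, service.encode(), hashlib.sha256).digest()
    return hmac.new(k_service, b"aws4_request", hashlib.sha256).digest()


def _presign(host, path, region, service, access_key, secret_key, now, expires, extra_query=None):
    """Build the canonical request (GET, host header only, empty payload) and sign it."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    params.update(extra_query or {})
    # Canonical query string: keys sorted, keys and values SigV4-encoded.
    canonical_query = "&".join(f"{_sigv4_quote(k)}={_sigv4_quote(v)}" for k, v in sorted(params.items()))
    canonical_request = "\n".join(["GET", path, canonical_query, f"host:{host}\n", "host", EMPTY_PAYLOAD_SHA256])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return canonical_request, f"{canonical_query}&X-Amz-Signature={signature}", signature


def presign_iot_websocket(session_token=None, now=FIXED_TIME, expires=300):
    """Token appended after signing: the signature does not depend on it."""
    canonical_request, query, signature = _presign(
        IOT_ENDPOINT, "/mqtt", REGION, SERVICE, ACCESS_KEY, SECRET_KEY, now, expires)
    url = f"wss://{IOT_ENDPOINT}/mqtt?{query}"
    if session_token:
        url += "&X-Amz-Security-Token=" + _sigv4_quote(session_token)
    return {"url": url, "signature": signature, "canonical_request": canonical_request}


def presign_with_token_in_canonical_query(session_token, now=FIXED_TIME, expires=300):
    """Token inside the canonical query (S3-style presigned URL): the signature covers it."""
    canonical_request, query, signature = _presign(
        IOT_ENDPOINT, "/mqtt", REGION, SERVICE, ACCESS_KEY, SECRET_KEY, now, expires,
        extra_query={"X-Amz-Security-Token": session_token})
    return {"url": f"wss://{IOT_ENDPOINT}/mqtt?{query}", "signature": signature,
            "canonical_request": canonical_request}


def verify_as_iot_service(url: str) -> bool:
    """Assumed model of the service side: recompute the signature from the URL with the
    token excluded from the canonical query and compare. Not AWS's implementation."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature")
    params.pop("X-Amz-Security-Token", None)  # token is presented, not signed
    now = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    access_key = params["X-Amz-Credential"].split("/")[0]
    _, _, expected = _presign(parts.hostname, parts.path, REGION, SERVICE, access_key,
                              SECRET_KEY, now, int(params["X-Amz-Expires"]))
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    print(presign_iot_websocket(SESSION_TOKEN)["url"])
```

Under the model in `verify_as_iot_service`, the URL from `presign_iot_websocket` validates and the one from `presign_with_token_in_canonical_query` does not, which is the "signature we calculated does not match" mismatch from the report: the client signed over a query parameter the service did not include when it recomputed. Which placement a given service expects is defined by that service, so check its signing documentation rather than assuming the S3 behaviour carries over.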