Pre-signed URL using Aws\Signature\SignatureV4 and temp Cognito credentials fails with 403 #2247
Comments
@ajredniwja looking in the code for the SignatureV4 class in the latest released version, it appears that the problem is still there. I ended up re-implementing the class in my code to fix this issue.
Hi @CoDanny, Apologies for the delayed response here. In order to determine whether or not this is a bug, I'd need to see how you're generating the presigned url. Presigned urls are only officially supported by a few services, so in this case it might be better that you've reimplemented the class— it's possible you're trying to do something that the SDK doesn't officially support.
Here's my code snippet:

```php
$credentials = new Credentials($idCredentials->accessKey, $idCredentials->secretKey, $idCredentials->sessionToken, $idCredentials->expiration);
$request = new Request("GET", "wss://". $iotConfig->iotEndpoint ."/mqtt");
$signer = new SignatureV4ForIotCore('iotdevicegateway', $this->config->aws->region);
$signed = $signer->presign($request, $credentials, "+5 seconds");
```

I then return the signed url

```php
'connection_url' => (string) $signed->getUri()
```
Confirm by changing [ ] to [x] below to ensure that it's a bug:
Describe the bug
When using the class `Aws\Signature\SignatureV4` to pre-sign an IoT Core websocket connection or GET shadow request, the request fails with 403 (The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.). This only happens when using Cognito Identity temporary credentials. Permanent IAM credentials work.
This is due to the following lines
aws-sdk-php/src/Signature/SignatureV4.php
Lines 265 to 267 in d7ad80a
Version of AWS SDK for PHP?
Example: v3.178.11
`Aws\Sdk::VERSION` in your code, `composer show -i`
Version of PHP (`php -v`)?
php 5.6
To Reproduce (observed behavior)
Obtain STS Credentials from a Cognito Identity and use them to generate a websocket connection URL for IoT Core. I have also tried by making a https GET shadow request. Then use that url in javascript with mqtt.js to connect to IoT Core.
Expected behavior
The connection succeeds
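
Added example, not code from this issue or from the SDK: a standalone, PHP 5.6-compatible SigV4 presigner for the IoT Core WebSocket URL described above. It assumes that IoT Core expects the session token to be left out of the signed query string and appended as `X-Amz-Security-Token` after the signature is computed (the SDK lines the issue points to are not shown on this page); the function name, endpoint and credential values are hypothetical placeholders.

```php
<?php
// Added example, not SDK code. Assumption: the session token is NOT part of the
// signed query string and is appended only after the signature is computed.
// presignIotWebsocketUrl() is a hypothetical helper name.
function presignIotWebsocketUrl($host, $region, $accessKey, $secretKey, $sessionToken = null, $expires = 5, $now = null)
{
    $service = 'iotdevicegateway';
    $now     = $now === null ? time() : $now;
    $amzDate = gmdate('Ymd\THis\Z', $now);
    $date    = gmdate('Ymd', $now);
    $scope   = "$date/$region/$service/aws4_request";

    // Query parameters covered by the signature, sorted by key as SigV4 requires.
    $query = array(
        'X-Amz-Algorithm'     => 'AWS4-HMAC-SHA256',
        'X-Amz-Credential'    => "$accessKey/$scope",
        'X-Amz-Date'          => $amzDate,
        'X-Amz-Expires'       => (string) $expires,
        'X-Amz-SignedHeaders' => 'host',
    );
    ksort($query);
    $canonicalQuery = http_build_query($query, '', '&', PHP_QUERY_RFC3986);

    // Canonical request: method, path, query, headers, signed headers, hash of empty body.
    $canonicalRequest = implode("\n", array(
        'GET', '/mqtt', $canonicalQuery, "host:$host\n", 'host', hash('sha256', ''),
    ));
    $stringToSign = implode("\n", array(
        'AWS4-HMAC-SHA256', $amzDate, $scope, hash('sha256', $canonicalRequest),
    ));

    // Derive the signing key: date -> region -> service -> "aws4_request".
    $key = hash_hmac('sha256', $date, 'AWS4' . $secretKey, true);
    $key = hash_hmac('sha256', $region, $key, true);
    $key = hash_hmac('sha256', $service, $key, true);
    $key = hash_hmac('sha256', 'aws4_request', $key, true);
    $signature = hash_hmac('sha256', $stringToSign, $key);

    $url = "wss://$host/mqtt?$canonicalQuery&X-Amz-Signature=$signature";
    if ($sessionToken !== null && $sessionToken !== '') {
        // Appended after signing; rawurlencode because STS tokens contain '+', '/' and '='.
        $url .= '&X-Amz-Security-Token=' . rawurlencode($sessionToken);
    }
    return $url;
}

// Constructed placeholder values, not real credentials or a real endpoint.
echo presignIotWebsocketUrl('example-ats.iot.us-east-1.amazonaws.com', 'us-east-1',
    'AKIDEXAMPLE', 'secretEXAMPLE', 'token+with/chars=='), "\n";
```

With permanent IAM credentials the token argument is `null` and the URL carries no `X-Amz-Security-Token` parameter, which matches the issue's observation that only temporary credentials are affected.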