API Gateway: AWS 4 Signer error "The request signature we calculated does not match the signature you provided".

search cancel

API Gateway: AWS 4 Signer error "The request signature we calculated does not match the signature you provided".

book

Article ID: 186297

calendar_today

Updated On:

Products

CA API Gateway CA Microgateway

Issue/Introduction

This article will discuss the topic of the AWS 4 Signer assertion and an error that can be observed from time to time.

There exists a "tactical" assertion called AWS 4 Signer, and on occasion when setting this up with a new backend (i.e. AWS Gateway, or AWS

{"message":"The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n\nThe Canonical String for this request should have been\n'GET\n/namespaces/<path>\n\nhost:<hostname>\nx-amz-date:20191225T035426Z\nx-amz-security-token:<token>\n\nhost;x-amz-date;x-amz-security-token\<securityToken>'\n\nThe String-to-Sign should have been\n'AWS4-HMAC-SHA256\n20191225T035426Z\n20191225/<region>/execute-api/aws4_request\<requestID>'\n"}

Environment

This article applies to all supported versions of the API Gateway using the AWS 4 Signer tactical assertion.

Resolution

There is often nothing to be done on the assertion / in the API Gateway, as it is most often working as designed. There is a need to pay attention to the exact message being returned by AWS systems, and making sure the values used are in the format expected by AWS.

Much of whether it will work or not will depend on the particular AWS backend being routed to and if it requires specifics outside of what the assertion-alone provides. For example, if routing to an AWS API Gateway backend, it typically requires its own additional headers and data in the request which likely were not received if you are seeing the error noted in this article. Ensure that the requests are formatted correctly to match what the backend is expecting.

Amazon Support may need to be contacted, if available, for more details on the error they are responding with.

Additional Information

Tactical assertions are not officially supported, they are provided as-is.
Amazon Signature Version 4 signing process: https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html
Signing AWS requests with Signature Version 4: https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html

Feedback

thumb_up Yes

thumb_down No