错误:DescribeRegions API 调用上的 InvalidAction(亚马逊 AWS/EC2 API) [英] Error: InvalidAction on DescribeRegions API call (Amazon AWS/EC2 API)
问题描述
我正在编写一个应用程序来与 Amazon EC2 API 交互,因为我以前从未这样做过,所以我决定从 DescribeRegions 之类的简单内容开始.
I'm writing an app to interact with the Amazon EC2 API and since I've never done this before, I decided to start with something easy like DescribeRegions.
我在 C 中做这件事,所以没有容易使用的库,所以我不得不将它与 libcurl 和 libcrypto 一起破解.完全公开,这是我第一次以编程方式与 AWS/EC2 API 交互,所以这很可能是一个愚蠢的新手错误.
I'm doing this in C so there are no easy to use libraries out there for this so I'm having to hack it together with libcurl and libcrypto. Full disclosure, this is the first time I'm interacting with AWS/EC2 API programmatically so this may well be a stupid newbie mistake.
我确实通读了stackoverflow;这与 question 那里的人试图从 bash 发送请求并且没有引用字符串.我通过 curl_easy_perform()
I did read through stackoverflow; this is not the same as the question where the person was trying to send the request from bash and hadn't quoted the string. I'm sending the request through curl_easy_perform()
在阅读我能找到的所有文档后(对于本示例,让我将 AAAAAAAAA 替换为我的 AWS 访问密钥,将 BBBBBBB 替换为我的秘密密钥.
After reading all the documentation I could find (and for this example, let me replace AAAAAAAAA for my AWS Access Key and BBBBBBB for my secret key.
我按照此处 内容如下:
Action=DescribeRegions&AWSAccessKeyId=AAAAAAAA&SignatureMethod=HmacSHA256&"SignatureVersion=2&Timestamp=2013-09-22T02:12:27Z&Version=2013-08-15
并继续转义并生成
GET\n
ec2.amazonaws.com\n
/\n
Action%3DDescribeRegions%26AWSAccessKeyId%AAAAAAAAAAAA%26SignatureMethod%3DHmacSHA256%26SignatureVersion%3D2%26Timestamp%3D2013-09-22T02%3A12%3A27Z&Version=2013-08-15
然后我继续在其上构建签名(我们称之为 CCCCCCCC)
which I then proceed to construct a signature on (let's call it CCCCCCCC)
并提出如下请求:
https://ec2.amazonaws.com/?Action%3DDescribeRegions%26AWSAccessKeyId%3DAAAAAAAAAAAAA%26SignatureMethod%3DHmacSHA256%26SignatureVersion%3D2%26Timestamp%3D2013-09-22T02%3A12%3A27Z&Version=2013-08-15&Signature=CCCCCCCCCCC
当我发送此文件时,出现以下错误.
When I send this along, I get the following error.
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message></Error></Errors><RequestID>585f8932-d27b-42b3-b20e-453d8c7ee1ef</RequestID></Response>
我使用的签名机制是一个简单的 hmac_sha256;我还尝试了 维基百科文章中引用的 hmac_sha256 库,可用于 在此处下载.
The signing mechanism I'm using is a simple hmac_sha256; I also tried the hmac_sha256 library referenced in the wikipedia article and available for download here.
我已经验证我的签名算法是正确的,现在我只需要假设我签名的字符串是不正确的.
I've verified that my signing algorithm is correct, now I have to only assume that the string that I'm signing is incorrect.
不幸的是,文档(AWS 文档)在这方面不够充分.
The documentation (AWS Documentation) is unfortunately less than adequate in this regard.
例如,它读取:
添加查询字符串组件(名称-值对,不包括最初的问号 (?) 为 UTF-8 字符,即 URL根据 RFC 3986 编码(十六进制字符必须大写)和使用字典字节顺序排序.字典字节序区分大小写.
Add the query string components (the name-value pairs, not including the initial question mark (?) as UTF-8 characters which are URL encoded per RFC 3986 (hexadecimal characters must be uppercased) and sorted using lexicographic byte ordering. Lexicographic byte ordering is case sensitive.
他们到底要我在这里排序什么?
What exactly are they asking me to sort here?
任何帮助将不胜感激.如果我在这里发布完整的源代码会有帮助吗?
Any help would be most appreciated. Would it help if I posted complete source code here?
推荐答案
他们到底要我在这里排序什么?
What exactly are they asking me to sort here?
一组键/值对中的键没有定义的排序顺序,但由于签名算法只能有一个正确的输出,所以根据定义,只能有一个正确的输入......而正确的输入是通过附加键/值对和排序的键来构造的字符串.
The keys in a set of key/value pairs have no defined sort order, but since there can only be one correct output of the signing algorithm, there can by definition be only one correct input... and the correct input is a string that is constructed by appending the key/value pairs with the keys sorted.
在构建要签名的字符串时,您对查询字符串中的键(名称)进行排序.例如,AWSAccessKeyId"在SignatureMethod"之前,在Timestamp"之前,等等.您使用排序的键构建字符串.
You sort the keys (names) in the query string when building the string to sign. For example, "AWSAccessKeyId" goes before "SignatureMethod" which goes before "Timestamp," etc. You build the string with the keys sorted.
但我认为您遇到的另一个问题是:
But I think the other issue you have is this:
继续转义并生成
...
Action%3DDescribeRegions%26AWSAccessKeyId%AAAAAAAAAAAA ...
等等.在构建此字符串时,您只对键和值进行 urlencode(转义),而不是分隔符.它应该看起来更像这样:
Wait. You only urlencode (escape) the keys and the values, not the separators, when building this string. It should look more like this:
Action=DescribeRegions&AWSAccessKeyId= ...
注意在示例中,您看到的唯一转义类似于时间戳中的转义,其中 : 变为 %3A 但 =查询字符串中的 & 不会被转义.您需要在构建字符串之前而不是之后转义键和值.
Notice in the examples, the only escaping you see are like those found in the timestamp, where : becomes %3A but the = an & in the query string are not escaped. You'll need to escape the keys and values before building the string, not after.
这篇关于错误:DescribeRegions API 调用上的 InvalidAction(亚马逊 AWS/EC2 API)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
