Signature expired: is now earlier than error : InvalidSignatureException

Problem description

I am trying a small example with AWS API Gateway and IAM authorization. The AWS API Gateway generated the below Endpoint:

https://xyz1234.execute-api.us-east-2.amazonaws.com/Users/users

with POST action and no parameters.

Initially I had turned off the IAM for this POST Method, and I verified the results using Postman; it works. Then I created a new IAM User and attached the AmazonAPIGatewayInvokeFullAccess Policy to the user, thereby giving permission to invoke any APIs. Enabled the IAM for the POST Method.

I then went to Postman and added Authorization with AccessKey, Secret Key, AWS Region as us-east-2 and Service Name as execute-api, and tried to execute the Request, but I got an InvalidSignatureException Error with 403 as the return code.

The body contains the following message:

Signature expired: 20170517T062414Z is now earlier than 20170517T062840Z (20170517T063340Z - 5 min.)" 

What am I missing?

Recommended answer

A request signed with AWS sigV4 includes a timestamp for when the signature was created. Signatures are only valid for a short amount of time after they are created. (This limits the amount of time that a replay attack can be attempted.)

When the signature is validated the timestamp is compared to the current time. If this indicates that the signature was not created recently, then signature validation fails with the error message you mentioned.

A common cause of this is when the local clock on the host generating the signature is off by more than a couple of minutes.
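
The following is an added example, not part of the original answer: it parses the error text quoted in the question to recover how old the signature looked to the server and how far outside the stated window it fell. The function names and the simplified freshness check `is_fresh` are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Pattern for the error text quoted in the question; other wordings are not handled.
EXPIRED = re.compile(
    r"Signature expired: (?P<signed>\d{8}T\d{6}Z) is now earlier than "
    r"(?P<cutoff>\d{8}T\d{6}Z) \((?P<server>\d{8}T\d{6}Z) - (?P<window>\d+) min\.\)"
)

def parse_ts(value):
    """Parse a YYYYMMDDTHHMMSSZ timestamp, as used in the message, as UTC."""
    return datetime.strptime(value, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)

def is_fresh(signed_at, now, window):
    """Simplified model (assumption) of the check the answer describes:
    reject a signature whose timestamp is older than now - window."""
    return signed_at >= now - window

def diagnose(message):
    """Recover the timing facts encoded in a 'Signature expired' message."""
    m = EXPIRED.search(message)
    if m is None:
        raise ValueError("not a 'Signature expired' message in the expected format")
    signed_at, cutoff, server = (parse_ts(m[k]) for k in ("signed", "cutoff", "server"))
    window = timedelta(minutes=int(m["window"]))
    if server - window != cutoff:
        raise ValueError("cutoff is not server time minus the stated window")
    lag = server - signed_at
    return {
        "signed_at": signed_at,
        "server_time": server,
        "window": window,
        "lag": lag,               # age of the signature as seen by the server
        "excess": lag - window,   # how far outside the window it fell
        "fresh": is_fresh(signed_at, server, window),
    }

if __name__ == "__main__":
    # The message from the question.
    sample = ("Signature expired: 20170517T062414Z is now earlier than "
              "20170517T062840Z (20170517T063340Z - 5 min.)")
    info = diagnose(sample)
    print(f"signature age at server: {info['lag']} (window {info['window']})")
    print(f"outside window by:       {info['excess']}")
```

If the reported age stays the same across retries, compare it with the signing host's clock offset against an NTP-synchronised time source.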
