错误:InvalidAction上DescribeRegions API调用(亚马逊AWS / EC2 API) [英] Error: InvalidAction on DescribeRegions API call (Amazon AWS/EC2 API)
问题描述
我正在写一个应用程序来与亚马逊EC2 API互动,因为我以前从来没有这样做,我决定先从一些简单的像DescribeRegions。
我在做这在C所以有没有好用的库外面的这个,所以我不得不用的libcurl和libcrypto破解它在一起。全面披露,这是我第一次与AWS / EC2 API交互编程所以这可能是一个愚蠢的新手的错误。
我通过计算器读取;这是不一样的<一个href="http://stackoverflow.com/questions/16731282/aws-api-error-the-action-describeregions-is-not-valid-for-this-web-service">question那里的人试图从发送bash的请求,也没有引用字符串。我通过 curl_easy_perform发送请求()
阅读所有我能找到的文档后(并且在这个例子中,让我代替AAAAAAAAA我的AWS访问密钥和BBBBBBB我的密钥。
我构建描述的这里内容如下:
<$p$p><$c$c>Action=DescribeRegions&AWSAccessKeyId=AAAAAAAA&SignatureMethod=HmacSHA256&"SignatureVersion=2&Timestamp=2013-09-22T02:12:27Z&Version=2013-08-15和继续逃避和生成的签名请求
GET \ñ
ec2.amazonaws.com \ñ
/ \ñ
Action%3DDescribeRegions%26AWSAccessKeyId%AAAAAAAAAAAA%26SignatureMethod%3DHmacSHA256%26SignatureVersion%3D2%26Timestamp%3D2013-09-22T02%3A12%3A27Z&Version=2013-08-15
然后我可以开始创建一个签名(我们称之为CCCCCCCC)
和想出了一个请求,上面写着:
https://ec2.amazonaws.com/?Action%3DDescribeRegions%26AWSAccessKeyId%3DAAAAAAAAAAAAA%26SignatureMethod%3DHmacSHA256%26SignatureVersion%3D2%26Timestamp%3D2013-09-22T02%3A12%3A27Z&Version=2013-08-15&Signature=CCCCCCCCCCC
当我把这个一直以来,我碰到下面的错误。
&LT; XML版本=1.0编码=UTF-8&GT?;
<Response><Errors><Error><$c$c>SignatureDoesNotMatch</$c$c><Message>The要求签名,我们计算并不您提供的签名相匹配。请检查您的AWS访问密钥和签名方法。咨询服务文档details.</Message></Error></Errors><RequestID>585f8932-d27b-42b3-b20e-453d8c7ee1ef</RequestID></Response>
我正在使用的签名机制是一个简单的hmac_sha256;我也试过在维基百科的文章并可供参考的hmac_sha256库< A HREF =http://www.ouah.org/ogay/hmac/相对=nofollow>从这里下载。
我已经验证了我的签名算法是正确的,现在我只能假设我正在签约的字符串不正确。
文档(AWS文档)是不幸的是绰绰有余在这方面较少。
例如,它读取:
...添加查询串组件(名称 - 值对,不包括 最初的问号(?)作为它的URL UTF-8字符 EN $ C $根据RFC 3986 CD(十六进制字符必须大写)和 排序使用词典字节顺序。辞书字节序 是区分大小写的。
究竟是什么,他们问我在这里排序?
任何帮助将是最AP preciated。它是否有助于如果我贴完整的源$ C $ C在这里?
究竟是什么,他们问我在这里排序?
在一组键/值对的键都没有定义的排序顺序,但因为只能有一个正确的输出签名算法,可以根据定义只有一个正确的输入...并正确输入即通过附加的键/值对与按键排序构造的串
您打造签署字符串时,在查询字符串键(名称)进行排序。例如,AWSAccessKeyId去之前是SignatureMethod肚里时间戳等之前建立的字符串键排序。
但我认为你有另外一个问题是这样的:
继续逃避和生成的签名请求
...
动作%3DDescribeRegions%26AWSAccessKeyId%AAAAAAAAAAAA ...
等待。你只urlen code(退出)键和值,而不是分离,建立这个字符串的时候。它应该看起来更像是这样的:
行动= DescribeRegions和放大器; AWSAccessKeyId = ...
中的例子说明,唯一的逃避,你看到的是像在戳,其中发现:变成%3A 但 = 的&功放;在查询字符串都没有逃过。你需要构建字符串,而不是前后逃脱键和值。
I'm writing an app to interact with the Amazon EC2 API and since I've never done this before, I decided to start with something easy like DescribeRegions.
I'm doing this in C so there are no easy to use libraries out there for this so I'm having to hack it together with libcurl and libcrypto. Full disclosure, this is the first time I'm interacting with AWS/EC2 API programmatically so this may well be a stupid newbie mistake.
I did read through stackoverflow; this is not the same as the question where the person was trying to send the request from bash and hadn't quoted the string. I'm sending the request through curl_easy_perform()
After reading all the documentation I could find (and for this example, let me replace AAAAAAAAA for my AWS Access Key and BBBBBBB for my secret key.
I construct the parameter part of the signing request as described here which reads:
Action=DescribeRegions&AWSAccessKeyId=AAAAAAAA&SignatureMethod=HmacSHA256&"SignatureVersion=2&Timestamp=2013-09-22T02:12:27Z&Version=2013-08-15
and proceed to escape that and generate a signing request of
GET\n
ec2.amazonaws.com\n
/\n
Action%3DDescribeRegions%26AWSAccessKeyId%AAAAAAAAAAAA%26SignatureMethod%3DHmacSHA256%26SignatureVersion%3D2%26Timestamp%3D2013-09-22T02%3A12%3A27Z&Version=2013-08-15
which I then proceed to construct a signature on (let's call it CCCCCCCC)
and come up with a request that reads:
https://ec2.amazonaws.com/?Action%3DDescribeRegions%26AWSAccessKeyId%3DAAAAAAAAAAAAA%26SignatureMethod%3DHmacSHA256%26SignatureVersion%3D2%26Timestamp%3D2013-09-22T02%3A12%3A27Z&Version=2013-08-15&Signature=CCCCCCCCCCC
When I send this along, I get the following error.
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.</Message></Error></Errors><RequestID>585f8932-d27b-42b3-b20e-453d8c7ee1ef</RequestID></Response>
The signing mechanism I'm using is a simple hmac_sha256; I also tried the hmac_sha256 library referenced in the wikipedia article and available for download here.
I've verified that my signing algorithm is correct, now I have to only assume that the string that I'm signing is incorrect.
The documentation (AWS Documentation) is unfortunately less than adequate in this regard.
For example, it reads:
Add the query string components (the name-value pairs, not including the initial question mark (?) as UTF-8 characters which are URL encoded per RFC 3986 (hexadecimal characters must be uppercased) and sorted using lexicographic byte ordering. Lexicographic byte ordering is case sensitive.
What exactly are they asking me to sort here?
Any help would be most appreciated. Would it help if I posted complete source code here?
What exactly are they asking me to sort here?
The keys in a set of key/value pairs have no defined sort order, but since there can only be one correct output of the signing algorithm, there can by definition be only one correct input... and the correct input is a string that is constructed by appending the key/value pairs with the keys sorted.
You sort the keys (names) in the query string when building the string to sign. For example, "AWSAccessKeyId" goes before "SignatureMethod" which goes before "Timestamp," etc. You build the string with the keys sorted.
But I think the other issue you have is this:
proceed to escape that and generate a signing request of
...
Action%3DDescribeRegions%26AWSAccessKeyId%AAAAAAAAAAAA ...
Wait. You only urlencode (escape) the keys and the values, not the separators, when building this string. It should look more like this:
Action=DescribeRegions&AWSAccessKeyId= ...
Notice in the examples, the only escaping you see are like those found in the timestamp, where : becomes %3A but the = an & in the query string are not escaped. You'll need to escape the keys and values before building the string, not after.
这篇关于错误:InvalidAction上DescribeRegions API调用(亚马逊AWS / EC2 API)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
