Support for authentication using temporary session tokens #99

Open
wants to merge 2 commits into
base: master

jrochel commented Mar 4, 2021

Note that depending on which service one uses, the token needs to be
added either before or after signing.

https://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html

« When you add the X-Amz-Security-Token parameter to the query string, some services require that you include this parameter in the canonical (signed) request. For other services, you add this parameter at the end, after you calculate the signature. For details, see the API reference documentation for that service. »

vouillon commented Mar 4, 2021

> Note that depending on which service one uses, the token needs to be
> added either before or after signing.
>
> https://docs.aws.amazon.com/general/latest/gr/sigv4-add-signature-to-request.html
>
> « When you add the X-Amz-Security-Token parameter to the query string, some services require that you include this parameter in the canonical (signed) request. For other services, you add this parameter at the end, after you calculate the signature. For details, see the API reference documentation for that service. »

Since the parameter is added to the headers, not the query string, I think it should always be added before signing.

jrochel (author) commented Mar 4, 2021

Maybe there is a mistake in my session_token_signed implementation, but if I use it instead of session_token_unsigned I'm getting an InvalidClientTokenId with CloudFormation. And your statement would contradict

> Note that depending on which service one uses, the token needs to be
> added either before or after signing.

Or am I simply misunderstanding this statement?

vouillon commented Mar 4, 2021

Indeed, you forgot to add the X-Amz-Security-Token header.

It seems you only need to add the token after signing when generating a pre-signed URL for an AWS IoT websocket. See aws/aws-sdk-go#2485 (comment).

@vouillon

How does it compare to #95?
