使用GetSecretValue AWS Secrets Manager API的InvalidSignatureException

问题描述 投票:0回答:1

当尝试使用AWS Secrets Manager REST API GetSecretValue检索机密值时,我收到带有以下错误消息的无效请求

我按照此处给出的步骤(https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html#sig-v4-examples-post)使用sigv4签署了请求。

我的代码如下:

    def sign(self, key, msg):
        return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()

    def get_signature_key(self, key, dateStamp, regionName, serviceName):
        kDate = self.sign(('AWS4' + key).encode('utf-8'), dateStamp)
        kRegion = self.sign(kDate, regionName)
        kService = self.sign(kRegion, serviceName)
        kSigning = self.sign(kService, 'aws4_request')
        return kSigning

    def get_request_url(self, region, access_key, secret_key, token, secret_name):
        method = 'POST'
        service = 'secretsmanager'
        host = 'secretsmanager.' + region + '.amazonaws.com'
        endpoint = 'https://secretsmanager.' + region + '.amazonaws.com'
        content_type = 'application/x-amz-json-1.0'
        amz_target = 'secretsmanager.GetSecretValue'
        request_parameters = '{'
        request_parameters += '"SecretId":"%s"' %(secret_name)
        request_parameters += '}'

        t = datetime.datetime.utcnow()
        amz_date = t.strftime('%Y%m%dT%H%M%SZ')
        date_stamp = t.strftime('%Y%m%d')

        canonical_uri = '/'
        canonical_querystring = ''
        canonical_headers = 'content-type:' + content_type + '\n' + 'host:' + host + '\n' + 'x-amz-date:' + amz_date + '\n' + 'x-amz-target:' + amz_target + '\n' + 'x-amz-security-token:' + token + '\n'

        signed_headers = 'content-type;host;x-amz-date;x-amz-target;x-amz-security-token'
        payload_hash = hashlib.sha256(request_parameters.encode('utf-8')).hexdigest().strip()

        canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash

        algorithm = 'AWS4-HMAC-SHA256'
        credential_scope = date_stamp + '/' + region + '/' + service + '/' + 'aws4_request'
        string_to_sign = algorithm + '\n' +  amz_date + '\n' +  credential_scope + '\n' +  hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()

        signing_key = self.get_signature_key(secret_key, date_stamp, region, service)
        signature = hmac.new(signing_key, (string_to_sign).encode('utf-8'), hashlib.sha256).hexdigest()

        authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' +  'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature


        headers = { 'Content-Type':content_type, 'Host':host, 'X-Amz-Date':amz_date, 'X-Amz-Target':amz_target, 'X-Amz-Content-Sha256':payload_hash, 'X-Amz-Security-Token':token.encode('ascii'), 'Authorization':authorization_header.encode('ascii')}


        # ************* SEND THE REQUEST *************
        print('\nBEGIN REQUEST++++++++++++++++++++++++++++++++++++')
        print('Request URL = ' + endpoint)

        r = requests.post(endpoint, headers=headers, data=request_parameters)

        print('\nRESPONSE++++++++++++++++++++++++++++++++++++')
        print('Response code: %d\n' % r.status_code)
        print(r.text)
python amazon-web-services api rest aws-secrets-manager
1个回答
0
投票
订单事项
© www.soinside.com 2019 - 2024. All rights reserved.