I've implemented a very basic CustomResource where I'm receiving the notification through SNS to an HTTPS subscriber without any problems. If I take the ResponseURL sent with the CustomResource notification and try to respond with a SUCCESS response, I continually get a 403-FORBIDDEN response from AWS using the pre-signed URL with a SignatureDoesNotMatch error code.
Through all my research and reviewing the aws-cfn-resource-bridge, there are two things that stand out.
- The response is a PUT, good... easy enough.
- The Content-Type HTTP header is set to a blank/empty string, alright... no problem there either although it doesn't make much sense.
Here is my request:
PUT http://ift.tt/1ILUsf9
Content-Type:
Content-Length: 305
{"Status":"SUCCESS","PhysicalResourceId":"scott-test-CloudFlareDNSRegistration-1KQIGCB3BP1AW","StackId":"arn:aws:cloudformation:us-east-1:741849072915:stack/scott-test/7181a360-50cc-11e5-8aae-5001b491380a","RequestId":"047ca252-bf0e-4fa7-a7ac-be97fc897095","LogicalResourceId":"CloudFlareDNSRegistration"}
The response I get:
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>REMOVED</AWSAccessKeyId><StringToSign>PUT
1441240852
/cloudformation-custom-resource-response-useast1/arn%253Aaws%253Acloudformation%253Aus-east-1%253A741849072915%253Astack/scott-test/7181a360-50cc-11e5-8aae-5001b491380a%257CCloudFlareDNSRegistration%257C047ca252-bf0e-4fa7-a7ac-be97fc897095</StringToSign> <SignatureProvided>yzmop7aF5TxOFjAG%2F7TvTpoZDS0%3D</SignatureProvided> <StringToSignBytes>50 55 54 0a 0a 0a 31 34 34 31 32 34 30 38 35 32 0a 2f 63 6c 6f 75 64 66 6f 72 6d 61 74 69 6f 6e 2d 63 75 73 74 6f 6d 2d 72 65 73 6f 75 72 63 65 2d 72 65 73 70 6f 6e 73 65 2d 75 73 65 61 73 74 31 2f 61 72 6e 25 32 35 33 41 61 77 73 25 32 35 33 41 63 6c 6f 75 64 66 6f 72 6d 61 74 69 6f 6e 25 32 35 33 41 75 73 2d 65 61 73 74 2d 31 25 32 35 33 41 37 34 31 38 34 39 30 37 32 39 31 35 25 32 35 33 41 73 74 61 63 6b 2f 73 63 6f 74 74 2d 74 65 73 74 2f 37 31 38 31 61 33 36 30 2d 35 30 63 63 2d 31 31 65 35 2d 38 61 61 65 2d 35 30 30 31 62 34 39 31 33 38 30 61 25 32 35 37 43 43 6c 6f 75 64 46 6c 61 72 65 44 4e 53 52 65 67 69 73 74 72 61 74 69 6f 6e 25 32 35 37 43 30 34 37 63 61 32 35 32 2d 62 66 30 65 2d 34 66 61 37 2d 61 37 61 63 2d 62 65 39 37 66 63 38 39 37 30 39 35</StringToSignBytes><RequestId>EBFDA09E56D8313F</RequestId><HostId>MP66HkmQeXXH05wE2AQR4pWc99JFyCXJMfMSQk4xxbxSRj5qQJB7vAm7/dJH+rH4</HostId></Error>
I've found various questions where it was suggested the path needed to be decoded (i.e. altering the %3A to :) before making the request; I tried that with no luck. I'm using the URL provided as is in the ResponseURL field; it doesn't seem like I should be altering it.
Any thoughts?
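
Added example (not part of the original post, and not AWS code): a small diagnostic that decodes the `StringToSignBytes` dump from an S3 `SignatureDoesNotMatch` body and splits it into the Signature Version 2 query-string fields (verb, Content-MD5, Content-Type, Expires, resource), so what S3 received can be compared with what the client meant to send. The function names, the secret and the sample error body are constructed for illustration.

```python
import base64, hashlib, hmac, re
import xml.etree.ElementTree as ET

# Constructed sample: a StringToSign in the same shape as the one in the error
# above, hex-dumped the way S3 reports it. Bucket and key are placeholders.
_STS = "PUT\n\n\n1441240852\n/example-bucket/arn%253Aaws%253Aexample%257Crequest-1"
SAMPLE_ERROR = (
    '<?xml version="1.0" encoding="UTF-8"?><Error><Code>SignatureDoesNotMatch</Code>'
    "<StringToSignBytes>" + " ".join(f"{b:02x}" for b in _STS.encode())
    + "</StringToSignBytes></Error>"
)

def string_to_sign(error_xml):
    """Decode the <StringToSignBytes> hex dump from an S3 error body."""
    dump = ET.fromstring(error_xml.encode("utf-8")).findtext("StringToSignBytes")
    return bytes.fromhex(dump.replace(" ", "")).decode("utf-8")

def split_fields(sts):
    """Split a Signature Version 2 query-string StringToSign into its fields."""
    lines = sts.split("\n")
    return {"verb": lines[0], "content_md5": lines[1], "content_type": lines[2],
            "expires": lines[3],
            "amz_headers": lines[4:-1],  # signed x-amz-* headers, if any
            "resource": lines[-1]}       # path exactly as S3 received it

def findings(fields, intended_verb, intended_content_type):
    """List differences between what the client meant to send and what S3 saw."""
    out = []
    if fields["verb"] != intended_verb:
        out.append(f"verb: S3 saw {fields['verb']!r}")
    if fields["content_type"] != intended_content_type:
        out.append(f"Content-Type: S3 saw {fields['content_type']!r}")
    if re.search(r"%25[0-9A-Fa-f]{2}", fields["resource"]):
        out.append("resource has %25XX escapes; compare with the URL as issued")
    return out

def sigv2(secret, sts):
    """Base64 HMAC-SHA1 over the StringToSign, as Signature Version 2 defines."""
    mac = hmac.new(secret.encode(), sts.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

if __name__ == "__main__":
    fields = split_fields(string_to_sign(SAMPLE_ERROR))
    print(fields)
    print(findings(fields, "PUT", ""))
    # Any one-byte difference in the resource yields a different signature.
    print(sigv2("constructed-secret", _STS) != sigv2("constructed-secret", _STS.replace("%25", "%")))
```

Run it against the full error body returned by S3 and compare each field with the request as it left the HTTP client, including any header the client library adds on its own.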