1

I'm following the example guide to send email using python and am getting an error that says "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method." Problem is I'm not self-signing anything. Boto should be handling all that on the back end.

Looking through comments on a similar issue raised regarding S3 buckets, lots of people were having trouble with special characters in their keys. One person said the problem was a + in the key. I tried creating new credentials because mine did have a +. The new credentials have a / in them and instead I got the error "The security token included in the request is invalid." Some people were also saying they get the error in the title when they are using forward slashes, not the token invalid error.

I've also managed to get AWS to generate an alpha-numeric secret key and still get the title error. It seems like running with any key with a / generates the invalid token error, whereas any other key will generate the title error. Is there some configuration in boto3 that needs to be addressed to fix this?

Extra Info. The full output when I try to send an email is this:

The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. This is being created under the hood by boto3. Is there any way to see what boto3 is sending for myself?

The Canonical String for this request should have been
'POST
/

content-type:application/x-www-form-urlencoded; charset=utf-8
host:email.us-east-1.amazonaws.com
x-amz-date:20210602T203507Z

content-type;host;x-amz-date
f7db71769583b2ac6313966e2c40eef110add591a5008c5b3ba727d66fb1fffe'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20210602T203507Z
20210602/us-east-1/ses/aws4_request
c7d4af550cec63d9b23b3fcca2d4cad3a9587fc565f211626ae908b7bcb6b737'
jaredad7
  • 998
  • 2
  • 11
  • 33

2 Answers2

0

As process you have to calculate signature at your side and pass same signature to AWS. Then AWS generated again signature at their side using input values and try to match with which you provided.

As I remember this generally not match because of your input data or email content inclusion of some junks character like no ascii character ( this generally come when you copy content from docs to HTML or form values ). Try to remove junk characters.

Use this Python script to remove non ascii character once your received as input or content of email.

https://gist.github.com/aviboy2006/ca1e50f1cb1a32f7544f2f0af1fb928d

Avinash Dalvi
  • 8,551
  • 7
  • 27
  • 53
  • Hi, thanks for your response. Is there any way that I can get my script to print the request that boto3 is creating so that I can see if there are non-ascii characters involved? Boto3 is creating the request on the back end. I've added the response to the original question. As you can see, there is metadata being created that I am not touching. My code looks exactly like the example code in the AWS walkthrough. – jaredad7 Jun 02 '21 at 20:40
  • 1
    I finally found a way to log what boto is doing, and the strings are the same in the terminal, so I think you must be correct about junk characters seeping in there somewhere. – jaredad7 Jun 02 '21 at 21:03
0

Make sure that the URL in the canonical string is the same as your HTTP request URL.

I got this message while attempting to fire API Gateway requests. The URLs didn't match, my request URL was something like:

                                                          vv
https://api-gw-id.execute-api.eu-west-1.amazonaws.com/test//users/user-id/customers

While the canonical string contained the URL:

                                                          v
https://api-gw-id.execute-api.eu-west-1.amazonaws.com/test/users/user-id/customers

Related libraries: boto3, aws-requests-auth

maxpaj
  • 6,029
  • 5
  • 35
  • 56