
I'm following the directions on the API documentation precisely, and after some frustration I finally put together something directly from their examples on http://docs.amazonwebservices.com/AWSECommerceService/2011-08-01/DG/rest-signature.html

I've tried this Python script on a few machines and have gotten the same result on all of them.

```python
import hmac
from base64 import b64encode
from hashlib import sha256

secret_key = '1234567890'

# String to sign: method, host, path and the sorted, percent-encoded query string
to_sign = """GET
webservices.amazon.com
/onca/xml
AWSAccessKeyId=AKIAI44QH8DHBEXAMPLE&ItemId=0679722769&Operation=ItemLookup&ResponseGroup=ItemAttributes%2COffers%2CImages%2CReviews&Service=AWSECommerceService&Timestamp=2009-01-01T12%3A00%3A00Z&Version=2009-01-06"""

# hmac.new() takes bytes for both the key and the message on Python 3
print(b64encode(hmac.new(secret_key.encode(), to_sign.encode(), sha256).digest()).decode())
```

The instructions say that the signature using this request, and this key, is Nace+U3Az4OhN7tISqgs1vdLBHBEijWcBeCqL5xN9xg= but I get O6UTkH+m4zAQUvB+WXUZJeA8bZcKAdkc4crKgHtbc6s=

(Before anyone says anything: The example page displays the requests wrapped at 65 characters; I've already tried it. This doesn't provide a solution, and is not stated in the instructions for signature creation.)


EDIT: I found the answer, see below.

Sebastian
Devin
  • FYI to others: Amazon's JS implementation works as of Sep 2013 and is useful for troubleshooting. http://associates-amazon.s3.amazonaws.com/signed-requests/helper/index.html – amwinter Sep 20 '13 at 14:02

2 Answers

Well, look at that... The docs were wrong.

I stumbled on an old (nearly) duplicate of this question: Calculating a SHA hash with a string + secret key in python

It looks like the AWSAccessKeyId value changed from 00000000000000000000 to AKIAI44QH8DHBEXAMPLE in the example requests page.

Updating this in the script prints the expected key, Nace+U3Az4OhN7tISqgs1vdLBHBEijWcBeCqL5xN9xg=

```python
import hmac
from base64 import b64encode
from hashlib import sha256

secret_key = '1234567890'

# Same string to sign as in the question, with the older AWSAccessKeyId value
to_sign = """GET
webservices.amazon.com
/onca/xml
AWSAccessKeyId=00000000000000000000&ItemId=0679722769&Operation=ItemLookup&ResponseGroup=ItemAttributes%2COffers%2CImages%2CReviews&Service=AWSECommerceService&Timestamp=2009-01-01T12%3A00%3A00Z&Version=2009-01-06"""

# hmac.new() takes bytes for both the key and the message on Python 3
print(b64encode(hmac.new(secret_key.encode(), to_sign.encode(), sha256).digest()).decode())
```
Community
Devin
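The signing steps behind the scripts above, as an added example that is not part of the original posts or Amazon's code: it builds the string to sign from a parameter dictionary (byte-order sort, RFC 3986 percent-encoding) instead of a hand-pasted string, then checks the result against the signature quoted on this page. The function and constant names are hypothetical; the key, parameters and expected signature are the ones from the question and answer.

```python
import hmac
from base64 import b64encode
from hashlib import sha256
from urllib.parse import quote

# Test vector quoted on this page (the documentation's example request).
SECRET_KEY = "1234567890"
DOCUMENTED_SIGNATURE = "Nace+U3Az4OhN7tISqgs1vdLBHBEijWcBeCqL5xN9xg="
PARAMS = {
    "Service": "AWSECommerceService",
    "AWSAccessKeyId": "00000000000000000000",
    "Operation": "ItemLookup",
    "ItemId": "0679722769",
    "ResponseGroup": "ItemAttributes,Offers,Images,Reviews",
    "Version": "2009-01-06",
    "Timestamp": "2009-01-01T12:00:00Z",
}

def rfc3986(value):
    # Percent-encode everything except the unreserved set A-Z a-z 0-9 - _ . ~
    return quote(str(value), safe="-_.~")

def string_to_sign(params, method="GET", host="webservices.amazon.com",
                   path="/onca/xml"):
    # Sort by the byte value of the parameter name, encode names and values,
    # and put the joined query on the fourth line after method, host and path.
    pairs = sorted(params.items(), key=lambda kv: kv[0].encode("utf-8"))
    query = "&".join(f"{rfc3986(k)}={rfc3986(v)}" for k, v in pairs)
    return "\n".join([method, host, path, query])

def sign(params, secret_key):
    # HMAC-SHA256 over the exact bytes of the string to sign, base64-encoded.
    message = string_to_sign(params).encode("utf-8")
    mac = hmac.new(secret_key.encode("utf-8"), message, sha256)
    return b64encode(mac.digest()).decode("ascii")

def matches(params, secret_key, expected):
    # Constant-time comparison, the way a verifier should compare MACs.
    return hmac.compare_digest(sign(params, secret_key), expected)

if __name__ == "__main__":
    print(string_to_sign(PARAMS))
    print(sign(PARAMS, SECRET_KEY))
    changed = dict(PARAMS, AWSAccessKeyId="AKIAI44QH8DHBEXAMPLE")
    print(matches(changed, SECRET_KEY, DOCUMENTED_SIGNATURE))
```

Any difference in the signed bytes, such as the newer `AKIAI44QH8DHBEXAMPLE` key id or a timestamp missing its trailing `Z`, produces a different signature, which is why the pasted example stopped matching the documented value.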

You might check out the Bottlenose library, https://github.com/dlo/bottlenose, I have found that it makes dealing with AWS Product API much more friendly.

Tim
  • Man, I was looking everywhere today for a wrapper for the API - I ended up just writing my own, and the only problem I was having was with the signature. Until I found the mysterious inconsistent change on the example page I thought that my signature creation was incorrect. Turns out that my real problem was that I forgot the "Z" on the end of the timestamp. – Devin Feb 25 '12 at 06:59