Hi, I am trying to connect to S3 with my ESP32 and I am using the Arduino SDK. I followed these two AWS documentation pages on how to properly make an HTTP GET request: Create a signed AWS API request and Signature Calculations for the Authorization Header.
I verified my SHA256 calculations with this online tool and my HMAC-SHA256 calcs with this tool.
This is the error message I get (I removed the StringToSignBytes and CanonicalRequestBytes):
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>AKIAZOKIXEXAMPLE</AWSAccessKeyId>
<StringToSign>
AWS4-HMAC-SHA256
20230310T134304Z
20230310/eu-central-1/s3/aws4_request
5263692f39c1379ed930dfd5c7ed75b40ba0619c7dc316bb7630152162a5d5ef
</StringToSign><SignatureProvided>
2b974103174d38e1946911813cd76aff7271f4ace1b75947b09c67487d2c39da
</SignatureProvided><StringToSignBytes></StringToSignBytes>
<CanonicalRequest>
GET
/firmware.bin
content-type:application/octet-stream
host:esp-data-exchange.s3.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20230310T134304Z
content-type;host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
According to this AWS site I have a
Canonicalization errors
If you incorrectly calculated the canonical request or the string to sign, the signature verification step performed by the service fails with the following error message:
The request signature we calculated does not match the signature you provided
The error response includes the canonical request and the string to sign that the service calculated. You can compare these strings with the strings that you calculated.
You can also verify that you didn’t send the request through a proxy that modifies the headers or the request.
Checking the content of the error message, especially the Canonical request and String to Sign of my request are identical (or did I miss something?), see them below.
Canonical request:
GET
/firmware.bin
content-type:application/octet-stream
host:esp-data-exchange.s3.amazonaws.com
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20230310T134304Z
content-type;host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
My string to sign:
AWS4-HMAC-SHA256
20230310T134304Z
20230310/eu-central-1/s3/aws4_request
5263692f39c1379ed930dfd5c7ed75b40ba0619c7dc316bb7630152162a5d5ef
Besides, the final signature, also present in the response, is also identical with my hash calculations, both are: 2b974103174d38e1946911813cd76aff7271f4ace1b75947b09c67487d2c39da
Has anyone an idea what could be wrong? Do I misinterpret the error code from AWS and it could be something else? Any help is appreciated.
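Added example, not part of the original post: a host-side reference for the one SigV4 step the error response does not echo, the signing-key derivation. `SignatureProvided` is the value the client sent, so a matching canonical request and string to sign leave the key chain (secret, date, region, service) as the place to compare. The secret is a constructed placeholder, and the hex-chaining variant is one possible mistake shown for contrast, an assumption and not something the post confirms.

```python
import hashlib
import hmac

# String to sign exactly as echoed in the error response on this page.
STRING_TO_SIGN = "\n".join([
    "AWS4-HMAC-SHA256",
    "20230310T134304Z",
    "20230310/eu-central-1/s3/aws4_request",
    "5263692f39c1379ed930dfd5c7ed75b40ba0619c7dc316bb7630152162a5d5ef",
])
PLACEHOLDER_SECRET = "EXAMPLE-SECRET-KEY-PLACEHOLDER"  # constructed, not a real key
# Hash of an empty body: the x-amz-content-sha256 value for a body-less GET.
EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key chain: each step's raw 32-byte digest keys the next HMAC."""
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")

def signing_key_hex_chained(secret: str, date: str, region: str, service: str) -> bytes:
    """Deliberately wrong: passes the hex text of each digest on as the next key."""
    key = ("AWS4" + secret).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = hmac_sha256(key, part).hex().encode("ascii")
    return bytes.fromhex(key.decode("ascii"))

def sign(key: bytes, string_to_sign: str = STRING_TO_SIGN) -> str:
    return hmac_sha256(key, string_to_sign).hex()

def scope_from(string_to_sign: str):
    """Return (date, region, service) from the credential-scope line."""
    date, region, service, terminator = string_to_sign.split("\n")[2].split("/")
    if terminator != "aws4_request":
        raise ValueError("unexpected credential scope terminator")
    return date, region, service

if __name__ == "__main__":
    date, region, service = scope_from(STRING_TO_SIGN)
    good = sign(signing_key(PLACEHOLDER_SECRET, date, region, service))
    bad = sign(signing_key_hex_chained(PLACEHOLDER_SECRET, date, region, service))
    print("raw-byte chain:", good)
    print("hex-text chain:", bad)
```

Running the same derivation on a workstation with the real secret and comparing each intermediate key against the device's output shows at which step the two diverge.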