How to Create a URL Request for Amazon SQS

I am about to write a program that can send and read messages from SQS using authentication, and I read the doc here (link: Request Request Authentication).

I have successfully written a process that sends a message to a specified queue following the doc, but I always get a 403 error when I try to get a message from the queue. I also found that the signature line rules are different for the POST and GET methods.

signature line:

GET\n
sqs.us-east-1.amazonaws.com\n
/<My Account Id>/<Queue Name>\n
AWSAccessKeyId=<My Access Key>
&Action=ReceiveMessage
&MaxNumberOfMessages=10
&VisibilityTimeout=600
&AttributeName=All
&Expires=2012-04-01T11%3A29%3A24Z
&SignatureMethod=HmacSHA1
&SignatureVersion=2
&Version=2011-10-01

      

and url

https://sqs.us-east-1.amazonaws.com/<My Account Id>/<Queue Name>?
Action=ReceiveMessage
&MaxNumberOfMessages=10
&VisibilityTimeout=600&AttributeName=All
&Version=2011-10-01
&Expires=2012-04-01T11%3A29%3A24Z
&Signature=<BASE64 encoded HmacSHA1 digest with signature string and my security key>
&SignatureVersion=2
&SignatureMethod=HmacSHA1
&AWSAccessKeyId=<My Access Key>

      

And I always get 403 forbidden error:

<ErrorResponse xmlns="http://queue.amazonaws.com/doc/2011-10-01/">
  <Error>
    <Type>Sender</Type> 
    <Code>SignatureDoesNotMatch</Code>
    <Message>
      The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
    </Message>
    <Detail/>
  </Error>
  <RequestId>16f6e910-62e6-4259-8c09-0358b84cbe60</RequestId>
</ErrorResponse>

      

Can anyone tell me how I can handle it? Many thanks

+3




2 answers


The error message tells you that the signature is calculated incorrectly. This is very difficult to debug. I spent several hours on this the first time I tried it. There's an example signed SQS request at http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/MakingRequests_MakingQueryRequestsArticle.html . You have to put these parameters in your program, compute the signature, and look for errors until your program creates the same signature.

Specific problems I had and fixes for them:



  • Correct sorting of query parameters. They must be in ascending order when creating the signature line. Your example URL doesn't look OK. Did you sort them differently when creating the signature line?
  • Correct URI encoding. Each parameter must be encoded in string encoding. Your sample URL has URI encoding, so this is probably not your problem. But make sure you are not double-encoding.
  • Base64 signature padding. At least some AWS services insist that the signature length be a multiple of four characters. Two thirds of the time the base64 encoding is too short and one or two equals signs need to be added. Most base64 encoding libraries do this for you, but not all.

Of course, the easiest way is to use someone else's library to make queries, but what good is it? Good luck debugging this.

+2




Most likely the order of the parameters: when assembling the version 2 signature line in the last step, the Amazon documentation states:

Add the query string components (name-value pairs, not including the leading question mark (?)) as UTF-8 characters, which are URL encoded per RFC 3986 (hexadecimal characters must be uppercase) and sorted using lexicographic byte order. Lexicographic byte order is case sensitive.



I spent two days debugging this same "SignatureDoesNotMatch" issue, checking my HMAC, Base64 and URL encoding routines, and it was just a parameter ordering issue.

The documentation should emphasize this issue even more; if you are using unordered parameter strings (like the same one in the request url as in the documentation examples) you will get this unintuitive error from the server.

+1
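Added example, not part of either answer or of Amazon's documentation: the Signature Version 2 steps both answers point at (byte-order sorting, single RFC 3986 encoding, padded Base64), applied to the question's ReceiveMessage parameters. The secret key, access key, account id and queue name are constructed placeholders, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values; replace with your own key, account id and queue.
SECRET_KEY = "constructed-secret-key"
HOST = "sqs.us-east-1.amazonaws.com"
PATH = "/123456789012/demo-queue"
PARAMS = {  # raw, unencoded values, deliberately in the question's unsorted order
    "AWSAccessKeyId": "AKIDEXAMPLE",
    "Action": "ReceiveMessage",
    "MaxNumberOfMessages": "10",
    "VisibilityTimeout": "600",
    "AttributeName": "All",
    "Expires": "2012-04-01T11:29:24Z",
    "SignatureMethod": "HmacSHA1",
    "SignatureVersion": "2",
    "Version": "2011-10-01",
}

def rfc3986(value):
    # Only A-Z a-z 0-9 - _ . ~ stay literal; quote() emits uppercase hex digits.
    return quote(str(value), safe="-_.~")

def canonical_query(params):
    # Sort by the UTF-8 bytes of the name (case sensitive), then encode each part once.
    ordered = sorted(params.items(), key=lambda kv: kv[0].encode("utf-8"))
    return "&".join(f"{rfc3986(k)}={rfc3986(v)}" for k, v in ordered)

def string_to_sign(method, host, path, params):
    return "\n".join([method.upper(), host.lower(), path or "/", canonical_query(params)])

def signature(secret_key, method, host, path, params):
    msg = string_to_sign(method, host, path, params).encode("utf-8")
    digest = hmac.new(secret_key.encode("utf-8"), msg, hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")  # b64encode always pads with '='

def signed_url(secret_key, method, host, path, params):
    sig = signature(secret_key, method, host, path, params)
    # The signature itself is percent-encoded once ('+', '/' and '=' are not safe).
    return f"https://{host}{path}?{canonical_query(params)}&Signature={rfc3986(sig)}"

if __name__ == "__main__":
    print(string_to_sign("GET", HOST, PATH, PARAMS))
    print(signed_url(SECRET_KEY, "GET", HOST, PATH, PARAMS))
```

Printing the string to sign and comparing it line by line with what your own program hashes is the quickest way to see which of the three problems applies.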

