connection header needs to be excluded in sigv4a/sigv4 #2594

shulin-sq · 2024-04-02T23:54:07Z

shulin-sq
Apr 2, 2024

Acknowledgements

I have searched (https://github.com/aws/aws-sdk/issues?q=is%3Aissue) for past instances of this issue
I have verified all of my SDK modules are up-to-date (you can perform a bulk update with go get -u github.com/aws/aws-sdk-go-v2/...)

Describe the bug

while using the sigv4a library (based on 9805a19) we were getting "IncompleteSignatureException: 'connection' is named as a SignedHeader, but it does not exist in the HTTP request." despite connection header being part of the http request.

Expected Behavior

for the signature to be accepted. I'm also curious why excluding the connection header as part of the signature seems to work?

Current Behavior

"IncompleteSignatureException: 'connection' is named as a SignedHeader, but it does not exist in the HTTP request."

Reproduction Steps

2024/04/02 23:05:22 [post-signing] Translated URL: REDACTED
2024/04/02 23:05:22 [post-signing] Translated Header: map[Accept:[*/*] Authorization:[AWS4-ECDSA-P256-SHA256 Credential=REDACTED/20240402/vpc-lattice-svcs/aws4_request, SignedHeaders=accept;connection;host;x-amz-content-sha256;x-amz-date;x-amz-region-set;x-amz-security-token;REDACTED, Signature=REDACTED] Connection:[Keep-Alive] User-Agent:[curl/7.29.0] X-Amz-Content-Sha256:[UNSIGNED-PAYLOAD] X-Amz-Date:[20240402T230522Z] X-Amz-Region-Set:[*] X-Amz-Security-Token:REDACTED] REDACTED]

as per this example connection is part of SignedHeaders and is part of the http request

Possible Solution

I noticed in the java sdk, connection is added as an ignored header https://github.com/aws/aws-sdk-java-v2/blob/dc695de6ab49ad03934e1b02e7263abbd2354be0/core/auth/src/main/java/software/amazon/awssdk/auth/signer/internal/AbstractAws4Signer.java#L59 adding it to this list

aws-sdk-go-v2/aws/signer/internal/v4/headers.go

Line 7 in 50d16cf

"Authorization": struct{}{},

seemed to resolve the issue. However I'd like to know more about why this header needs to be ignored.

Additional Information/Context

No response

AWS Go SDK V2 Module Versions Used

we're using an internal copy of 9805a19 where the sigv4a library is not in an internal package

Compiler and Version used

go 1.21.5

Operating System and version

Oracle Linux 8

Answered by lucix-aws

Sep 26, 2024

#2812

View full answer

shulin-sq · 2024-04-12T03:26:51Z

shulin-sq
Apr 12, 2024
Author

This ended up working for us, I submitted a PR to also contribute the fix upstream: #2606

0 replies

lucix-aws · 2024-09-26T21:30:43Z

lucix-aws
Sep 26, 2024
Maintainer

#2812

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

connection header needs to be excluded in sigv4a/sigv4 #2594

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Select a reply

connection header needs to be excluded in sigv4a/sigv4 #2594

shulin-sq Apr 2, 2024

Acknowledgements

Describe the bug

Expected Behavior

Current Behavior

Reproduction Steps

Possible Solution

Additional Information/Context

AWS Go SDK V2 Module Versions Used

Compiler and Version used

Operating System and version

Replies: 2 comments

shulin-sq Apr 12, 2024 Author

lucix-aws Sep 26, 2024 Maintainer

shulin-sq
Apr 2, 2024

shulin-sq
Apr 12, 2024
Author

lucix-aws
Sep 26, 2024
Maintainer