RDSClient::GenerateConnectAuthToken returns incorrect token

[Bu11etmagnet]

Calling RDSClient::GenerateConnectAuthToken and passing the result as the password to mysql_real_connect() results in Failed to connect to DB: Access denied for user TheUser. Calling popen("aws rds generate-db-auth-token --hostname ... --port 8080 --region ... -- username ...") and passing the output as the password to mysql_real_connect() succeeds.

This is probably the same as #861

What platform/OS are you using?

Ubuntu 17.10

What compiler are you using? what version?

clang version 7.0.0 (trunk 330183)

What's your CMake arguments?

Can you provide a TRACE level log? (sanitize any sensitive information)

Debug level only:

C++ SDK - Calling Aws::RDS::RDSClient::GenerateConnectAuthToken directly

[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Canonical Header String: host:ye-olde-cluster.us-west-2.rds.amazonaws.com

[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Signed Headers value: host
[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Canonical Request String: GET
/
Action=connect&DBUser=TheUser&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIAKIAIAKIAIAKIAI%2F20180508%2Fus-west-2%2Frds-db%2Faws4_request&X-Amz-Date=20180508T075720Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host
host:ye-olde-cluster.us-west-2.rds.amazonaws.com

host
UNSIGNED-PAYLOAD
[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Final String to sign: AWS4-HMAC-SHA256
20180508T075720Z
20180508/us-west-2/rds/aws4_request
54905ff6eb2f8305fd07a01305a62392b8eb85415a010e7b8256e897e0b278e8

C++ SDK - Code of RDSClient::GenerateConnectAuthToken modified for 900 seconds expiration; it calls Aws::Client::GeneratePresignedUrl

[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Canonical Header String: host:ye-olde-cluster.us-west-2.rds.amazonaws.com

[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Signed Headers value: host
[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Canonical Request String: GET
/
Action=connect&DBUser=TheUser&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIAKIAIAKIAIAKIAI%2F20180508%2Fus-west-2%2Frds-db%2Faws4_request&X-Amz-Date=20180508T075720Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host
host:ye-olde-cluster.us-west-2.rds.amazonaws.com

host
UNSIGNED-PAYLOAD
[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Final String to sign: AWS4-HMAC-SHA256
20180508T075720Z
20180508/us-west-2/rds/aws4_request
0c31fd6b170e7802d1d63993814eb4708133cd6d4c469e6826bc2440858cfcaa

AWS CLI (written in Python, using boto)
aws --debug rds generate-db-auth-token --hostname ... --port 8080 --username TheUser --region us-west-2

2018-05-08 09:57:20,575 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
GET
/
Action=connect&DBUser=TheUser&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIAKIAIAKIAIAKIAI%2F20180508%2Fus-west-2%2Frds-db%2Faws4_request&X-Amz-Date=20180508T075720Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host
host:ye-olde-cluster.us-west-2.rds.amazonaws.com:8080

host
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2018-05-08 09:57:20,575 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20180508T075720Z
20180508/us-west-2/rds-db/aws4_request
f91f865c30fc85134f7c71568f95ac3ee40c85ca828610f083fcf81146ba22c0
2018-05-08 09:57:20,575 - MainThread - botocore.auth - DEBUG - Signature:
cb645218d40e526858ba36dff43d9d12e85106a07c5391aac835f201bcb3377a

The AWS CLI (using boto) puts the port number into the canonical request. The C++ SDK does not. This may be caused by StandardHttpRequest::StandardHttpRequest in aws-cpp-sdk-core/source/http/standard/StandardHttpRequest.cpp:33

    SetHeaderValue(HOST_HEADER, uri.GetAuthority());

[MCox-cat]

The AWS Docs provide the method to create the signed token manually:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.Connecting.Java.html (See CreateRDSAuthTokenManually)

The "canonical string" using that method (with a slight fix for the date format) looks like this:

Action=connect&DBUser=michael&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAAKIAAKIAAKIAAKIA%2F20180505%2Feu-west-1%2Frds-db%2Faws4_request&X-Amz-Date=20180505T150137&X-Amz-Expires=899&X-Amz-SignedHeaders=host host:blah.eu-west-1.rds.amazonaws.com:3306

So does include the port.

(BTW the manual method does produce a valid token - with the date fix caveat)

[Bu11etmagnet]

What date fix?

[MCox-cat]

The Java CreateRDSAuthTokenManually creates a date string that looks like this 20180420T0859+0000. I chopped off the +0000 and it then worked.

Doesn't help much with the C++ case, but helps to verify my other issue (some credentials don't work)

[Bu11etmagnet]

C++ SDK string to sign contains:
20180508/us-west-2/rds/aws4_request

AWS CLI string to sign contains
20180508/us-west-2/rds-db/aws4_request

[marcomagdy]

Looking into this issue now.

[marcomagdy]

I found more than one problem. I fixed them and was able to generate a working token.
Summary:

1. The service name is defined as rds rather than rds-db in the RDSClient
2. As @Bu11etmagnet also noted, the port is missing from the host name
3. The SIGv4 algorithm for calculating pre-signed URLs appends the literal UNSIGNED-PAYLOAD rather than the SHA256 of an empty string (since there's no body to this request)
4. The maximum expiration for the authentication token is 15 minutes (900 seconds) but we were setting it for 60 minutes (3600 seconds)

[MCox-cat]

Sounds good.
How and when will this fix be distributed?

[marcomagdy]

Give us a couple of days. I'll update this issue when we release it.

[Bu11etmagnet]

Yay! I'll be able to throw away my local hacks:

diff --git a/aws-cpp-sdk-core/source/auth/AWSAuthSigner.cpp b/aws-cpp-sdk-core/source/auth/AWSAuthSigner.cpp
index 888ee9ef7f..9863250b28 100644
--- a/aws-cpp-sdk-core/source/auth/AWSAuthSigner.cpp
+++ b/aws-cpp-sdk-core/source/auth/AWSAuthSigner.cpp
@@ -32,6 +32,7 @@
 #include <iomanip>
 #include <math.h>
 #include <string.h>
+#include <string>
 
 using namespace Aws;
 using namespace Aws::Client;
@@ -328,7 +329,7 @@ bool AWSAuthV4Signer::PresignRequest(Aws::Http::HttpRequest& request, const char
     Aws::String dateQueryValue = now.ToGmtString(LONG_DATE_FORMAT_STR);
     request.AddQueryStringParameter(Http::AWS_DATE_HEADER, dateQueryValue);
 
-    request.SetHeaderValue(Http::HOST_HEADER, request.GetHeaderValue(Http::HOST_HEADER));
+    request.SetHeaderValue(Http::HOST_HEADER, request.GetHeaderValue(Http::HOST_HEADER) + ':' + std::to_string(request.GetUri().GetPort()));
 
     Aws::StringStream headersStream;
     Aws::StringStream signedHeadersStream;
@@ -372,7 +373,7 @@ bool AWSAuthV4Signer::PresignRequest(Aws::Http::HttpRequest& request, const char
     canonicalRequestString.append(NEWLINE);
     canonicalRequestString.append(signedHeadersValue);
     canonicalRequestString.append(NEWLINE);
-    canonicalRequestString.append(UNSIGNED_PAYLOAD);
+    canonicalRequestString.append(EMPTY_STRING_SHA256);
     AWS_LOGSTREAM_DEBUG(v4LogTag, "Canonical Request String: " << canonicalRequestString);
 
     //now compute sha256 on that request string
diff --git a/aws-cpp-sdk-rds/source/RDSClient.cpp b/aws-cpp-sdk-rds/source/RDSClient.cpp
index 966c73b680..9feb63e198 100644
--- a/aws-cpp-sdk-rds/source/RDSClient.cpp
+++ b/aws-cpp-sdk-rds/source/RDSClient.cpp
@@ -128,7 +128,7 @@ using namespace Aws::Http;
 using namespace Aws::Utils::Xml;
 
 
-static const char* SERVICE_NAME = "rds";
+static const char* SERVICE_NAME = "rds-db";
 static const char* ALLOCATION_TAG = "RDSClient";
 
 

[marcomagdy]

This has been fixed in v1.4.49.
Reopen if you’re still having issues.

[Bu11etmagnet]

Confirmed working with 1.4.49 :)

[MCox-cat]

@JonathanHenson Will 1.4.49 be pushed to nuget (Windows)?