
RDSClient::GenerateConnectAuthToken returns incorrect token #868

Closed
@Bu11etmagnet

Description


Calling RDSClient::GenerateConnectAuthToken and passing the result as the password to mysql_real_connect() results in "Failed to connect to DB: Access denied for user TheUser". Calling popen("aws rds generate-db-auth-token --hostname ... --port 8080 --region ... --username ...") and passing the output as the password to mysql_real_connect() succeeds.

This is probably the same as #861

What platform/OS are you using?

Ubuntu 17.10

What compiler are you using? what version?

clang version 7.0.0 (trunk 330183)

What are your CMake arguments?

Can you provide a TRACE level log? (sanitize any sensitive information)

Debug level only:

C++ SDK - Calling Aws::RDS::RDSClient::GenerateConnectAuthToken directly

[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Canonical Header String: host:ye-olde-cluster.us-west-2.rds.amazonaws.com

[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Signed Headers value: host
[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Canonical Request String: GET
/
Action=connect&DBUser=TheUser&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIAKIAIAKIAIAKIAI%2F20180508%2Fus-west-2%2Frds-db%2Faws4_request&X-Amz-Date=20180508T075720Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host
host:ye-olde-cluster.us-west-2.rds.amazonaws.com

host
UNSIGNED-PAYLOAD
[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Final String to sign: AWS4-HMAC-SHA256
20180508T075720Z
20180508/us-west-2/rds/aws4_request
54905ff6eb2f8305fd07a01305a62392b8eb85415a010e7b8256e897e0b278e8

C++ SDK - Code of RDSClient::GenerateConnectAuthToken modified for 900 seconds expiration; it calls Aws::Client::GeneratePresignedUrl

[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Canonical Header String: host:ye-olde-cluster.us-west-2.rds.amazonaws.com

[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Signed Headers value: host
[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Canonical Request String: GET
/
Action=connect&DBUser=TheUser&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIAKIAIAKIAIAKIAI%2F20180508%2Fus-west-2%2Frds-db%2Faws4_request&X-Amz-Date=20180508T075720Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host
host:ye-olde-cluster.us-west-2.rds.amazonaws.com

host
UNSIGNED-PAYLOAD
[DEBUG] 2018-05-08 09:57:20 AWSAuthV4Signer [140654804961792] Final String to sign: AWS4-HMAC-SHA256
20180508T075720Z
20180508/us-west-2/rds/aws4_request
0c31fd6b170e7802d1d63993814eb4708133cd6d4c469e6826bc2440858cfcaa

AWS CLI (written in Python, using boto)
aws --debug rds generate-db-auth-token --hostname ... --port 8080 --username TheUser --region us-west-2

2018-05-08 09:57:20,575 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
GET
/
Action=connect&DBUser=TheUser&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIAKIAIAKIAIAKIAI%2F20180508%2Fus-west-2%2Frds-db%2Faws4_request&X-Amz-Date=20180508T075720Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host
host:ye-olde-cluster.us-west-2.rds.amazonaws.com:8080

host
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2018-05-08 09:57:20,575 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20180508T075720Z
20180508/us-west-2/rds-db/aws4_request
f91f865c30fc85134f7c71568f95ac3ee40c85ca828610f083fcf81146ba22c0
2018-05-08 09:57:20,575 - MainThread - botocore.auth - DEBUG - Signature:
cb645218d40e526858ba36dff43d9d12e85106a07c5391aac835f201bcb3377a

The AWS CLI (using boto) puts the port number into the canonical request. The C++ SDK does not. This may be caused by StandardHttpRequest::StandardHttpRequest in aws-cpp-sdk-core/source/http/standard/StandardHttpRequest.cpp:33

    SetHeaderValue(HOST_HEADER, uri.GetAuthority());
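The logs above show three canonical-request inputs that differ between the two signers: the host header (host:port in the CLI log, host only in the C++ SDK log), the payload-hash line (the SHA-256 of an empty body in the CLI log, UNSIGNED-PAYLOAD in the C++ SDK log), and the credential scope in the string to sign (rds-db in the CLI log, rds in the C++ SDK log while its query string still says rds-db). Any one of these changes the canonical request hash, and therefore the signature; the endpoint recomputes the signature from what it receives and reports only "Access denied". The following is an added example, not aws-sdk-cpp or botocore code, that presigns an RDS IAM auth token the way the CLI log does and lets you drop the port from the host header to reproduce the C++ SDK's canonical request and watch the signature change. The access key id mirrors the placeholder in the log and the secret key is constructed, so the signature itself cannot be checked against the log; the first six lines of the canonical request and the string-to-sign scope line can.

```python
# Added example (not aws-sdk-cpp or botocore code): a minimal SigV4 presigner that
# reproduces the shape of the RDS IAM auth token shown in the logs above.
# Credentials are constructed; the access key id mirrors the placeholder in the log.
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY = "AKIAIAKIAIAKIAIAKIAI"                # placeholder, as in the log
SECRET_KEY = "constructed-secret-not-a-real-key"   # constructed, not a real secret
HOST = "ye-olde-cluster.us-west-2.rds.amazonaws.com"
PORT = 8080
REGION = "us-west-2"
USER = "TheUser"
AMZ_DATE = "20180508T075720Z"                      # the timestamp from the log

# SHA-256 of an empty body; botocore puts this on the last line of the canonical request.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def canonical_query(params: dict) -> str:
    """URI-encode names and values (RFC 3986 unreserved set kept) and sort by name."""
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))


def canonical_request(host: str, port: int, query: str, include_port: bool) -> str:
    """GET / query / canonical headers / signed headers / payload hash.

    include_port=True builds the host header the way the CLI log shows (host:port);
    include_port=False builds it the way the C++ SDK log shows (host only).
    """
    authority = f"{host}:{port}" if include_port else host
    canonical_headers = f"host:{authority}\n"   # every canonical header line ends with \n
    return "\n".join(["GET", "/", query, canonical_headers, "host", EMPTY_SHA256])


def generate_db_auth_token(host, port, user, region, access_key, secret_key,
                           amz_date, expires=900, include_port=True, service="rds-db"):
    """Return (token, canonical_request, string_to_sign) for an RDS IAM auth token."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    params = {
        "Action": "connect",
        "DBUser": user,
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = canonical_query(params)
    creq = canonical_request(host, port, query, include_port)
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(creq.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    # The token is the presigned URL without the scheme; it is passed as the DB password.
    token = f"{host}:{port}/?{query}&X-Amz-Signature={signature}"
    return token, creq, string_to_sign


def differing_lines(a: str, b: str) -> list:
    """Indices of lines that differ between two canonical requests (for diagnosis)."""
    la, lb = a.split("\n"), b.split("\n")
    common = [i for i, (x, y) in enumerate(zip(la, lb)) if x != y]
    return common + list(range(min(len(la), len(lb)), max(len(la), len(lb))))


if __name__ == "__main__":
    with_port = generate_db_auth_token(HOST, PORT, USER, REGION, ACCESS_KEY, SECRET_KEY, AMZ_DATE)
    no_port = generate_db_auth_token(HOST, PORT, USER, REGION, ACCESS_KEY, SECRET_KEY, AMZ_DATE,
                                     include_port=False)
    print("canonical request (CLI style):\n" + with_port[1])
    print("\nlines that differ when the port is dropped:", differing_lines(with_port[1], no_port[1]))
    print("\nsignatures differ:", with_port[0].rsplit("=", 1)[1] != no_port[0].rsplit("=", 1)[1])
    print("\ntoken:", with_port[0])
```

Running it with the page's parameters prints a canonical request whose method, path, query, host header, blank line and signed-headers lines match the CLI log above byte for byte; only the fourth line (index 3, the host header) changes when include_port=False, yet the resulting signature is completely different. To check a real token, compare the token you get from your own signer with `aws --debug rds generate-db-auth-token` output line by line at the canonical-request stage, as the reporter did, rather than at the signature stage.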

Labels: bug (This issue is a bug.)