我已经实现了一个非常基本的CustomResource,我通过SNS收到通知给HTTPS用户没有任何问题。如果我使用CustomResource通知发送ResponseURL并尝试使用SUCCESS响应进行响应,我会使用带有SignatureDoesNotMatch错误代码的预签名URL继续从AWS获得403-FORBIDDEN响应。
通过我的所有研究和审查aws-cfn-resource-bridge,有两件事情都很突出。
这是我的要求
PUT https://cloudformation-custom-resource-response-useast1.s3.amazonaws.com/arn%3Aaws%3Acloudformation%3Aus-east-1%3A741849072915%3Astack/scott-test/7181a360-50cc-11e5-8aae-5001b491380a%7CCloudFlareDNSRegistration%7C047ca252-bf0e-4fa7-a7ac-be97fc897095?AWSAccessKeyId=REMOVED&Expires=1441240852&Signature=yzmop7aF5TxOFjAG%2F7TvTpoZDS0%3D
Content-Type:
Content-Length: 305
{"Status":"SUCCESS","PhysicalResourceId":"scott-test- CloudFlareDNSRegistration-1KQIGCB3BP1AW","StackId":"arn:aws:cloudformation:us-east-1:741849072915:stack/scott-test/7181a360-50cc-11e5-8aae-5001b491380a","RequestId":"047ca252-bf0e-4fa7-a7ac-be97fc897095","LogicalResourceId":"CloudFlareDNSRegistration"}
我得到的回应:
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>REMOVED</AWSAccessKeyId><StringToSign>PUT
1441240852
/cloudformation-custom-resource-response-useast1/arn%253Aaws%253Acloudformation%253Aus-east-1%253A741849072915%253Astack/scott-test/7181a360-50cc-11e5-8aae-5001b491380a%257CCloudFlareDNSRegistration%257C047ca252-bf0e-4fa7-a7ac-be97fc897095</StringToSign> <SignatureProvided>yzmop7aF5TxOFjAG%2F7TvTpoZDS0%3D</SignatureProvided> <StringToSignBytes>50 55 54 0a 0a 0a 31 34 34 31 32 34 30 38 35 32 0a 2f 63 6c 6f 75 64 66 6f 72 6d 61 74 69 6f 6e 2d 63 75 73 74 6f 6d 2d 72 65 73 6f 75 72 63 65 2d 72 65 73 70 6f 6e 73 65 2d 75 73 65 61 73 74 31 2f 61 72 6e 25 32 35 33 41 61 77 73 25 32 35 33 41 63 6c 6f 75 64 66 6f 72 6d 61 74 69 6f 6e 25 32 35 33 41 75 73 2d 65 61 73 74 2d 31 25 32 35 33 41 37 34 31 38 34 39 30 37 32 39 31 35 25 32 35 33 41 73 74 61 63 6b 2f 73 63 6f 74 74 2d 74 65 73 74 2f 37 31 38 31 61 33 36 30 2d 35 30 63 63 2d 31 31 65 35 2d 38 61 61 65 2d 35 30 30 31 62 34 39 31 33 38 30 61 25 32 35 37 43 43 6c 6f 75 64 46 6c 61 72 65 44 4e 53 52 65 67 69 73 74 72 61 74 69 6f 6e 25 32 35 37 43 30 34 37 63 61 32 35 32 2d 62 66 30 65 2d 34 66 61 37 2d 61 37 61 63 2d 62 65 39 37 66 63 38 39 37 30 39 35</StringToSignBytes><RequestId>EBFDA09E56D8313F</RequestId><HostId>MP66HkmQeXXH05wE2AQR4pWc99JFyCXJMfMSQk4xxbxSRj5qQJB7vAm7/dJH+rH4</HostId></Error>
我发现了各种问题,其中建议需要解码的路径(即在提出请求之前将%3A更改为:),我试着没有运气。我正在使用在ResponseURL字段中提供的URL,似乎我不应该改变它。
有什么想法吗?
答案 0 :(得分:-1)
通过反复试验,我能够获得匹配的签名。不幸的是,细节很长,但我最初的尝试是利用Spring的RestTemplate,我试图为AWS正确设置标头。我切换到一个直接的Http Components HttpClient方法,在那里我可以更好地控制实际的HTTP请求标头和正文。