Request signature error when going through a gateway (Akamai)

[paul-gardiner]

For company security reasons, I need to send my requests to AWS through Akamai, which forwards the request to aws. In this case, I'm using kinesis as a consumer, and am setting the AWS_ENDPOINT_URL_KINESIS variable to the Akamai endpoint that forwards on to https://kinesis.ca-central-1.amazonaws.com. The issue is that Akami changes the host header from the Akamai endpoint to the AWS endpoint, so the header signature fails, and I get this error message:

Caused by: software.amazon.awssdk.services.kinesis.model.KinesisException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details. (Service: Kinesis, Status Code: 400, Request ID: c18a1360-94ff-dd48-a19f-8ca09b11154b, Extended Request ID: iH/yX2iBn98stntP6R1kbGN6s9be6/Xowam3m49+0Tdb/V8Sd8E+CVRJWLpNTRf7xWKZQn6yfMRD7yhnMxJ5KhXysA63m7QW)

Is there a way to exclude the host parameter from the SignedHeaders list? Is there some other way to solve this issue, where requests are going through a gateway that changes the host header?

[paul-gardiner]

I figured out a way to do it, by changing the host to the origin value, signing the headers, and then putting the host back to the original value. It worked for kinesis, cloudwatch, and dynamodb.

@Slf4j
public class OriginAws4Signer extends BaseAsyncAws4Signer {

  public OriginAws4Signer(String origin) {
    this.origin = origin;
   }

  private String origin;
  public static final String HOST = "Host";

  @Override
  protected AsyncRequestBody transformRequestProvider(String s,
      Aws4SignerRequestParams aws4SignerRequestParams, Aws4SignerParams aws4SignerParams,
      AsyncRequestBody asyncRequestBody) {
    return asyncRequestBody;
  }

  @Override
  public SdkHttpFullRequest sign(SdkHttpFullRequest request,
      ExecutionAttributes executionAttributes) {
    if (origin == null || origin.isEmpty()) {
      log.trace("origin is not set. Not modifying signature.");
      return super.sign(request, executionAttributes);
    } else {
      log.trace("origin is set to {}. Modifying signature.", origin);
      String originalHost = request.host();
      SdkHttpFullRequest modifiedRequest = request
          .toBuilder()
          .host(origin)
          .build();
      SdkHttpFullRequest signedRequest = super.sign(modifiedRequest, executionAttributes);
      log.trace("Reverting host on http request to original value: {}", originalHost);
      return signedRequest
          .toBuilder()
          .removeHeader(HOST)
          .appendHeader(HOST, originalHost)
          .host(originalHost)
          .build();
    }
  }
}

Then add the signer to the client configuration. E.g.

@Bean
  public CloudWatchAsyncClient cloudWatchClient(
      StsAssumeRoleWithWebIdentityCredentialsProvider credentialsProvider) {

    return CloudWatchAsyncClient
        .builder()
        .httpClient(NettyNioAsyncHttpClient.builder().build())
        .overrideConfiguration(c -> c.putAdvancedOption(SdkAdvancedClientOption.SIGNER,
            new OriginAws4Signer(origin)))
        .credentialsProvider(credentialsProvider)
        .build();
  }