[racket] aws/glacier: credential scope

From: Norman Gray (norman at astro.gla.ac.uk)
Date: Sat Sep 27 16:14:55 EDT 2014

Greetings.

I'm trying to use the aws/glacier package, and running into a problem where I'm being told:

    Credential should be scoped to a valid region, not 'eu-west-1'

I'm following the instructions at <https://github.com/greghendershott/aws/blob/master/aws/manual.md>

My test code is:

    % cat glacier.rkt
    #lang racket/base
    
    (require aws/glacier
             aws/keys)
    
    (define vault "testvault")
    (region "eu-west-1")
    (read-keys "aws-zbu-credentials") ; local file
    
    (module+ main
      (printf "region=~a~%" (region))
      (printf "Vaults: ~s~%" (list-vaults))
      (printf "...specifically: ~s~%" (describe-vault vault)))

Running this produces:

    % racket glacier.rkt                
    region=eu-west-1
    aws: HTTP/1.1 403 Forbidden
    x-amzn-RequestId: Un3-L2zlaJBPyrIVKJrWuQcqtMMYQAr34gYUOSScg6Qepc4
    Content-Type: application/json
    Content-Length: 129
    Date: Sat, 27 Sep 2014 18:35:50 GMT
    
     {"message":"Credential should be scoped to a valid region, not 'eu-west-1'. ","code":"InvalidSignatureException","type":"Client"}
    HTTP 403 "Forbidden". AWS Code="InvalidSignatureException" Message="Credential should be scoped to a valid region, not 'eu-west-1'. "
      context...:
       check-response
       /Users/norman/Library/Racket/6.1/pkgs/aws/aws/glacier.rkt:97:22: temp68
       request/redirect/uri
       (submod /checkouts/me/code/zbu/glacier.rkt main): [running body]

Things I thought of:

  * Printing (public-key)/(private-key) indicates that the credentials are being read correctly.
  * When I change the argument of (region) to "us-west-1", that's the region that appears in the error message.
  * My "testvault" vault is in eu-west-1 (and this is indeed one of the valid regions for glacier, reported in <http://docs.aws.amazon.com/general/latest/gr/rande.html>, and which does have a host at http://glacier.eu-west-1.amazonaws.com).
  * As far as I can see, credentials are _not_ scoped, but are all at us-east-1.
  * <http://docs.aws.amazon.com/general/latest/gr/signature-v4-troubleshooting.html> says that "IAM [...] accepts only us-east-1 as its region specification", so I'm taking it that (region) is for setting the _vault_'s region.
  * I'm not a great AWS expert, so I could have something in my setup broken; but if so, I've no clue what.

If, however, I change the (region) argument to "us-east-1", I get a different error message: "User: arn:aws:iam::786725553169:user/zbu is not authorized to perform: glacier:ListVaults on resource: arn:aws:glacier:us-east-1:786725553169:vaults/". That makes sense, since there's no such vault, but it's interesting that it gets _further_ when the (region) matches the region for the IAM service.

I don't see any other (region) equivalents for the other services supported by the package. Is that because all of the other services supported by the package are supported by all the AWS regions, or am I missing a configuration?

Thanks for any pointers.

All the best,

Norman


-- 
Norman Gray  :  http://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK



Posted on the users mailing list.
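
The "credential scope" named in the error above is the `YYYYMMDD/region/service/aws4_request` string of AWS Signature Version 4, and the same region and service are mixed into the derived signing key. The following is an added example, not code from the post or from the aws package, and it does not diagnose the poster's setup: it builds the scope and key, then compares the region and service in an Authorization header's scope with those in the endpoint host name. It is written in Python rather than Racket; the key, date and header are constructed sample values, and `check_scope` and `sample_header` are hypothetical helper names.

```python
import hashlib
import hmac
import re

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def credential_scope(date: str, region: str, service: str) -> str:
    """SigV4 scope string: YYYYMMDD/region/service/aws4_request."""
    return f"{date}/{region}/{service}/aws4_request"

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key; region and service are mixed into it."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")

# Credential=<access key>/<date>/<region>/<service>/aws4_request
_CRED = re.compile(r"Credential=([^/,\s]+)/(\d{8})/([^/]+)/([^/]+)/aws4_request")
# Regional endpoint host names of the form service.region.amazonaws.com
_HOST = re.compile(r"^([a-z0-9-]+)\.([a-z0-9-]+)\.amazonaws\.com$")

def check_scope(authorization: str, host: str) -> list[str]:
    """Return mismatches between the header's scope and the endpoint host."""
    cred = _CRED.search(authorization)
    if cred is None:
        return ["no SigV4 Credential element in Authorization header"]
    scope_region, scope_service = cred.group(3, 4)
    m = _HOST.match(host.lower())
    if m is None:
        return [f"host {host!r} is not of the form service.region.amazonaws.com"]
    host_service, host_region = m.groups()
    problems = []
    if scope_region != host_region:
        problems.append(f"scope region {scope_region!r} != host region {host_region!r}")
    if scope_service != host_service:
        problems.append(f"scope service {scope_service!r} != host service {host_service!r}")
    return problems

# Constructed sample values (AWS documentation example secret, not a real credential).
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
DATE = "20140927"

def sample_header(region: str) -> str:
    cred = f"AKIDEXAMPLE/{credential_scope(DATE, region, 'glacier')}"
    return f"AWS4-HMAC-SHA256 Credential={cred}, SignedHeaders=host;x-amz-date, Signature=<elided>"

if __name__ == "__main__":
    for region in ("eu-west-1", "us-east-1"):
        print(region, check_scope(sample_header(region), "glacier.eu-west-1.amazonaws.com"))
```

Running the same comparison on the Authorization and Host headers of a real outgoing request shows whether the signer and the HTTP layer agree on the region.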