[racket] aws/glacier: credential scope

From: Greg Hendershott (greghendershott at gmail.com)
Date: Sun Sep 28 16:01:20 EDT 2014

Hi, Norman.

I logged an issue for this:

  https://github.com/greghendershott/aws/issues/32

I see the problem (or at least the main problem) and will push a fix.

The bug is embarrassing, not just because it's such a silly mistake,
but it's something a unit test could have caught. (I could say that
doing unit tests for Glacier is challenging, because the retrieval
process can take hours. Although that's true, I could have done more
to test _some_ operations working among various regions.)

On Sat, Sep 27, 2014 at 4:14 PM, Norman Gray <norman at astro.gla.ac.uk> wrote:
>
> Greetings.
>
> I'm trying to use the aws/glacier package, and running into a problem where I'm being told:
>
>     Credential should be scoped to a valid region, not 'eu-west-1'
>
> I'm following the instructions at <https://github.com/greghendershott/aws/blob/master/aws/manual.md>
>
> My test code is:
>
>     % cat glacier.rkt
>     #lang racket/base
>
>     (require aws/glacier
>              aws/keys)
>
>     (define vault "testvault")
>     (region "eu-west-1")
>     (read-keys "aws-zbu-credentials") ; local file
>
>     (module+ main
>       (printf "region=~a~%" (region))
>       (printf "Vaults: ~s~%" (list-vaults))
>       (printf "...specifically: ~s~%" (describe-vault vault)))
>
> Running this produces:
>
>     % racket glacier.rkt
>     region=eu-west-1
>     aws: HTTP/1.1 403 Forbidden
>     x-amzn-RequestId: Un3-L2zlaJBPyrIVKJrWuQcqtMMYQAr34gYUOSScg6Qepc4
>     Content-Type: application/json
>     Content-Length: 129
>     Date: Sat, 27 Sep 2014 18:35:50 GMT
>
>      {"message":"Credential should be scoped to a valid region, not 'eu-west-1'. ","code":"InvalidSignatureException","type":"Client"}
>     HTTP 403 "Forbidden". AWS Code="InvalidSignatureException" Message="Credential should be scoped to a valid region, not 'eu-west-1'. "
>       context...:
>        check-response
>        /Users/norman/Library/Racket/6.1/pkgs/aws/aws/glacier.rkt:97:22: temp68
>        request/redirect/uri
>        (submod /checkouts/me/code/zbu/glacier.rkt main): [running body]
>
> Things I thought of:
>
>   * Printing (public-key)/(private-key) indicates that the credentials are being read correctly.
>   * When I change the argument of (region) to "us-west-1", that's the region that appears in the error message.
>   * My "testvault" vault is in eu-west-1 (and this is indeed one of the valid regions for glacier, reported in <http://docs.aws.amazon.com/general/latest/gr/rande.html> and which does have a host at http://glacier.eu-west-1.amazonaws.com)
>   * As far as I can see, credentials are _not_ scoped, but are all at us-east-1.
>   * <http://docs.aws.amazon.com/general/latest/gr/signature-v4-troubleshooting.html> says that "IAM [...] accepts only us-east-1 as its region specification", so I'm taking it that (region) is for setting the _vault_'s region.
>   * I'm not a great AWS expert, so I could have something in my setup broken; but if so, I've no clue what.
>
> If, however, I change the (region) argument to "us-east-1", I get a different error message "User: arn:aws:iam::786725553169:user/zbu is not authorized to perform: glacier:ListVaults on resource: arn:aws:glacier:us-east-1:786725553169:vaults/"  That makes sense, since there's no such vault, but it's interesting that it gets _further_ when the (region) matches the region for the IAM service.
>
> I don't see any other (region) equivalents for the other services supported by the package.  Is that because all of the other services supported by the package are supported by all the AWS regions, or am I missing a configuration?
>
> Thanks for any pointers.
>
> All the best,
>
> Norman
>
>
> --
> Norman Gray  :  http://nxg.me.uk
> SUPA School of Physics and Astronomy, University of Glasgow, UK
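
Added example (not part of the original message, and not code from the aws package): the 403 above concerns the Signature Version 4 credential scope, `date/region/service/aws4_request`, which appears in the Authorization header and is also mixed into the signing key. This Python sketch uses constructed keys and a hypothetical `check_scope` helper to compare a request's scope with the service and region named by its endpoint host; it assumes hosts of the form `service.region.amazonaws.com`.

```python
import hashlib
import hmac
import re

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret, date, region, service) -> bytes:
    """SigV4 key derivation: date, region and service are all HMAC inputs."""
    k = _hmac(("AWS4" + secret).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k

def authorization(access_key, secret, date, region, service, string_to_sign):
    """Authorization header value for an already-built string to sign."""
    scope = f"{date}/{region}/{service}/aws4_request"
    sig = _hmac(signing_key(secret, date, region, service), string_to_sign).hex()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders=host;x-amz-date, Signature={sig}")

SCOPE_RE = re.compile(r"Credential=[^/,\s]+/(\d{8})/([^/,\s]+)/([^/,\s]+)/aws4_request")
HOST_RE = re.compile(r"([a-z0-9-]+)\.([a-z0-9-]+)\.amazonaws\.com")

def check_scope(host: str, header: str) -> list:
    """Return mismatches between the endpoint host and the credential scope."""
    scope = SCOPE_RE.search(header)
    if not scope:
        return ["no SigV4 credential scope in Authorization header"]
    ep = HOST_RE.fullmatch(host.lower())
    if not ep:
        return [f"cannot read service/region from host {host!r}"]
    _, region, service = scope.groups()
    problems = []
    if ep.group(1) != service:
        problems.append(f"scope service {service!r} != endpoint service {ep.group(1)!r}")
    if ep.group(2) != region:
        problems.append(f"scope region {region!r} != endpoint region {ep.group(2)!r}")
    return problems

# Constructed sample values: not real credentials, not a real canonical request.
ACCESS_KEY, SECRET = "AKIDEXAMPLE", "constructed-secret-key"
STRING_TO_SIGN = "constructed string to sign"

if __name__ == "__main__":
    hdr = authorization(ACCESS_KEY, SECRET, "20140927", "eu-west-1", "glacier", STRING_TO_SIGN)
    print(check_scope("glacier.eu-west-1.amazonaws.com", hdr))
    print(check_scope("glacier.us-east-1.amazonaws.com", hdr))
```

Running such a check on the outgoing request in a test, once per region, needs no archive retrieval and exercises only the signing path.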