pythonamazon-web-servicesaws-marketplace

"Credential should be scoped to a valid region" alexa top sites service from AWS


I am trying to reach alexa topsites service. Based on that i have copied the code from Alexa's documentation.

The code is below:

import sys, os, base64, datetime, hashlib, hmac 
import requests 



method = 'GET'
service = "AlexaTopSites"
host = "ats.amazonaws.com"
region = 'us-east-1'
endpoint = "ats.us-east-1.amazonaws.com"



request_parameters="Action=TopSites&Count=100&CountryCode=BR&ResponseGroup=Country&Start=301&Url=yahoo.com"




def sign(key, msg):
    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()

def getSignatureKey(key, dateStamp, regionName, serviceName):
    kDate = sign(('AWS4' + key).encode('utf-8'), dateStamp)
    kRegion = sign(kDate, regionName)
    kService = sign(kRegion, serviceName)
    kSigning = sign(kService, 'aws4_request')
    return kSigning


access_key = AWS_ACCESS_KEY_ID
secret_key = AWS_SECRET_KEY



t = datetime.datetime.utcnow()
amzdate = t.strftime('%Y%m%dT%H%M%SZ')
datestamp = t.strftime('%Y%m%d') # Date w/o time, used in credential scope



canonical_uri = '/' 
canonical_querystring = request_parameters
canonical_headers = 'host:' + host + '\n' + 'x-amz-date:' + amzdate + '\n'
signed_headers = 'host;x-amz-date'
payload_hash = hashlib.sha256(('').encode('utf-8')).hexdigest()
canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash



algorithm = 'AWS4-HMAC-SHA256'
credential_scope = datestamp + '/' + region + '/' + service + '/' + 'aws4_request'
string_to_sign = algorithm + '\n' +  amzdate + '\n' +  credential_scope + '\n' +  hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()


signing_key = getSignatureKey(secret_key, datestamp, region, service)


signature = hmac.new(signing_key, (string_to_sign).encode('utf-8'), hashlib.sha256).hexdigest()


authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' +  'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature

headers = {'Authorization':authorization_header,"Content-Type":"application/xml",'X-Amz-Date':amzdate, "Accept":"application/xml"}


url="https://ats.amazonaws.com/api"+"?"+request_parameters

r = requests.get(url, headers=headers)
r.text

Error message is below

<?xml version="1.0" ?>\n<aws:TopSitesResponse xmlns:aws="http://ats.amazonaws.com/doc/2005-10-05">\n  <aws:Response xmlns:aws="http://ats.amazonaws.com/doc/2005-07-11">\n    <aws:OperationRequest>\n      <aws:RequestId></aws:RequestId>\n    </aws:OperationRequest>\n    <aws:TopSitesResult>\n      <aws:Alexa>\n        <aws:Request>\n          <aws:Errors>\n            <aws:Error>\n              <aws:ErrorCode><![CDATA["Credential should be scoped to a valid region, not \'us-east-1\'. "]]></aws:ErrorCode>\n            </aws:Error>\n          </aws:Errors>\n        </aws:Request>\n      </aws:Alexa>\n    </aws:TopSitesResult>\n    <aws:ResponseStatus xmlns:aws="http://alexa.amazonaws.com/doc/2005-10-05/">\n      <aws:StatusCode>Error</aws:StatusCode>\n    </aws:ResponseStatus>\n  </aws:Response>\n</aws:TopSitesResponse>

The exact error code is below

<aws:ErrorCode><![CDATA["Credential should be scoped to a valid region, not \'us-east-1\'. "]]>

Actually i've removed IAM user and recreated many times as per the aws documentation but no joy. I believe that the region is correct. Though i have tried many different aws regions it didn't work for me .

I played with the parameters ( service = "blablalba", host="blablalba", endpoint = "blalbalba"), error response is always the same regardless of what parameters you pass to the arguements , the error is always the same.

method = 'GET'
service = "AlexaTopSites"
host = "ats.amazonaws.com"
region = 'us-east-1'
endpoint = "ats.us-east-1.amazonaws.com"

What only changes in the error code is the region part. If you put region = "hohoho" , i get the error response as

"Credential should be scoped to a valid region, not \'hohoho\'. "

PS: I am subscribed to TopSites service from AWS market place.


Solution

  • The endpoint URL needs to it's subdomain to match the region your credentials are located in. So if you have region = "us-east-1" you'll need to call ats.us-east-1.amazonaws.com as the base URL. If you need to change regions you can define the region variable and then use it to form the base endpoint variable url = f'https://ats.{region}.amazonaws.com' for ease of use.