aws-sdkamazon-cloudwatchaws-sdk-cpp

IncompleteSignature exception with CloudWatchClient::PutMetricData


Sending a request with CloudWatchClient::PutMetricData in the AWS C++ SDK results in an IncompleteSignature exception with the following details: Authorization header requires 'Signature' parameter. Authorization header requires 'SignedHeaders' parameter. (Hashed with SHA-256 and encoded with Base64) Authorization=<redacted>.

As a matter of fact, while debugging, I can see that the authorization header is of the form : AWS4-HMAC-SHA256 Credential=<AccessKeyId>/<YYYYMMDD>/<Region>.

I do not understand how to solve this issue. It really seems to be related to how the request is signed, which is an implementation detail I do not seem to have any direct control over. I can prove that the credentials are correct by comparing the result of aws configure list with the results of invoking InstanceProfileCredentialsProvider::GetAWSCredentials() and both are the same. I am able to successfully submit the same metric data using the command line in the same environment by leveraging the iam-role on my EC2 instance.

Any suggestions as to how this signature problem could be fixed?


Solution

  • After digging in the SDK's source code, I realized the signing code can never generate an authorization header that looks like the one I see. The only reason it can, is because there is a null terminator embedded inside the string, ending it prematurely. That null terminator was my own fault. When building the region string, I queried the EC2 IMDSv2 service to obtain the current region and I overwrote the availability-zone's character with a '\0' that ended up being copied into the authorization header.