
"Authorization header requires" error

Open carybriel opened this issue 5 years ago • 2 comments

Hello,

First, thank you for sharing this excellent module! The concept/functionality is a huge time saver.

Quick question. I'm seeing an error and can't seem to track down the reason.

I'm running your node component in MacOS Mojave terminal. Latest version. Just installed today.

Shell command executed (w/ credentials omitted):

cognitocurl --cognitoclient CLIENT_ID --userpool USER_POOL_ID --username USERNAME --password PASSWORD --run "curl -v https://search-readlog-5o7avh6rg363kgb5q6gbzmqjg4.us-east-1.es.amazonaws.com/_cat/indices?v"

The following is returned (via CURL verbose output). Note the error and the Authorization header that is sent. Wondering if you may have suggestions as to what I may be doing wrong/why this error may be occurring. Thanks!

Output:

{"message":"Authorization header requires 'Credential' parameter. Authorization header requires 'Signature' parameter. Authorization header requires 'SignedHeaders' parameter. Authorization header requires existence of either a 'X-Amz-Date' or a 'Date' header. Authorization=<JWT omitted>"}
*   Trying 52.55.91.199...
* TCP_NODELAY set
* Connected to search-readlog-5o7avh6rg363kgb5q6gbzmqjg4.us-east-1.es.amazonaws.com (52.55.91.199) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [274 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [98 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4852 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.us-east-1.es.amazonaws.com
*  start date: May 21 00:00:00 2020 GMT
*  expire date: Jun 21 12:00:00 2021 GMT
*  subjectAltName: host "search-readlog-5o7avh6rg363kgb5q6gbzmqjg4.us-east-1.es.amazonaws.com" matched cert's "*.us-east-1.es.amazonaws.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f8419804e00)
> GET /_cat/indices?v HTTP/2
> Host: search-readlog-5o7avh6rg363kgb5q6gbzmqjg4.us-east-1.es.amazonaws.com
> User-Agent: curl/7.54.0
> Accept: */*
> Authorization: <JWT omitted>
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 403 
< date: Sun, 27 Dec 2020 16:21:07 GMT
< content-type: application/json
< content-length: 1231
< x-amzn-requestid: 16687046-3e83-4e82-8812-0f17fd1fa457
< access-control-allow-origin: *
< 
{ [1231 bytes data]
* Connection #0 to host search-readlog-5o7avh6rg363kgb5q6gbzmqjg4.us-east-1.es.amazonaws.com left intact

carybriel, Dec 27 '20 16:12

Well, at first glance it looks like the endpoint you're calling is expecting IAM authorization, not Cognito (since the Authorization header seems not to be enough), so I would guess that something is wrong with the https://search-readlog-5o7avh6rg363kgb5q6gbzmqjg4.us-east-1.es.amazonaws.com/_cat/indices?v endpoint configuration. However, let's wait for more experienced people's opinion.

kevwargo, Dec 27 '20 18:12
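
Added example (not part of the thread, and not code from cognitocurl, cognito-agent or awscurl): the four checks listed in the 403 body above, applied to a bare JWT and to a SigV4-signed request, so the difference between user pool and IAM authorization is visible in the headers themselves. The host, access key, secret and token are constructed placeholders; the `es` service name, the pre-canonicalized query string `v=` and the function names are this example's assumptions.

```python
import hashlib
import hmac

ALGORITHM = "AWS4-HMAC-SHA256"

def missing_for_sigv4(headers):
    """List what a request lacks to count as SigV4-signed (the four checks in the 403 body)."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme, _, rest = h.get("authorization", "").partition(" ")
    params = {}
    if scheme == ALGORITHM:
        for part in rest.split(","):
            name, sep, value = part.strip().partition("=")
            if sep and value:
                params[name] = value
    missing = [n for n in ("Credential", "Signature", "SignedHeaders") if n not in params]
    if "x-amz-date" not in h and "date" not in h:
        missing.append("X-Amz-Date or Date")
    return missing

def _sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def sign_get(host, path, canonical_query, region, service, access_key, secret_key, amz_date):
    """Build SigV4 headers for a body-less GET, signing only host and x-amz-date."""
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    signed_headers = "host;x-amz-date"
    canonical_request = "\n".join([
        "GET", path, canonical_query,
        f"host:{host}\nx-amz-date:{amz_date}\n",
        signed_headers, _sha256_hex(""),         # last item: hash of the empty body
    ])
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(canonical_request)])
    key = ("AWS4" + secret_key).encode()
    for part in scope.split("/"):                # date, region, service, "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return {
        "Host": host, "X-Amz-Date": amz_date,
        "Authorization": f"{ALGORITHM} Credential={access_key}/{scope}, "
                         f"SignedHeaders={signed_headers}, Signature={signature}",
    }

# Constructed sample values: no real token, key or domain appears here.
BARE_JWT = {"Authorization": "eyJhbGciOiJSUzI1NiJ9.e30.c2ln"}  # bare token, as in the issue
SIGNED = sign_get("search-example.us-east-1.es.amazonaws.com", "/_cat/indices", "v=",
                  "us-east-1", "es", "AKIDEXAMPLE", "constructed-secret", "20201227T162107Z")
if __name__ == "__main__":
    print(missing_for_sigv4(BARE_JWT), missing_for_sigv4(SIGNED))
```
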

cognitocurl works great for testing endpoints that use userpool authorization. For testing endpoints with IAM authorization I wrote cognito-agent that I pair with awscurl.

tgardiner, Jul 31 '21 20:07