Sun, 01 Feb 09

Test Data for Version 2 of the Amazon Web Services Signing Protocol

This sort of data would have been incredibly handy when I was trying to implement the Amazon request signing functionality. It might be of use to anyone else that wants to implement it in another language.

I chose to test using the List domains method as it seemed fairly straightforward. These are request parameters I used (you’ll obviously need to use the exact same values when testing your implementation).

AWSAccessKeyId = access
Action = ListDomains
SignatureMethod = HmacSHA256
SignatureVersion = 2
Timestamp = 2009-02-01T12:53:20+00:00
Version = 2007-11-07

The following numbered steps correspond to the numbered steps in the Authenticating REST Requests part of the Amazon Simple DB developer guide.

1. We URL encode the above request parameters (the key value pairs) and sort them to generate this ‘canonicalized query string’.

AWSAccessKeyId=access&Action=ListDomains&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2009-02-01T12%3A53%3A20%2B00%3A00&Version=2007-11-07

2. We use this canonicalized query string within this string that we’re going to hash.

GET
sdb.amazonaws.com
/
AWSAccessKeyId=access&Action=ListDomains&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2009-02-01T12%3A53%3A20%2B00%3A00&Version=2007-11-07

3 and 4. We generate the following, base64 encoded, HMAC of the string above using the SHA256 hashing algorithm and a secret key of ‘secret’.

okj96/5ucWBSc1uR2zXVfm6mDHtgfNv657rRtt/aunQ=

5. We URL encode this signature and add it to the list of request parameters (note that the order of the request parameters doesn’t matter for the request itself).

Action=ListDomains&Signature=okj96%2F5ucWBSc1uR2zXVfm6mDHtgfNv657rRtt%2FaunQ%3D&Version=2007-11-07&AWSAccessKeyId=access&Timestamp=2009-02-01T12%3A53%3A20%2B00%3A00&SignatureVersion=2&SignatureMethod=HmacSHA256

Once you’re happy that you’ve implemented the request signing functionality correctly you can use your real security credentials (access and secret keys) and test using curl. Note that the HTTP method, sdb host (sdb.amazonaws.com) and path (/) must match those that were used in the string that we hashed.

curl -X"GET" "https://sdb.amazonaws.com/?Action=ListDomains&Signature=okj96%2F5ucWBSc1uR2zXVfm6mDHtgfNv657rRtt%2FaunQ%3D&Version=2007-11-07&AWSAccessKeyId=access&Timestamp=2009-02-01T12%3A53%3A20%2B00%3A00&SignatureVersion=2&SignatureMethod=HmacSHA256"

That should be it. It possibly would’ve made more sense to generate these as tests using test/unit so that you could easily convert them to the xunit tool of your choice before implementing your solution. Actually, what I believe would have made sense was for Amazon to release such a set of tests themselves.