I have a Blazor WebAssembly app (client side, not hosted), which I want to connect to an AWS kinesis video stream for live streaming. I am having problems setting up the streaming connection to AWS, as it fails with the exception message The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
I did a lot of experimenting and realized, that this is generic problem for me. Accessing any AWS service will give the same result. I have tried Kinesis, DynamoDB and SecretsManager. I am using .NET7 and AWS SDK Core version 3.7.105.12
I have set up an AWS user on the IAM with an access key / secret key, and added policies to the user for the specific access
The code for AWS secret manager, for example, are these few lines (implemented in a text Razor page, OnInitializedAsync method):
protected override async Task OnInitializedAsync()
{
var credentials = new BasicAWSCredentials("<ACCESSKEY>","<SECRETKEY");
var secretsClient = new AmazonSecretsManagerClient(credentials, RegionEndpoint.EUWest1);
var secretsRequest = new GetSecretValueRequest
{
SecretId = "<SECRETID>"
};
// This triggers the exception
var response = await secretsClient.GetSecretValueAsync(secretsRequest);
}
The async call, actually calling the AWS REST API (https://secretsmanager.eu-west-1.amazonaws.com/) causes the exception. I can see from network stats, that the REST service is called by the AWS SDK, and fails with a HTTP status code 400 (BadRequest), message: "The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details."
I have run the exact same code in a Consol application and WEB API, and here it works as expected, so the user / permission setup works fine
Is it not possible to call AWS services from Blazor WebAssembly?
One thing I considered trying was to construct the API call directly (and not use the AWS SDK). In case of CORS issues etc. I could setup an alias on AWS CloudFront to map a "local" REST API to AWS REST API, but not sure it would change anything.
Any ideas?
since you are 100% access key and secret are 100% correct, I can see only one other option.
The AWS Sigv4 algorithm used to calculate signatures takes date&time as a part of the payload. It's a common issue that signatures do not match if your local PC clock is out of sync. Make sure you synchronized your time with some NTP server. On Windows, you can follow method 2 of the first reply from this thread: https://answers.microsoft.com/en-us/windows/forum/all/how-to-force-windows-10-time-to-synch-with-a-time/20f3b546-af38-42fb-a2d0-d4df13cc8f43
However, I would also suggest that you should not share secrets like IAM keys in the code that will be delivered to your clients. Instead, I want to suggest you check out AWS Cognito, which can authenticate your users and authorize them to use your AWS resources by the assumption of temporary roles. This is a better solution in terms of security.