As per my comment under the Accepted Answer on this post:
Error message when calling Api Gateway with signature
I cannot figure out how to get the Session Token to use in C#.
I’ve gone through this tutorial – https://docs.aws.amazon.com/pinpoint/latest/developerguide/tutorials-using-postman-configuration.html
And it works perfectly in Postman. But the accepted answer on the SO Question fails due to authentication.
Somehow Postman is generating the session token for me to use. And I can’t see how it’s done in both the documentation and in the SO Accepted Answer.
If someone could show me how to get the token via C# and do a successful call to the API, that would be greatly appreciated.
Thanks in advance
3 Answers
The process explained through the Postman collections does not use a session token. It signs the request with the Access and Secret keys when consuming the endpoints.
This library should assist you in consuming the AWS services through HTTP APIs.
NuGet: Aws4RequestSigner
In case you do not want to use a 3rd party library, you can define your own implementation with this reference documentation.
In order to authenticate your request with Pinpoint APIs you need to pass an Authorization header which contains the accessKey, region, and serviceName variables you have set in Postman. If you inspect the Postman collections you have imported and navigate to "Headers" you can click to reveal hidden headers – there you can find which HTTP headers you actually pass with your request, so you can mimic that with your C# implementation.
How to do this in C#? Various ways. You simply need to create an HTTP Client with an Authorization header and pass the same value you see in Postman.
When you consider Signing AWS API requests, the process becomes much more elaborate: AWS uses temporary security credentials, consisting of an access key ID, a secret access key, and a security token, to enable applications to send authenticated requests on your behalf without sharing your long-term AWS security credentials. A session token is part of these temporary security credentials.
Session tokens are issued by the AWS Security Token Service (STS).
AWS STS is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).
When you make a call to AWS STS to assume a role or a federated user, AWS STS returns the temporary security credentials, which consist of the access key, secret key, and session token. These temporary security credentials are then used to sign the AWS API requests.
For instance, if you want to use temporary security credentials to sign an AWS API request:
You or your application calls the AssumeRole (for IAM users) or GetFederationToken (for federated users) operation of AWS STS. You include an IAM role ARN or federated user credentials in the API call.
AWS STS verifies the role or user credentials and returns temporary security credentials, which include an access key ID, a secret access key, and a session token.
You use these temporary security credentials (access key ID, secret access key, and session token) to sign subsequent AWS API requests.
AWS verifies the signature on the incoming request. If the signature is valid, and the session token is valid and has not expired, AWS allows the API call.
The API call is processed, and the result is returned to you or your application.
The AWS SDKs handle these steps automatically. When you use an AWS SDK to make requests, you specify the temporary security credentials (access key ID, secret access key, and session token), and the SDK uses them to sign the requests for you.
In the context of AWS Signature Version 4, the session token is included in the X-Amz-Security-Token header of the HTTP request. Note that the session token itself is not included in the signature calculation; it is sent in the X-Amz-Security-Token header as part of the HTTP request. This allows AWS to verify the temporary security credentials that you are using to make the request.
While using temporary security credentials is optional, in your case AWS session tokens are generated by making a request to the AWS Security Token Service (STS). This is typically done when you want to use temporary security credentials instead of the long-term credentials associated with an IAM user.
The steps to create a canonical request, create a string to sign, and calculate the signature are part of the process of signing the request to AWS services. These steps are generally performed after obtaining the temporary security credentials (including the session token) from AWS STS. Here is a general sequence of the steps:
Create a Canonical Request: This includes all the information that you want to send in your request, including the HTTP method, the URL path, the query string parameters, the headers, and the payload (or body) of the request. This information is represented in a specific format defined by AWS.
Create a String to Sign: This includes the hashed canonical request along with additional metadata, such as the algorithm you are using for signing (AWS4-HMAC-SHA256), the date and time of the request, and the service and region you are making the request to.
Calculate the Signature: This involves using your AWS secret access key to create a signing key, and then using that signing key to create a signature from the string to sign. The signature proves that the request is authentic and has not been tampered with.
This sequence ensures that your request to the AWS service is both authenticated (proves who you are) and authorized (proves you have permission to perform the requested operation).
After generating the signature, you include it in the Authorization header of your HTTP request, along with other necessary information such as your AWS access key ID and the headers that you included in the canonical request. If you are using temporary security credentials, you also include the session token in the X-Amz-Security-Token header.
As a rough example:
This example uses the AWS SDK for .NET (C#) and assumes that you have implemented the AWS Signature Version 4 process in the AWS4Signer class.
Also, this example uses your AWS root user access key and secret key to call AWS STS. In a production scenario, you should avoid using root user credentials. Instead, use the credentials of an IAM user that has the necessary permissions, or use AWS Identity and Access Management (IAM) roles if you are running your application on Amazon EC2, AWS Lambda, or other AWS services.
Do replace "Your AWS Access Key" and "Your AWS Secret Key" with your actual AWS access key and secret key, and replace "https://my-service-url" with the URL of the AWS service you want to call.
An example of AWS Signature Version 4 process implementation in the AWS4Signer class would be: