Question 183642 in Amazon Web Sevices Question posted in
The official Amazon Web Services documentation can be found here.

Amazon web services – Java code to connect AWS Open Search(elastic Search) but getting error "The request signature we calculated does not match the signature provided

I am trying find a way to connect to AWS Open Search but I’m getting the following error:

{"message":"The request signature we calculated does not match the signature you provided.  
Check your AWS Secret Access Key and signing method. Consult the service documentation  
for details.nnThe Canonical String for this request should have beenn 
'GETn/_searchnq=testnhost:exmple.comnx-amz-date:20230609T084831Znx-amz-security-token:SecurtyToken  
host;x-amz-date;x-amz-security-tokenne3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'  
The String-to-Sign should have beenn'AWS4-HMAC-SHA256n20230609T084831Z 
20230609/us-east-1/es/aws4_requestn3dee35f26978096c8c4abe9fb6ebb8aad9fd05bd78e13b1f480595e0f3f9aab2'"}`

So can someone help me and here host: example.com(AWS OpenSeach endpoint)

What am I missing? Below is my Java code:

public class OpenSearchExampleCurl {
    private static final String ENDPOINT = "endpoint";

    public static void main(String[] args) throws InterruptedException
    {
        ProcessBuilder vProcessBuilder = null;
        Process vProcess = null;
        
        //YOUR_SIGNATURE refers to the actual signature value that you need to compute using the AWS Signature Version 4 algorithm(SigV4).
        //It is not the secret key itself.To generate the signature, you need to follow the steps outlined in the code example. The getSignatureKey method computes the signing key using your AWS Secret Key. Then, the hmacSHA256 method is used to calculate the actual signature by passing the signing key and the string to sign as parameters.
        //Replace YOUR_SIGNATURE with the computed signature value. The signature should be a hexadecimal representation of the binary signature.

        try {
             String accessKey = "youraccessKey";
             String secretKey = "secretKey";
             String sessionToken = "yoursessionToken";
             String region = "us-east-1";
             String serviceName = "es";
             String httpMethod = "POST";
             
             //String accessKey = getAccessKeyFromConfig();
             //String secretKey = getSecretKeyFromConfig();
             //String sessionToken = getSessionTokenFromConfig();
             
             //String path = "/your-bucket-name";

             //generate the AWS Signature using the AWS Signature Version 4 algorithm and pass it in the Authorization header of an . 
             // Generate timestamp and headers
             String timestamp = getTimestamp();
             String date = timestamp.substring(0, 8);
             String amzDate = getFormattedTimestamp();

             // Generate the canonical request
             String canonicalRequest = null;
             try {
                 canonicalRequest = httpMethod + "n" + "/" + "n" +"host:" + ENDPOINT.substring(8) + "n" +
                         "x-amz-date:" + amzDate + "n" + "x-amz-security-token:" + sessionToken + "n" +
                         "n" + "host;x-amz-date;x-amz-security-token" + "n" + getPayloadHash("");
             } catch (Exception e) {
                 e.printStackTrace();
             }

             // Generate the string to sign
             String stringToSign = null;
             try {
                 stringToSign = "AWS4-HMAC-SHA256n" + amzDate + "n" + date + "/" + region + "/" 
                             + serviceName + "/aws4_requestn" + getHash(canonicalRequest);
             } catch (Exception e) {
                 e.printStackTrace();
             }

             // Generate the signing key
             byte[] signingKey = null;
             try {
                 signingKey = getSignatureKey(secretKey, date, region, serviceName);
             } catch (Exception e) {
                 e.printStackTrace();
             }

             // Generate the signature
             String signature = null;
             try {
                 signature = bytesToHex(hmacSHA256(signingKey, stringToSign.getBytes(StandardCharsets.UTF_8)));
             } catch (Exception e) {
                 e.printStackTrace();
             }
             // Generate the Authorization header
             String authorizationHeader = "AWS4-HMAC-SHA256 Credential=" + accessKey +"/"+date+"/" +region + "/" +
                     serviceName + "/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=" + signature;
             System.out.println("authorizationHeader: " + authorizationHeader);
            
             vProcessBuilder = new ProcessBuilder(
                "curl",
                    "-X", "GET",
                    "-H", "Authorization:" + authorizationHeader,
                    "-H", "x-amz-date:" + amzDate,
                    "-H", "X-Amz-Security-Token:" + sessionToken,
                    "https://ENDPOINT/_search?q=test"//provide ENDPOINT, means OpenSearch Endpoint and test is a word to search
                );
             vProcessBuilder.redirectErrorStream(true);
             vProcess = vProcessBuilder.start();

             int exitCode1 = vProcess.exitValue();
             System.out.println("Exit Code: " + exitCode1);// if exitCode is 2 means having issue

             BufferedReader reader = new BufferedReader(new InputStreamReader(vProcess.getInputStream()));
             StringBuilder builder = new StringBuilder();
             String line = null;
             while ((line = reader.readLine()) != null)
             {
                  builder.append(line);
                  builder.append(System.getProperty("line.separator"));
             }
             String result = builder.toString();
             System.out.println(result);
             //ObjectMapper vMapper =  new ObjectMapper();
             //String vFinalResult = vMapper.writeValueAsString(result);
             //System.out.println(vFinalResult);
        } catch (IOException e) {
                e.printStackTrace();
        }
        finally
        {
            vProcess.destroy();
            vProcess = null;
        }
    }

    
    private static String getTimestamp()
    {
        // LocalDateTime class to get the current date and time.
        LocalDateTime currentDateTime = LocalDateTime.now();

        // Format the timestamp using the desired timestamp format
        DateTimeFormatter formatter = DateTimeFormatter.ofPattern("yyyyMMddHHmmss");
        String formattedTimestamp = currentDateTime.format(formatter);

        // format the current timestamp using the format method of the LocalDateTime class and print the formatted timestamp
        System.out.println("Formatted Timestamp: " + formattedTimestamp);
        return formattedTimestamp;
    }

    private static String getPayloadHash(String payload) throws Exception
    {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        byte[] hash = digest.digest(payload.getBytes(StandardCharsets.UTF_8));
        return bytesToHex(hash);
    }

    //the hmacSHA256 method is used to calculate the actual signature by passing the signing key and the string to sign as parameters.
    private static byte[] hmacSHA256(byte[] key, byte[] data) throws Exception
    {
        Mac mac = Mac.getInstance("HmacSHA256");
        SecretKeySpec keySpec = new SecretKeySpec(key, "HmacSHA256");
        mac.init(keySpec);
        return mac.doFinal(data);
    }

    //The getSignatureKey method computes the signing key using your AWS Secret Key.
    private static byte[] getSignatureKey(String key, String date, String region, String service) throws Exception
    {
        byte[] kSecret = ("AWS4" + key).getBytes(StandardCharsets.UTF_8);
        byte[] kDate = hmacSHA256(kSecret, date.getBytes(StandardCharsets.UTF_8));
        byte[] kRegion = hmacSHA256(kDate, region.getBytes(StandardCharsets.UTF_8));
        byte[] kService = hmacSHA256(kRegion, service.getBytes(StandardCharsets.UTF_8));
        return hmacSHA256(kService, "aws4_request".getBytes(StandardCharsets.UTF_8));
    }

    private static String getHash(String text) throws Exception
    {
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        byte[] hash = digest.digest(text.getBytes(StandardCharsets.UTF_8));
        return bytesToHex(hash);
    }

    private static String bytesToHex(byte[] bytes)
    {
        StringBuilder result = new StringBuilder();
        for (byte b : bytes) {
            result.append(String.format("%02x", b));
        }
        return result.toString();
    }
    
    private static String getFormattedTimestamp() {
        //LocalDateTime currentDateTime = LocalDateTime.now();
       // DateTimeFormatter formatter = DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'");
        //String formattedTimestamp = currentDateTime.format(formatter);
        // format the current timestamp using the format method of the LocalDateTime class and print the formatted timestamp
        ZonedDateTime utcDateTime = ZonedDateTime.now(ZoneOffset.UTC);
        String awsTimestamp = utcDateTime.format(DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'"));
        System.out.println("Formatted Timestamp: " + awsTimestamp);
        return awsTimestamp;
    }
    
    
}
Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    I HAVE TRYED IN BELOW WAY AND GETTING SOME ERROR LIKE Exception in thread "main" java.lang.RuntimeException: class org.apache.http.client.methods.HttpRequestWrapper$HttpEntityEnclosingRequestWrapper cannot be cast to class org.apache.http.client.methods.HttpRequestBase (org.apache.http.client.methods.HttpRequestWrapper$HttpEntityEnclosingRequestWrapper and org.apache.http.client.methods.HttpRequestBase are in unnamed module of loader 'app') at org.elasticsearch.client.RestClient.extractAndWrapCause(RestClient.java:889) at org.elasticsearch.client.RestClient.performRequest(RestClient.java:283) at org.elasticsearch.client.RestClient.performRequest(RestClient.java:270) below code i have used:

        public class OpenSearchExample1 {
        public static void main(String[] args) {
            String accessKey = "ACCESSKEYY";
            String secretKey = "SECRETKEY";
            String sessionToken = "SECURITY_TOKEN";
            
            AwsCredentialsProvider credentialsProvider = StaticCredentialsProvider.create(
                    AwsSessionCredentials.create(accessKey, secretKey, sessionToken)
            );
    
            // Set the AWS region
            Region region = Region.of("us-east-1");
    
            // Set the AWS OpenSearch endpoint
            String endpoint = "OPENSEARCHENDPIONT";
    
            // Set the index name
            String indexName = "pdf";
    
            // Set the search query
            String query = "TEST";
    
            // Create the STS client to retrieve the caller identity
            StsClient stsClient = StsClient.builder()
                    .region(region)
                    .credentialsProvider(credentialsProvider)
                    .build();
    
            // Get the AWS account ID and service name for the signer
            GetCallerIdentityResponse callerIdentity = stsClient.getCallerIdentity(GetCallerIdentityRequest.builder().build());
            callerIdentity.account();
            String serviceName = "es";
    
            // Create the AWS4Signer with the appropriate signer type
            Aws4Signer signer = Aws4Signer.create();
            //signer.setRegionName(region.id());
    
            // Create the Elasticsearch REST client with AWS request signing
            RestHighLevelClient client = new RestHighLevelClient(
                    RestClient.builder(HttpHost.create(endpoint))
                            .setHttpClientConfigCallback(httpClientBuilder -> {
                                ApacheHttpRequestConfig.builder();
                                HttpRequestInterceptor interceptor = (request, context) -> {
                                    URI uri = URI.create(request.getRequestLine().getUri());
                                    String path = uri.getPath();
                                    if (path.isEmpty()) {
                                        path = "/";
                                    }
    
                                    HttpRequestBase httpRequest = (HttpRequestBase) request;
    
                                    SdkHttpFullRequest sdkRequest = SdkHttpFullRequest.builder()
                                            .method(SdkHttpMethod.fromValue(httpRequest.getMethod()))
                                            .uri(uri)
                                            .build();
    
                                    Aws4SignerParams signerParams = Aws4SignerParams.builder()
                                            .awsCredentials(credentialsProvider.resolveCredentials())
                                            .signingName(serviceName)
                                            .signingRegion(region)
                                            .build();
    
                                    signer.sign(sdkRequest, signerParams);
                                };
    
                                httpClientBuilder.addInterceptorLast(interceptor);
                                return httpClientBuilder;
                            })
            );
    
            try {
                // Build the search request
                Request searchRequest = new Request("GET", "/" + indexName + "/_search");
                searchRequest.setJsonEntity("{"query":{"match":{"_all":"" + query + ""}}}");
    
                // Execute the search request
                Response searchResponse = client.getLowLevelClient().performRequest(searchRequest);
    
                // Process the search response
                System.out.println(searchResponse.getStatusLine().getStatusCode());
                System.out.println(searchResponse.getEntity().getContent().toString());
            } catch (IOException e) {
                e.printStackTrace();
            } finally {
                // Close the Elasticsearch client
                try {
                    client.close();
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }
        }
    }

    pom.xml:

    <project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  
  <groupId>com.example</groupId>
  <artifactId>opensearch-example</artifactId>
  <version>1.0-SNAPSHOT</version>
  
  <properties>
    <maven.compiler.source>1.8</maven.compiler.source>
    <maven.compiler.target>1.8</maven.compiler.target>
  </properties>
  
  <dependencies>
    <!-- <dependency>
      <groupId>software.amazon.awssdk</groupId>
      <artifactId>opensearch</artifactId>
      <version>2.20.83</version>
    </dependency>
    
    <dependency>
      <groupId>software.amazon.awssdk</groupId>
      <artifactId>apache-client</artifactId>
      <version>2.20.83</version>
    </dependency>-->
    
    <dependency>
      <groupId>software.amazon.awssdk</groupId>
      <artifactId>auth</artifactId>
      <version>2.20.83</version>
    </dependency>
    <dependency>
        <groupId>org.elasticsearch.client</groupId>
        <artifactId>elasticsearch-rest-high-level-client</artifactId>
        <version>7.15.1</version>
    </dependency>
    <dependency>
        <groupId>software.amazon.awssdk</groupId>
        <artifactId>sts</artifactId>
        <version>2.20.83</version>
    </dependency>
    <dependency>
        <groupId>software.amazon.awssdk</groupId>
        <artifactId>elasticsearch</artifactId>
        <version>2.20.83</version>
    </dependency>
    <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.14</version>
    </dependency>
  <!-- SLF4J API -->
  <dependency>
    <groupId>org.slf4j</groupId>
    <artifactId>slf4j-api</artifactId>
    <version>1.7.32</version>
  </dependency>
  
  <!-- Logback logger implementation -->
  <dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-classic</artifactId>
    <version>1.2.6</version>
  </dependency>
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-api</artifactId>
    <version>2.17.1</version>
  </dependency>

  <!-- Log4j2 Core -->
  <dependency>
    <groupId>org.apache.logging.log4j</groupId>
    <artifactId>log4j-core</artifactId>
    <version>2.17.1</version>
  </dependency>
  
  <!-- Other dependencies -->
</dependencies>
</project>

  2. 0

    To perform Open Search operations, consider using the Interface OpenSearchClient, which is AWS SDK for Java v2 as opposed to writing your own logic.

    Benefits of AWS SDK for Java V2 are:

    The AWS SDK for Java 2.x is a major rewrite of the version 1.x code base. It’s built on top of Java 8+ and adds several frequently requested features. These include support for non-blocking I/O and the ability to plug in a different HTTP implementation at runtime.

    Here is a code example that shows how to perform Amazon OpenSearch operations:

    package com.example.search;

// snippet-start:[opensearch.java2.create_domain.import]
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.opensearch.OpenSearchClient;
import software.amazon.awssdk.services.opensearch.model.ClusterConfig;
import software.amazon.awssdk.services.opensearch.model.EBSOptions;
import software.amazon.awssdk.services.opensearch.model.VolumeType;
import software.amazon.awssdk.services.opensearch.model.NodeToNodeEncryptionOptions;
import software.amazon.awssdk.services.opensearch.model.CreateDomainRequest;
import software.amazon.awssdk.services.opensearch.model.CreateDomainResponse;
import software.amazon.awssdk.services.opensearch.model.OpenSearchException;
// snippet-end:[opensearch.java2.create_domain.import]

/**
 * Before running this Java V2 code example, set up your development environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class CreateDomain {

    public static void main(String[] args) {

        final String usage = "n" +
            "Usage:n" +
            "    <domainName>nn" +
            "Where:n" +
            "    domainName - The name of the domain to create.nn" ;

        if (args.length != 1) {
            System.out.println(usage);
            System.exit(1);
        }

        String domainName = args[0];
        Region region = Region.US_EAST_1;
        OpenSearchClient searchClient = OpenSearchClient.builder()
            .region(region)
            .credentialsProvider(ProfileCredentialsProvider.create())
            .build();

        createNewDomain(searchClient, domainName);
        System.out.println("Done");
    }

    // snippet-start:[opensearch.java2.create_domain.main]
    public static void createNewDomain(OpenSearchClient searchClient, String domainName) {
        try {
            ClusterConfig clusterConfig = ClusterConfig.builder()
                .dedicatedMasterEnabled(true)
                .dedicatedMasterCount(3)
                .dedicatedMasterType("t2.small.search")
                .instanceType("t2.small.search")
                .instanceCount(5)
                .build();

            EBSOptions ebsOptions = EBSOptions.builder()
                .ebsEnabled(true)
                .volumeSize(10)
                .volumeType(VolumeType.GP2)
                .build();

            NodeToNodeEncryptionOptions encryptionOptions = NodeToNodeEncryptionOptions.builder()
                .enabled(true)
                .build();

            CreateDomainRequest domainRequest = CreateDomainRequest.builder()
                .domainName(domainName)
                .engineVersion("OpenSearch_1.0")
                .clusterConfig(clusterConfig)
                .ebsOptions(ebsOptions)
                .nodeToNodeEncryptionOptions(encryptionOptions)
                .build();

            System.out.println("Sending domain creation request...");
            CreateDomainResponse createResponse = searchClient.createDomain(domainRequest);
            System.out.println("Domain status is "+createResponse.domainStatus().toString());
            System.out.println("Domain Id is "+createResponse.domainStatus().domainId());

        } catch (OpenSearchException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
    // snippet-end:[opensearch.java2.create_domain.main]
}
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search