I am trying to get the right request to get a user, but cannot:

AWS CLI that works:

aws iam get-user --user-name "${user_name}"

Now, plain curl request

api_addr=https://iam.amazonaws.com &&
curl --aws-sigv4 "aws:amz:${region}:iam" --user "${aws_key}":"${aws_secret}"  "${api_addr}/?Action=GetUser&UserName=${user_name}&Version=2010-05-08"

Getting a response:

<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
  <Error>
    <Type>Sender</Type>
    <Code>SignatureDoesNotMatch</Code>
    <Message>Credential should be scoped to a valid region. </Message>
  </Error>
  <RequestId>b21979ce-4d16-4e43-a592-227dc6d2a249</RequestId>
</ErrorResponse>

What is the correct call? I presume IAM is a global region. I've tried my specific region as well as "global" or omitting it.

Curl should suffice:

curl --version
curl 7.87.0 (x86_64-apple-darwin22.0) libcurl/7.87.0 (SecureTransport) LibreSSL/3.3.6 zlib/1.2.11 nghttp2/1.51.0
Release-Date: 2022-12-21

2 Answers


  1. Chosen as BEST ANSWER

    I've ended up with the following canonical snippet:

    # --data-urlencode URL-encodes the user name before it is sent and signed
    api_url="https://iam.amazonaws.com/" &&
    default_region="us-east-1" &&
    api_version="2010-05-08" &&
    curl --aws-sigv4 "aws:amz:${default_region}:iam" --user "${aws_key}:${aws_secret}" \
      --data-urlencode "UserName=${user_name}" \
      --data "Action=GetUser" \
      --data "Version=${api_version}" \
      "${api_url}"
    

    It is based on Arpit's answer. However, I had another small issue due to a weird user name that needed to be URL-encoded, so I feel it is worth posting.


  2. Okay, I was able to make it work. Looks like the default region is being used in calls to IAM, which accepts only us-east-1.

    Request:-

    curl --aws-sigv4 "aws:amz:us-east-1:iam" --user "AWS_KEY":"AWS_SECRET_XXX"  "https://iam.amazonaws.com/?Action=GetUser&UserName=Dev-arpit&Version=2010-05-08"
    

    Response:-

    <GetUserResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
      <GetUserResult>
        <User>
          <Path>/</Path>
          <UserName>Dev-arpit</UserName>
          <Arn>arn:aws:iam::XXXXX:user/Dev-arpit</Arn>
          <UserId>XXXX</UserId>
          <CreateDate>2023-05-19T04:26:17Z</CreateDate>
        </User>
      </GetUserResult>
      <ResponseMetadata>
        <RequestId>03ca9843-d003-4ca1-8d22-0c99a43cc78b</RequestId>
      </ResponseMetadata>
    </GetUserResponse>
    

    Hope it helps!

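An added example (not from the question or either answer): a Python derivation of the SigV4 `Authorization` header for the POSTed `GetUser` call, showing where the region enters the credential scope and the signing key, and how the user name is URL-encoded before signing. The credentials, user name and timestamp are constructed placeholders, and the set of signed headers is an assumption that need not match what curl signs.

```python
import hashlib
import hmac
from urllib.parse import quote, urlencode

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # Region and service are folded into the key, so a request signed for
    # one scope cannot validate against an endpoint expecting another.
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k

def sign_get_user(access_key, secret, user_name, region, amz_date,
                  host="iam.amazonaws.com"):
    """Return (form_body, Authorization header) for a POSTed IAM GetUser."""
    # quote_via=quote percent-encodes '+', '@', '=' etc. in the user name.
    body = urlencode({"Action": "GetUser", "UserName": user_name,
                      "Version": "2010-05-08"}, quote_via=quote)
    headers = {"content-type": "application/x-www-form-urlencoded",
               "host": host, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical = "\n".join([
        "POST", "/", "",  # method, path, empty query string
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed,
        hashlib.sha256(body.encode()).hexdigest()])
    date = amz_date[:8]
    scope = f"{date}/{region}/iam/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    sig = hmac.new(signing_key(secret, date, region, "iam"),
                   to_sign.encode(), hashlib.sha256).hexdigest()
    auth = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={sig}")
    return body, auth

# Constructed placeholder values, not real credentials.
KEY, SECRET = "AKIAEXAMPLEKEYID0000", "example-secret-not-real"
STAMP, USER = "20230519T042617Z", "dev+ops@example"

if __name__ == "__main__":
    for region in ("us-east-1", "eu-west-1"):
        body, auth = sign_get_user(KEY, SECRET, USER, region, STAMP)
        print(region, body, auth, sep="\n  ")
```

Comparing the `Credential=` scope printed here with the one in a failing request is a quick way to confirm which region the client actually signed with.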