AWS CloudFront file invalidation through REST and PowerShell APIs

I am trying to write a PowerShell script to invalidate an AWS CloudFront distribution object (only a specific file) and don’t know how to create the “signed URL” that they are asking for.

My code so far:

$authPref = "AWS4-HMAC-SHA256"
$AWSAccessKey = "xxx"
$AWSSecretKey = "xxx"
$awsDateOnly = (Get-Date).AddHours(-3).ToString("yyyyMMdd")
$awsRegion = "us-east-1"
$awsServiceName = "cloudfront"
$awsRequestType = "aws4_request"

$stringToSign = $authPref + " " + $awsCallerReference + " " + $awsDateOnly + "/" + $awsRegion + "/" + $awsServiceName + "/" + $awsRequestType + " SOME_STRING_NOT_SURE_WHAT"

$hmacsha = New-Object System.Security.Cryptography.HMACSHA256
$hmacsha.key = [Text.Encoding]::ASCII.GetBytes($stringToSign)
$awsHMAC = $hmacsha.ComputeHash([Text.Encoding]::ASCII.GetBytes($AWSSecretKey))
$awsHMAC = [Convert]::ToBase64String($awsHMAC)

$awsSignedToken = $authPref + " Credential=" + $AWSAccessKey + "/" + $awsDateOnly + "/" + $awsRegion + "/" + $awsServiceName + "/" + $awsRequestType + ", SignedHeaders=content-type;host;x-amz-date, Signature=" + $awsHMAC


#POST /2017-03-25/distribution/$awsDistributionID/invalidation HTTP/1.1
$awsDistributionID = "xxx"
$awsCallerReference = (Get-Date).AddHours(-3).ToString("yyyyMMdd'T'HHmmss'Z'")

$invalidateObjectXML = @"
<?xml version="1.0" encoding="UTF-8"?>
<InvalidationBatch xmlns="http://cloudfront.amazonaws.com/doc/2017-03-25/">
   <CallerReference>$awsCallerReference</CallerReference>
   <Paths>
      <Items>
         <Path>/</Path>
      </Items>
      <Quantity>1</Quantity>
   </Paths>
</InvalidationBatch>
"@

[xml]$invalidateObjectXML = $invalidateObjectXML

$awsCFuri = "https://cloudfront.amazonaws.com/2017-03-25/distribution/$awsDistributionID/invalidation"

Invoke-WebRequest -Method POST `
                    -Uri $awsCFuri `
                    -Headers @{"content-type"="text/xml";
                               "x-amz-date"="$awsCallerReference";
                               "authorization"="$awsSignedToken";
                               "host"="cloudfront.amazonaws.com"} `
                    -Body $invalidateObjectXML

Response:

<ErrorResponse xmlns="http://cloudfront.amazonaws.com/doc/2017-03-25/"><Error><Type>Sender</Type><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
The Canonical String for this request should have been
'POST
/2017-03-25/distribution/blabla/invalidation
content-type:text/xml
host:cloudfront.amazonaws.com
x-amz-date:20170503T203650Z
content-type;host;x-amz-date
blabla'
The String-to-Sign should have been
'AWS4-HMAC-SHA256
20170503T203650Z
20170503/us-east-1/cloudfront/aws4_request
blabla'
</Message></Error><RequestId>123-123</RequestId></ErrorResponse>
At line:1 char:1

So, it’s obvious that I am doing something wrong with the signed URL string, but what is it? I could not find any examples on the Internet (not AWS docs or any other blog) that demonstrate this in PowerShell.

Thanks.

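A working SigV4 signer for this same CreateInvalidation call, added here as an example (it is not the original poster's code or AWS's): it builds the canonical request and string-to-sign in the shape the error response prints, derives the signing key from the secret instead of HMAC-ing the secret with the string, and hex-encodes the result. The access key, secret and distribution ID are placeholders; the invalidated path and the caller reference are constructed sample values.

```powershell
# Added example (not the poster's code). Credentials and distribution ID are placeholders.
$AWSAccessKey      = "ACCESS_KEY_PLACEHOLDER"
$AWSSecretKey      = "SECRET_KEY_PLACEHOLDER"
$awsDistributionID = "DISTRIBUTION_ID_PLACEHOLDER"
$region   = "us-east-1"       # CloudFront is global; its SigV4 credential scope is always us-east-1
$service  = "cloudfront"
$endpoint = "cloudfront.amazonaws.com"
$path     = "/2017-03-25/distribution/$awsDistributionID/invalidation"
function Get-Sha256Hex([string]$Text) {
    $hash = [System.Security.Cryptography.SHA256]::Create().ComputeHash([Text.Encoding]::UTF8.GetBytes($Text))
    ([BitConverter]::ToString($hash) -replace '-', '').ToLowerInvariant()
}
function Get-HmacSha256([byte[]]$Key, [string]$Text) {
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = $Key              # key = previous round's output, message = the string (not the other way round)
    Write-Output -NoEnumerate $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Text))
}
# Both timestamps must be UTC; x-amz-date is not the caller reference and not local time minus 3 hours.
$now             = (Get-Date).ToUniversalTime()
$amzDate         = $now.ToString("yyyyMMdd'T'HHmmss'Z'")
$dateStamp       = $now.ToString("yyyyMMdd")
$callerReference = [guid]::NewGuid().ToString()    # must be unique per distribution
$body = @"
<?xml version="1.0" encoding="UTF-8"?>
<InvalidationBatch xmlns="http://cloudfront.amazonaws.com/doc/2017-03-25/">
  <Paths><Quantity>1</Quantity><Items><Path>/index.html</Path></Items></Paths>
  <CallerReference>$callerReference</CallerReference>
</InvalidationBatch>
"@
# Canonical request: method, URI, empty query string, canonical headers, blank line,
# signed-header list, hex SHA-256 of the payload (the last line the error shows as "blabla").
$signedHeaders    = "content-type;host;x-amz-date"
$canonicalRequest = "POST`n$path`n`n" +
                    "content-type:text/xml`nhost:$endpoint`nx-amz-date:$amzDate`n`n" +
                    "$signedHeaders`n" + (Get-Sha256Hex $body)
$scope        = "$dateStamp/$region/$service/aws4_request"
$stringToSign = "AWS4-HMAC-SHA256`n$amzDate`n$scope`n" + (Get-Sha256Hex $canonicalRequest)
# Derived signing key: an HMAC chain seeded with "AWS4" + secret; the raw secret never signs anything directly.
$kDate     = Get-HmacSha256 ([Text.Encoding]::UTF8.GetBytes("AWS4$AWSSecretKey")) $dateStamp
$kRegion   = Get-HmacSha256 $kDate $region
$kService  = Get-HmacSha256 $kRegion $service
$kSigning  = Get-HmacSha256 $kService "aws4_request"
$signature = ([BitConverter]::ToString((Get-HmacSha256 $kSigning $stringToSign)) -replace '-', '').ToLowerInvariant()
$authorization = "AWS4-HMAC-SHA256 Credential=$AWSAccessKey/$scope, SignedHeaders=$signedHeaders, Signature=$signature"
# Send exactly the bytes that were hashed; Host comes from the Uri and Content-Type from -ContentType.
Invoke-WebRequest -Method POST -Uri "https://$endpoint$path" -ContentType "text/xml" `
    -Headers @{ "x-amz-date" = $amzDate; "authorization" = $authorization } `
    -Body ([Text.Encoding]::UTF8.GetBytes($body))
```

If the service still answers SignatureDoesNotMatch, diff the canonical request it echoes back against `$canonicalRequest` line by line; a mismatch there (header value, path, payload hash) is the cause, not the HMAC arithmetic.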
1 answer

AWS provides a PowerShell wrapper over the AWS API, AWS Tools for PowerShell. Use it rather than calling the API directly.

For CloudFront the cmdlet is New-CFInvalidation. Pass the files to invalidate in Paths_Item.

Syntax:

New-CFInvalidation
    -DistributionId <String>
    -InvalidationBatch_CallerReference <String>
    -Paths_Item <String[]>
    -Paths_Quantity <Int32>
    -Force <SwitchParameter>


Source: https://habr.com/ru/post/1676309/
