My "token-signature" in aws iot test-invoke-authorizer always mismatches

0

I tried to use an AWS IoT Core Authorizer with an AWS Lambda function, following this guide: https://docs.aws.amazon.com/iot/latest/developerguide/config-custom-auth.html and this one: https://docs.aws.amazon.com/iot/latest/developerguide/custom-auth-tutorial.html

I can create the Lambda function and the authorizer as in that guide, but I always get this error: "An error occurred (InvalidRequestException) when calling the TestInvokeAuthorizer operation: Token signature mismatch for authorizer my-new-authorizer1" when I try to test it with test-invoke-authorizer. I guess I may have made some mistake in key generation or signature generation with OpenSSL, so I tried to validate them to check that they are compatible, and they are compatible.

And now I have no idea what I did wrong. Can anyone suggest what I should do?

Thank You for your time.

6 Answers
0
Accepted Answer

OK, it was solved. After a meeting with AWS technical support, he showed me how to create the key. It's about the OpenSSL key generator: OpenSSL does not regularly support Windows OS, so it's very complicated to generate the key from Windows. The other thing is the version of OpenSSL, which the document recommends to be 1.1.1i.

I tried using OpenSSL 1.1.1i from Ubuntu OS with the same procedure as in that document and it works fine without error. So change your OS to solve it.

Thank You everyone

answered a year ago
0

Thanks for reaching out. Can you please confirm if on the tutorial you have done steps 1-3 successfully? i.e. lambda add-permission with no errors?

  • Yes, it is. I can do it without any error.

For step 4, have you ensured that this is generated with the "tokenKeyValue" and the same is used for testing the authorizer?

  • Yes, I generated it with OpenSSL v1.1.1, but I also tried OpenSSL v3 and it was the same error.

"Copy this signature string to use in the next step. Be careful not to include any extra characters or leave any out."

  • I checked it in debug mode of "TestInvokeAuthorizer" and I didn't see any extra character in it.

Another thing that feels strange to me is the private-key generator in https://docs.aws.amazon.com/iot/latest/developerguide/custom-auth-tutorial.html: "openssl genrsa -out private-key.pem 4096". I saw some documents use 2048 length, but I think it should not matter for checking that both keys match, and even with 2048 length it mismatched too.

Thank You for your time.

answered 2 years ago
  • Thanks for your response. I re-ran the tutorial end to end and it works well without issues. OpenSSL version does not matter.

    4096 is the size of the private key to generate in bits. This must be the last option specified. The default is 2048.

    Please confirm the steps below:

    echo -n "tokenKeyValue" | openssl dgst -sha256 -sign private-key.pem | openssl base64 -A

    and then

    aws iot test-invoke-authorizer \
    --authorizer-name my-new-authorizer \
    --token tokenKeyValue \
    --token-signature <<signature from above, not including any extra characters or leaving any out>>

    The --token value must be the same string you used in echo -n "tokenKeyValue" above.

    Any change in the --token or --token-signature may prevent it from validating.

    Another idea is to follow Step 5: Test publishing MQTT message using Postman.
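The sign-then-test procedure above, reproduced locally in Go as an added example (not code from the AWS tutorial or from the answerer): for the RSA key the tutorial's `openssl genrsa` produces, `openssl dgst -sha256 -sign` yields a PKCS#1 v1.5 signature over the SHA-256 digest and `openssl base64 -A` prints it as single-line base64. Verifying with the public key before calling test-invoke-authorizer separates a key/signature problem from a token-bytes problem, and the second case shows why a trailing newline (echo without -n) produces a mismatch for the token actually passed to --token.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// SignToken does what `echo -n "<token>" | openssl dgst -sha256 -sign private-key.pem | openssl base64 -A`
// does for an RSA key: SHA-256 digest, PKCS#1 v1.5 signature, single-line base64 with padding.
func SignToken(key *rsa.PrivateKey, token string) (string, error) {
	digest := sha256.Sum256([]byte(token))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyToken is the local equivalent of the check test-invoke-authorizer performs with the
// authorizer's public key: nil only when the signature covers exactly the bytes of token.
func VerifyToken(pub *rsa.PublicKey, token, sigB64 string) error {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		// A stray character pasted into --token-signature fails here, before any crypto runs.
		return fmt.Errorf("signature is not clean base64: %w", err)
	}
	digest := sha256.Sum256([]byte(token))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	// Constructed key for the demo; in the tutorial this is private-key.pem from `openssl genrsa`.
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sig, _ := SignToken(key, "tokenKeyValue")
	fmt.Println("same bytes signed and tested:", VerifyToken(&key.PublicKey, "tokenKeyValue", sig))
	// echo without -n signs "tokenKeyValue\n"; the token passed to --token has no newline.
	sigNL, _ := SignToken(key, "tokenKeyValue\n")
	fmt.Println("trailing newline in signed input:", VerifyToken(&key.PublicKey, "tokenKeyValue", sigNL))
}
```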

0

Hello,

Have you been able to solve this issue?

I am also following this tutorial from top to bottom, https://docs.aws.amazon.com/iot/latest/developerguide/custom-auth-tutorial.html, but I get the following error every time (Postman is also not working):

An error occurred (InvalidRequestException) when calling the TestInvokeAuthorizer operation: Token signature mismatch for authorizer my-new-authorizer

Also in step 3, the Lambda permission statement shown in the tutorial is:

{
    "Statement": "{\"Sid\":\"Id-1234\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"iot.amazonaws.com\"},\"Action\":\"lambda:InvokeFunction\",\"Resource\":\"arn:aws:lambda:Region:57EXAMPLE833:function:custom-auth-function\",\"Condition\":{\"ArnLike\":{\"AWS:SourceArn\":\"arn:aws:lambda:Region:57EXAMPLE833:function:custom-auth-function\"}}}"
}

But the previous step to create the permission through the CLI indicates:

aws lambda add-permission  \
--function-name "custom-auth-function" \
--principal "iot.amazonaws.com" \
--action "lambda:InvokeFunction" \
--statement-id "Id-1234" \
--source-arn authorizerArn

to use the authorizerArn as the "source-ARN", but the statement is using the Lambda function ARN. Which one is correct? I tested both but still get the "Token signature mismatch..." error.

Any assistance would be greatly appreciated.

Regards. Gianpiero

answered a year ago
  • I have a meeting with AWS technical support tomorrow, so if you have some questions about this please list them for me. If possible, I may ask them too. Thank you.

0

Thanks for reaching out. Can you please confirm if on the tutorial you have done steps 1-3 successfully? i.e. lambda add-permission with no errors?

For step 4, have you ensured that this is generated with the "tokenKeyValue" and the same is used for testing the authorizer?

echo -n "tokenKeyValue" | openssl dgst -sha256 -sign private-key.pem | openssl base64 -A

Also in step 4, can you confirm that this check is done? "Copy this signature string to use in the next step. Be careful not to include any extra characters or leave any out."

AWS EXPERT
answered 2 years ago
0

Following your suggestion "Another idea is to follow Step 5: Test publishing MQTT message using Postman", I tried to follow step 5, and the first wrong thing I saw is that my policy was denying this request. I'm unsure whether it is related to the mismatch between public key and signature. If I can resolve that policy (which I had done before), I will update later.

Thank You for your advice.

answered 2 years ago
0

Have you been able to solve this issue? No, I'm still stuck in the same situation.

And: To use the authorizerArn as the "source-ARN" but the statement is using the lambda function ARN, which one is correct?

I used the ARN from authorizerArn in the response of create-authorizer.


answered a year ago
