amazon_aws_auth_pkg: The authorization mechanism you have provided is not supported #24
Comments
According to the Amazon documentation (http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version): "In the China (Beijing), EU (Frankfurt) and Asia Pacific (Seoul) regions, Amazon S3 supports only Signature Version 4, and AWS SDKs use this signature version to authenticate requests. In all other regions, Amazon S3 supports both Signature Version 4 and Signature Version 2." Therefore, to use these regions, the PL/SQL API (amazon_aws_auth_pkg) needs to be extended to support the new "Signature Version 4". The new signature is described here: http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
The "Signature Version 4" uses a SHA256 message authentication code (MAC). Oracle added support for this in 12c (HMAC_SH256): http://www.morganslibrary.org/reference/pkgs/dbms_crypto.html. Older versions of the database (11g) only support the older HMAC_SH1 algorithm, which means it's not possible to implement this on 11g (at least not without loading a Java class, or re-implementing the crypto yourself in PL/SQL, probably not a good idea). Conditional compilation could be used to make this work against a 12c database, though.
@antonscheffer has implemented additional crypto functions in PL/SQL (https://github.com/antonscheffer/as_crypto), which should make it possible to get the AWS signature up and running for Oracle 10/11 databases as well.
@mortenbra I have tried with as_crypto.
When using the 1st method, it results in an error when trying to get the bucket list.
When using the second method, I am able to initialize the session and get the bucket list, but when trying to upload the file, it results in an error:
Any suggestions, please?
@jpraulji I would need to see a complete code example (or the full list of changes you have done) in order to comment. Have you implemented the full signing method as described in the Amazon docs for AWS signature version 4?
I'm having the same issue using a bucket in the US-EAST-2 (Ohio) region. My APEX instance is on Oracle 11 but I can ask my hosting company (Enciva.com) to upgrade it to 12c. If I did that, would it be as simple as updating the dbms_crypto call in the AMAZON_AWS_AUTH_PKG body to use HMAC_SH256?
@bradjpeek Did you have success with the bucket in US-EAST-2? I am already using 12c, but I think the new AWS signature version 4 needs to be implemented for it to work.
@mortenbra How are you? I ran all the packages, but for every action I perform I get the following message. Would you help me?
@danielpbarros Which AWS region is your bucket in? Did you run amazon_aws_auth_pkg.init() before the other calls?
@mortenbra, how are you? First, thank you for answering my question. I managed to fix the problem and found that I was sending the wrong timezone parameter. Thank you very much.
Hello Morten,
This is regarding Amazon S3. I can upload files to a bucket in the US, but when I try to upload files to a bucket in Frankfurt, I get this error.
ORA-20000: The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256.
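
The thread asks whether supporting these regions is only a matter of switching the MAC to HMAC-SHA256. The Python reference below is an added example, not code from amazon_aws_auth_pkg or from anyone in the thread. It walks the Signature Version 4 steps from the linked Amazon documentation (canonical request, string to sign, derived signing key) so the output of a PL/SQL port can be compared against it. Assumptions: the credentials are AWS's published documentation example values, the bucket host and timestamp are constructed, and the path is already URI-encoded with no query string.

```python
import hashlib
import hmac


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # The secret key never signs the request directly: it seeds an HMAC chain
    # over date, region, service and the literal "aws4_request".
    key = hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        key = hmac_sha256(key, part)
    return key


def authorization_header(access_key, secret, method, host, path,
                         region, amz_date, payload=b""):
    payload_hash = hashlib.sha256(payload).hexdigest()
    headers = {"host": host,
               "x-amz-content-sha256": payload_hash,
               "x-amz-date": amz_date}          # e.g. 20130524T000000Z, UTC
    signed = ";".join(sorted(headers))
    canonical_request = "\n".join([
        method,
        path,
        "",                                      # empty canonical query string
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed,
        payload_hash,
    ])
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    key = signing_key(secret, amz_date[:8], region, "s3")
    signature = hmac.new(key, string_to_sign.encode("utf-8"),
                         hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={signature}")


if __name__ == "__main__":
    # Constructed sample request against a Frankfurt bucket.
    print(authorization_header(
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
        "GET", "examplebucket.s3.eu-central-1.amazonaws.com", "/",
        "eu-central-1", "20130524T000000Z"))
```

The region and the UTC date are both part of the credential scope and the key derivation, so a wrong region or a timestamp in the wrong time zone changes the signature and the request is rejected.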