Signing SQS Request while accessing over HTTP

Manoj Kanduri
Mar 6, 2019


SQS is a managed service from AWS. AWS provides multiple options for accessing the service: SDK, CLI, Console and RESTful. In this story I'm primarily focusing on the RESTful approach and the various components involved in building the request.

The majority of the details are explained by AWS in its documentation, Making Query API Request. It becomes difficult to interpret when you start seeing errors like:

The request must contain the parameter MessageGroupId.

The request has expired.

Request signature mismatch.

  1. Create an SQS queue in your account with the following configuration:
    - AccessKeyId / shared secret to publish to and consume from the queue
    - Content deduplication enabled.
    - FIFO queue.
  2. Format Query Request

Query Method GET is formatted as

GET\n

The SQS endpoint is in US-WEST-2

sqs.us-west-2.amazonaws.com\n

Queue Path — As shared on console after creation.

/007007007/com-test-queue-for-rest-access.fifo\n

Query String Components

AWSAccessKeyId=ACCESSKEYID007
Version=2012-11-05
Timestamp=2019-02-24T15%3A19%3A30-08%3A00
MessageBody=test_message
Action=SendMessage
MessageGroupId=abc
SignatureMethod=HmacSHA256
SignatureVersion=2

Timestamp should be sometime in the future, when you are going to make the request. The format shown above is the URL-encoded form of 2019-02-24T15:19:30-08:00.

Signing the request is mandated by AWS to ensure the integrity of the payload in transit to AWS for processing. The payload is signed with the SecretKey that is generated for the AWSAccessKey. The query string components need to be reordered, because AWS sorts the parameters in case-sensitive byte order. The reordered query string looks like the one below.

AWSAccessKeyId=ACCESSKEYID007&
Action=SendMessage&
MessageBody=test_message&
MessageGroupId=abc&
SignatureMethod=HmacSHA256&
SignatureVersion=2&
Timestamp=2019-02-24T15%3A19%3A30-08%3A00&
Version=2012-11-05

3. Putting it All together

GET\nsqs.us-west-2.amazonaws.com\n/007007007/com-test-queue-for-rest-access.fifo\nAWSAccessKeyId=ACCESSKEYID007&Action=SendMessage&MessageBody=test_message&MessageGroupId=abc&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2019-02-24T15%3A19%3A30-08%3A00&Version=2012-11-05

4. Signing Request

Sign the request with the HmacSHA256 method, using the secret key that is generated for AccessKeyId ACCESSKEYID007. Use this JavaScript template to generate the Version 2 signature for the request.

<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/crypto-js.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/hmac-sha256.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/3.1.9-1/enc-base64.min.js"></script>

<script>
// HMAC-SHA256 over the string to sign from Step 3, keyed with the secret key.
var hash = CryptoJS.HmacSHA256("<REQUEST TO BE SIGNED>", "<SECRET KEY FOR ACCESS KEY ID>");
// Base64-encode the raw digest; this is the value of the Signature parameter.
var hashInBase64 = CryptoJS.enc.Base64.stringify(hash);
document.write(hashInBase64);
</script>

Replace the highlighted placeholder variables with the request from Step 3 and the secret key, then save the script as an .html file. When it is launched in a browser, you will get HmacSHA256 text something like the below.

00RMnjGEoRfLanlr//lJxgnQXI07G2LTbkPJirglbs=

5. Build RESTful request

The query string from Step 3 is appended to the query URL.

https://sqs.us-west-2.amazonaws.com/007007007/com-test-queue-for-rest-access.fifo?AWSAccessKeyId=ACCESSKEYID007&Action=SendMessage&MessageBody=test_message&MessageGroupId=abc&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2019-02-24T15%3A19%3A30-08%3A00&Version=2012-11-05

Append the generated signature from Step 4 to the above query:

https://sqs.us-west-2.amazonaws.com/007007007/com-test-queue-for-rest-access.fifo?AWSAccessKeyId=ACCESSKEYID007&Action=SendMessage&MessageBody=test_message&MessageGroupId=abc&SignatureMethod=HmacSHA256&SignatureVersion=2&Timestamp=2019-02-24T15%3A19%3A30-08%3A00&Version=2012-11-05&Signature=00RMnjGEoRfLanlr//lJxgnQXI07G2LTbkPJirglbs=

Use the above query within Postman or with curl to test and verify.
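Steps 2 to 5 as a single Node.js script. This is an added example, not the author's code: it uses Node's built-in crypto module instead of CryptoJS, the function names are illustrative, and the secret key is a constructed placeholder. It also percent-encodes the Base64 signature before appending it, because the signature can contain +, / and =, and a raw + in a query string is read as a space.

```javascript
const { createHmac } = require("crypto");

// RFC 3986 percent-encoding: encodeURIComponent leaves !'()* unescaped, so escape them too.
function rfc3986(value) {
  return encodeURIComponent(value).replace(/[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// Step 2: sort parameter names in case-sensitive byte order, join as name=value pairs.
function canonicalQuery(params) {
  return Object.keys(params)
    .sort((a, b) => Buffer.compare(Buffer.from(a), Buffer.from(b)))
    .map((k) => `${rfc3986(k)}=${rfc3986(params[k])}`)
    .join("&");
}

// Step 3: method, lowercase host, path and canonical query, separated by newlines.
function stringToSign(method, host, path, params) {
  return [method, host.toLowerCase(), path, canonicalQuery(params)].join("\n");
}

// Steps 4 and 5: HMAC-SHA256, Base64, then append the encoded signature to the URL.
function signedUrl(method, host, path, params, secretKey) {
  const signature = createHmac("sha256", secretKey)
    .update(stringToSign(method, host, path, params), "utf8")
    .digest("base64");
  return `https://${host}${path}?${canonicalQuery(params)}&Signature=${rfc3986(signature)}`;
}

// Parameter values from the article, given unsorted and unencoded.
const params = {
  AWSAccessKeyId: "ACCESSKEYID007",
  Version: "2012-11-05",
  Timestamp: "2019-02-24T15:19:30-08:00",
  MessageBody: "test_message",
  Action: "SendMessage",
  MessageGroupId: "abc",
  SignatureMethod: "HmacSHA256",
  SignatureVersion: "2",
};
const HOST = "sqs.us-west-2.amazonaws.com";
const PATH = "/007007007/com-test-queue-for-rest-access.fifo";
// "EXAMPLE-SECRET-KEY" is a constructed placeholder, not a real credential.
console.log(signedUrl("GET", HOST, PATH, params, "EXAMPLE-SECRET-KEY"));
```

A "Request signature mismatch" error usually means the string to sign differs from what AWS rebuilt, so compare the output of stringToSign byte for byte with the Step 3 string before checking the key.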
