signature=3bed159966be4e0143cfc019c5f1b89b,AWS Signature Mismatched Calculation-CSDN博客

**** PLEASE SCROLL DOWN TO UPDATE FIRST ****

**** ISSUE SOLVED, BUT LEFT MY INFO FOR OTHER NOT TO MAKE THE SAME MISTAKE ****

@SamvelRaja Thanks for your update and the new v4.8.0 Postman (and v3.1.2 Nemman) release. I tried both new versions in my specific case and the update does not seem to have fixed my issue. I first tried the new Newman release in my CI/CD solution but it did not work. Because it is more difficult to debug there I switched to Postman for debugging.

Using the new v4.8.0 Postman I still have the same issue. When trying to call my AWS API Gateway which is secured with IAM credentials (that is why I need the Sigv4 authorization) I still have errors.

Authorization config (vars are correctly loaded):

My header after sending the POST:

Authorization header:

AWS4-HMAC-SHA256 Credential=ASIAIWFE3XX7CS*****/20161016/eu-central-1/execute-api/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-api-key, Signature=4b204f8408d2c6c362eefe9387b2df88bed7447e1dd39e5bea08a6*********

Error retrieving:

"message": "The security token included in the request is invalid."

Now comes the interesting part: when I use the generated cURL code from this exact call everything works fine!

generated cURL:

curl -X GET -H "x-api-key: 3UkX1NRc5t310k5rrqBna6x3c5hoAJen9B******" -H "x-amz-security-token: AgoGb3JpZ2luE****" -H "Content-Type: application/x-www-form-urlencoded" -H "X-Amz-Date: 20161016T083150Z" -H "Authorization: AWS4-HMAC-SHA256 Credential=ASIAIWFE3XX7CS******/20161016/eu-central-1/execute-api/aws4_request, SignedHeaders=content-type;host;x-amz-date;x-api-key, Signature=4b204f8408d2c6c362eefe9387b2df88bed7447e1dd39e5bea08a6b6bd******" -H "Cache-Control: no-cache" -H "Postman-Token: 93e74922-6357-d266-4819-440b8c395cf8" "https://*****.execute-api.eu-central-1.amazonaws.com/dev/info"

Must be something different in Postman/Newman executing the request and the actual request from the generated cURL

If you need any additional info or want to do so debugging together, please contact me...

Appreciating your effort in fixing this bug!

UPDATE: did some additional debugging.

I just found out about the 'console' function in Postman and tried to do the request again:

I think the problem is that Postman never includes the 'x-amz-security-token' header in the request? It is defined (see screenshot above) but the console does not show it.

This led me to the fact that I was an idiot and that I did not notice that the new solution in v4.8.0 required an additional parameter in the Authorization especially for this: