How to access AWS Secrets Manager through API?
Exception: Status code 400, Invalid Signature, message: The request signature calculated does not match the signature provided. Check your AWS Secret Access Key and signing method.
Suggested method:
Scenario: Python method
- Load the script: use the script below
```python
import boto3
from botocore.exceptions import ClientError


# Wrapped in a function so that the "Invoke method" step has something to call.
def get_secret():
    secret_name = "MySecretName"
    region_name = "us-west-2"

    # boto3 signs the request itself, using the credentials available to the session.
    session = boto3.session.Session()
    client = session.client(
        service_name='secretsmanager',
        region_name=region_name,
    )

    try:
        get_secret_value_response = client.get_secret_value(
            SecretId=secret_name
        )
    except ClientError as e:
        if e.response['Error']['Code'] == 'ResourceNotFoundException':
            print("The requested secret " + secret_name + " was not found")
        elif e.response['Error']['Code'] == 'InvalidRequestException':
            print("The request was invalid due to:", e)
        elif e.response['Error']['Code'] == 'InvalidParameterException':
            print("The request had invalid params:", e)
        elif e.response['Error']['Code'] == 'DecryptionFailure':
            print("The requested secret can't be decrypted using the provided KMS key:", e)
        elif e.response['Error']['Code'] == 'InternalServiceError':
            print("An error occurred on service side:", e)
        else:
            # Do not silently swallow error codes that are not handled above.
            raise
    else:
        # Secrets Manager decrypts the secret value using the associated KMS CMK
        # Depending on whether the secret was a string or binary, only one of these fields will be populated
        if 'SecretString' in get_secret_value_response:
            text_secret_data = get_secret_value_response['SecretString']
        else:
            binary_secret_data = get_secret_value_response['SecretBinary']

        # Your code goes here.
```
- Invoke method
- Get Python object
Scenario: The value sent to AWS, instead of being the string value behind the Secure String, is "System.Security.SecureString".
As mentioned, passing the string does not work because it is converted to System.Security.SecureString.
Check the docs below to generate the signature.
- AWS - Create a string to sign for Signature Version 4
- AWS - Calculate the signature for AWS Signature Version 4
The issue is how to pass the signature to the HTTPClient activity. Passing it as a Secure String does not work: the output, that is, the value added to the header at the other end when the request is sent to AWS, is System.Security.SecureString instead of the string value behind the Secure String. This is because the HTTPClient does not convert the Secure String to its actual value.
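The two signing steps from the docs listed above, carried through for a Secrets Manager GetSecretValue request. This is an added example, not code from the original page; the function name, credentials and timestamp are constructed placeholders. The Authorization value it returns is a plain string, which is the form the header must have when it is sent.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

def sign_get_secret_value(access_key, secret_key, region, secret_id, now):
    """Return (headers, body) for a SigV4-signed GetSecretValue call; `now` must be UTC."""
    service = "secretsmanager"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    body = json.dumps({"SecretId": secret_id})
    headers = {
        "content-type": "application/x-amz-json-1.1",
        "host": f"{service}.{region}.amazonaws.com",
        "x-amz-date": amz_date,
        "x-amz-target": "secretsmanager.GetSecretValue",
    }
    # Canonical request: method, path, empty query, sorted headers, payload hash.
    signed = ";".join(sorted(headers))
    canonical = "\n".join([
        "POST", "/", "",
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed, hashlib.sha256(body.encode()).hexdigest(),
    ])
    # String to sign: algorithm, timestamp, credential scope, hash of the canonical request.
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical.encode()).hexdigest(),
    ])
    # Signing key: HMAC chain over date, region, service and the fixed terminator.
    key = ("AWS4" + secret_key).encode()
    for part in (date_stamp, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    # The header value is an ordinary str; any change to body or headers invalidates it.
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}"
    )
    return headers, body

if __name__ == "__main__":  # constructed placeholder credentials and timestamp
    when = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    hdrs, _ = sign_get_secret_value(
        "AKIAEXAMPLEKEYID", "example-secret-key", "us-west-2", "MySecretName", when)
    print(hdrs["authorization"])
```

The request must be sent with exactly the headers and body that were signed; a mismatch in any of them, or a wrong secret access key, produces the "request signature ... does not match" error quoted at the top of the page.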