AWS IOT - Credential should be scoped to correct service

amazon-web-services aws-sdk iot aws-iot
Robby picture Robby · Feb 12, 2016 · Viewed 7.5k times · Source

I am trying to access a simple AWS IOT REST service but I have not been able to do so successfully yet. Here is what I did.

  1. I created an iam user in my aws and downloaded the access key and secret key
  2. Logged into AWS IOT with that user and created a "thing"
  3. From the thing's property I found the REST URL for the shadow
  4. Used Postman with the new "aws signature" feature and provided it with the access key, secret key, region (us-east-1) and service name (iot)

  5. Tried to "GET" the endpoint and this is what I got -

    { "message": "Credential should be scoped to correct service. ", "traceId": "be056198-d202-455f-ab85-805defd1260d" }

  6. I thought there is something wrong with postman so I tried using aws-sdk-sample example of connecting to S3 and changed it to connect to the IOT URL. Here is my program snippet (Java)

    String awsAccessKey = "fasfasfasdfsdafs";
String awsSecretKey = "asdfasdfasfasdfasdfasdf/asdfsdafsd/fsdafasdf";

URL  endpointUrl = null;
String regionName = "us-east-1";
try {
    endpointUrl = new URL("https://dasfsdfasdf.iot.us-east-1.amazonaws.com/things/SOMETHING/shadow");
}catch (Exception e){
    e.printStackTrace();
}
Map<String, String> headers = new HashMap<String, String>();
headers.put("x-amz-content-sha256", AWSSignerBase.EMPTY_BODY_SHA256);

AWSSignerForAuthorizationHeader signer = new AWSSignerForAuthorizationHeader(
        endpointUrl, "GET", "iot", regionName);
String authorization = signer.computeSignature(headers,
        null, // no query parameters
        AWSSignerBase.EMPTY_BODY_SHA256,
        awsAccessKey,
        awsSecretKey);

// place the computed signature into a formatted 'Authorization' header
// and call S3
headers.put("Authorization", authorization);
String response = HttpUtils.invokeHttpRequest(endpointUrl, "GET", headers, null);
System.out.println("--------- Response content ---------");
System.out.println(response);
System.out.println("------------------------------------");

This gives me the same error - 

--------- Request headers ---------
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Authorization: AWS4-HMAC-SHA256 Credential=fasfasfasdfsdafs/20160212/us-east-1/iot/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=3b2194051a8dde8fe617219c78c2a79b77ec92338028e9e917a74e8307f4e914
x-amz-date: 20160212T182525Z
Host: dasfsdfasdf.iot.us-east-1.amazonaws.com
--------- Response content ---------
{"message":"Credential should be scoped to correct service. ","traceId":"cd3e0d96-82fa-4da5-a4e1-b736af6c5e34"}
------------------------------------

Can someone tell me what I am doing wrong please? AWS documentation does not have much information on this error. Please help

Answer

Firas Al Mannaa picture Firas Al Mannaa · Mar 22, 2016

Sign your request with iotdata instead if iot
example: 

AWSSignerForAuthorizationHeader signer = new AWSSignerForAuthorizationHeader(
    endpointUrl, "GET", "iotdata", regionName);

Related questions

How to check if a specified key exists in a given S3 bucket using Java

I would like to check if a key exists in a given bucket using Java. I looked at the API but there aren't any methods that are useful. I tried to use getObject but it threw an exception.

Read More
The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256

I get an error AWS::S3::Errors::InvalidRequest The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256. when I try upload file to S3 bucket in new Frankfurt region. All works properly with US Standard region. …

Read More
Configuring region in Node.js AWS SDK

Can someone explain how to fix a missing config error with Node.js? I've followed all the examples from the aws doc page but I still get this error no matter what. { [ConfigError: Missing region in config] message: 'Missing region …

Read More