Greetings.
I'm trying to use the aws/glacier package, and running into a problem where I'm
being told:
Credential should be scoped to a valid region, not 'eu-west-1'
I'm following the instructions at
<https://github.com/greghendershott/aws/blob/master/aws/manual.md>
My test code is:
% cat glacier.rkt
#lang racket/base
(require aws/glacier
aws/keys)
(define vault "testvault")
(region "eu-west-1")
(read-keys "aws-zbu-credentials") ; local file
(module+ main
(printf "region=~a~%" (region))
(printf "Vaults: ~s~%" (list-vaults))
(printf "...specifically: ~s~%" (describe-vault vault)))
Running this produces:
% racket glacier.rkt
region=eu-west-1
aws: HTTP/1.1 403 Forbidden
x-amzn-RequestId: Un3-L2zlaJBPyrIVKJrWuQcqtMMYQAr34gYUOSScg6Qepc4
Content-Type: application/json
Content-Length: 129
Date: Sat, 27 Sep 2014 18:35:50 GMT
{"message":"Credential should be scoped to a valid region, not
'eu-west-1'. ","code":"InvalidSignatureException","type":"Client"}
HTTP 403 "Forbidden". AWS Code="InvalidSignatureException"
Message="Credential should be scoped to a valid region, not 'eu-west-1'. "
context...:
check-response
/Users/norman/Library/Racket/6.1/pkgs/aws/aws/glacier.rkt:97:22: temp68
request/redirect/uri
(submod /checkouts/me/code/zbu/glacier.rkt main): [running body]
Things I thought of:
* Printing (public-key)/(private-key) indicates that the credentials are
being read correctly.
* When I change the argument of (region) to "us-west-1", that's the region
that appears in the error message.
* My "testvault" vault is in eu-west-1 (and this is indeed one of the valid
regions for glacier, reported in
<http://docs.aws.amazon.com/general/latest/gr/rande.html> and which does have a
host at http://glacier.eu-west-1.amazonaws.com
* As far as I can see, credentials are _not_ scoped, but are all at us-east-1.
*
<http://docs.aws.amazon.com/general/latest/gr/signature-v4-troubleshooting.html>
says that "IAM [...] accepts only us-east-1 as its region specification", so
I'm taking it that (region) is for setting the _vault_'s region.
* I'm not a great AWS expert, so I could have something in my setup broken;
but if so, I've no clue what.
If, however, I change the (region) argument to "us-east-1", I get a different
error message "User: arn:aws:iam::786725553169:user/zbu is not authorized to
perform: glacier:ListVaults on resource:
arn:aws:glacier:us-east-1:786725553169:vaults/" That makes sense, since
there's no such vault, but it's interesting that it gets _further_ when the
(region) matches the region for the IAM service.
I don't see any other (region) equivalents for the other services supported by
the package. Is that because all of the other services supported by the
package are supported by all the AWS regions, or am I missing a configuration?
Thanks for any pointers.
All the best,
Norman
--
Norman Gray : http://nxg.me.uk
SUPA School of Physics and Astronomy, University of Glasgow, UK
____________________
Racket Users list:
http://lists.racket-lang.org/users
