Hi, Norman. I logged an issue for this:
https://github.com/greghendershott/aws/issues/32 I see the problem (or at least the main problem) and will push a fix. The bug is embarrassing, not just because it's such a silly mistake, but it's something a unit test could have caught. (I could say that doing unit tests for Glacier is challenging, because the retrieval process can take hours. Although that's true, I could have done more to test _some_ operations working among various regions.) On Sat, Sep 27, 2014 at 4:14 PM, Norman Gray <nor...@astro.gla.ac.uk> wrote: > > Greetings. > > I'm trying to use the aws/glacier package, and running into a problem where > I'm being told: > > Credential should be scoped to a valid region, not 'eu-west-1' > > I'm following the instructions at > <https://github.com/greghendershott/aws/blob/master/aws/manual.md> > > My test code is: > > % cat glacier.rkt > #lang racket/base > > (require aws/glacier > aws/keys) > > (define vault "testvault") > (region "eu-west-1") > (read-keys "aws-zbu-credentials") ; local file > > (module+ main > (printf "region=~a~%" (region)) > (printf "Vaults: ~s~%" (list-vaults)) > (printf "...specifically: ~s~%" (describe-vault vault))) > > Running this produces: > > % racket glacier.rkt > region=eu-west-1 > aws: HTTP/1.1 403 Forbidden > x-amzn-RequestId: Un3-L2zlaJBPyrIVKJrWuQcqtMMYQAr34gYUOSScg6Qepc4 > Content-Type: application/json > Content-Length: 129 > Date: Sat, 27 Sep 2014 18:35:50 GMT > > {"message":"Credential should be scoped to a valid region, not > 'eu-west-1'. ","code":"InvalidSignatureException","type":"Client"} > HTTP 403 "Forbidden". AWS Code="InvalidSignatureException" > Message="Credential should be scoped to a valid region, not 'eu-west-1'. " > context...: > check-response > /Users/norman/Library/Racket/6.1/pkgs/aws/aws/glacier.rkt:97:22: temp68 > request/redirect/uri > (submod /checkouts/me/code/zbu/glacier.rkt main): [running body] > > Things I thought of: > > * Printing (public-key)/(private-key) indicates that the credentials are > being read correctly. > * When I change the argument of (region) to "us-west-1", that's the region > that appears in the error message. > * My "testvault" vault is in eu-west-1 (and this is indeed one of the valid > regions for glacier, reported in > <http://docs.aws.amazon.com/general/latest/gr/rande.html> and which does have > a host at http://glacier.eu-west-1.amazonaws.com > * As far as I can see, credentials are _not_ scoped, but are all at > us-east-1. > * > <http://docs.aws.amazon.com/general/latest/gr/signature-v4-troubleshooting.html> > says that "IAM [...] accepts only us-east-1 as its region specification", so > I'm taking it that (region) is for setting the _vault_'s region. > * I'm not a great AWS expert, so I could have something in my setup broken; > but if so, I've no clue what. > > If, however, I change the (region) argument to "us-east-1", I get a different > error message "User: arn:aws:iam::786725553169:user/zbu is not authorized to > perform: glacier:ListVaults on resource: > arn:aws:glacier:us-east-1:786725553169:vaults/" That makes sense, since > there's no such vault, but it's interesting that it gets _further_ when the > (region) matches the region for the IAM service. > > I don't see any other (region) equivalents for the other services supported > by the package. Is that because all of the other services supported by the > package are supported by all the AWS regions, or am I missing a configuration? > > Thanks for any pointers. > > All the best, > > Norman > > > -- > Norman Gray : http://nxg.me.uk > SUPA School of Physics and Astronomy, University of Glasgow, UK > > > ____________________ > Racket Users list: > http://lists.racket-lang.org/users ____________________ Racket Users list: http://lists.racket-lang.org/users
