Pre Signed web socket url - Unauthorized URL

[Thekkedath]

I am trying to generate a pre-signed web socket URL to get real time messaging notification for the AWS chime in the frontend as shown here . I planning to get this deployed as separate back end API using lambda. I followed exactly as shown in these examples https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html but I am getting "unauthorized" error when connecting to this generated URL in the front end. Can any one help me with what needs to be done to generate this pre-signed URL in python? I think I am using the wrong host/service parameters for chime.

import json
import boto3
import urllib.parse
import requests
import uuid
import datetime
import sys, os, base64, datetime, hashlib, hmac
import os

def sign(key, msg):
    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()

def getSignatureKey(key, dateStamp, regionName, serviceName):
    kDate = sign(('AWS4' + key).encode('utf-8'), dateStamp)
    kRegion = sign(kDate, regionName)
    kService = sign(kRegion, serviceName)
    kSigning = sign(kService, 'aws4_request')
    return kSigning
    

def lambda_handler(event, context):
    method = 'GET'
    algorithm = 'AWS4-HMAC-SHA256'
    service = 'chime'
    host = 'chime.amazonaws.com'
    region = 'us-east-1'

    #Getting the messaging endpoint using boto3
    client = boto3.client('chime',region_name='us-east-1')
    endpoint='wss://'+client.get_messaging_session_endpoint()['Endpoint']['Url']

    user_id=event['queryStringParameters'].get('userId')
    session_id=event['queryStringParameters'].get('sessionId')
    user_id_arn=f'arn:aws:chime:us-east-1:11******:app-instance/03457-*****-412345-b3e4-123444/user/{user_id}'

    access_key=os.environ['access_key']
    secret_key=os.environ['secret_key']

    #Following the steps as shown in the AWS documentation https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html
    t = datetime.datetime.utcnow()
    amz_date = t.strftime('%Y%m%dT%H%M%SZ')
    datestamp = t.strftime('%Y%m%d')
    credential_scope=urllib.parse.quote(f'{access_key}/{datestamp}/us-east-1/chime/aws4_request', safe='')

    canonical_uri = '/connect'
    payload_hash = hashlib.sha256(('').encode('utf-8')).hexdigest()
    canonical_headers = 'host:' + host + '\n'
    signed_headers = 'host'
    credential_scope=urllib.parse.quote(f'{access_key}/{datestamp}/us-east-1/chime/aws4_request', safe='')

    canonical_querystring=''
    canonical_querystring+='?X-Amz-Algorithm=AWS4-HMAC-SHA256'
    canonical_querystring+=f'&X-Amz-Credential={credential_scope}'
    canonical_querystring += '&X-Amz-Date=' + amz_date
    canonical_querystring += '&X-Amz-SignedHeaders=' + signed_headers
    canonical_querystring += '&X-Amz-Expires=3600'
    canonical_querystring += '&sessionId=' + session_id
    canonical_querystring += '&userArn=' + user_id_arn

    canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash
    hashed_canonical_request=hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()
    string_to_sign = algorithm + '\n' +  amz_date + '\n' +  credential_scope + '\n' +  hashed_canonical_request
    signing_key = getSignatureKey(secret_key, datestamp, region, service)
    signature = hmac.new(signing_key, (string_to_sign).encode("utf-8"), hashlib.sha256).hexdigest()
    canonical_querystring += '&X-Amz-Signature=' + signature
    request_url = endpoint  + canonical_uri+canonical_querystring

    return_dict={'wssUrl':request_url}
    return return dict`
```

[simmkyu]

The Chime SDK for JavaScript has an example of creating a pre-signed URL in JavaScript.

amazon-chime-sdk-js/src/messagingsession/DefaultMessagingSession.ts

Lines 125 to 133 in 327c546

	return this.sigV4.signURL(
	'GET',
	'wss',
	'chime',
	this.configuration.endpointUrl,
	'/connect',
	'',
	queryParams
	);

amazon-chime-sdk-js/src/sigv4/DefaultSigV4.ts

Line 53 in 327c546

signURL(

---

In the JavaScript example:

• The host is set to the endpoint from the getMessagingSessionEndpoint API action, e.g., The host looks like *.ue1.ws-messaging.chime.aws. Could you also use this endpoint for host?

  client.get_messaging_session_endpoint()['Endpoint']['Url']
  

• The service name is chime.
• The generated WebSocket URL looks like the following:

  wss://<node>.ue1.ws-messaging.chime.aws/connect?X-Amz-Algorithm=AWS4-HMAC-SHA256
    &X-Amz-Credential=<credential>
    &X-Amz-Date=20210501T014747Z
    &X-Amz-Expires=10
    &X-Amz-Security-Token=<session-token>
    &X-Amz-SignedHeaders=host
    &X-Amzn-User-Agent=chrome-90
    &X-Amzn-Version=2.8.0
    &sessionId=<session-id>
    &userArn=<app-instance-user-arn>
    &X-Amz-Signature=<signature>
  

Also, ensure that your role policy contains chime:Connect and chime:GetMessagingSessionEndpoint.

[Thekkedath]

Thank you for the quick response. The host I used earlier was the output from chime:GetMessagingSessionEndpoint and when I got this unauthorized error, I tried with the new host which is mentioned in that code.

The suggestions from your side was very helpful and I modified my code accordingly. But even then I am getting the same error as before.

The access_key_id and the secret_key I am using to sign this presigned URL has Admin rights to chime. So I am not sure why I am getting this unauthorized error.

[simmkyu]

Based on your code, I updated the handler with these key changes:

• Encoded the app instance user ID ARN (user_id_arn)
• credential_scope follows the format in the developer guide
• Used quote_plus for X-Amz-Credential
• Included the session_token but it's optional in the Amazon Chime SDK for JavaScript too.

The following handler worked okay using Python 3.7.7.

Could you replace 7 variables with your values and try again?

import json
import boto3
import urllib.parse
import requests
import uuid
import datetime
import sys, os, base64, datetime, hashlib, hmac
import os

def sign(key, msg):
    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()

def getSignatureKey(key, dateStamp, regionName, serviceName):
    kDate = sign(('AWS4' + key).encode('utf-8'), dateStamp)
    kRegion = sign(kDate, regionName)
    kService = sign(kRegion, serviceName)
    kSigning = sign(kService, 'aws4_request')
    return kSigning
    
def handler():
    # TODO: Replace with your info
    session_id= # <session_id>
    user_id_arn= # <user_id_arn>
    access_key= # <access_key>
    secret_key= # <secret_key>
    session_token= # <session_token>

    # URL works without these query params, but the Amazon Chime SDK for JavaScript appends these params.
    user_agent= # e.g., 'chrome-90'
    sdk_version= # e.g., '2.8.0'

    # Following the steps as shown in the AWS documentation https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html
    t = datetime.datetime.utcnow()
    amz_date = t.strftime('%Y%m%dT%H%M%SZ')
    datestamp = t.strftime('%Y%m%d')

    # Getting the messaging endpoint using boto3
    client = boto3.client('chime',region_name='us-east-1')
    hostname = client.get_messaging_session_endpoint()['Endpoint']['Url']    

    method = 'GET'
    service = 'chime'
    region = 'us-east-1'
    canonical_uri = '/connect'
    canonical_headers = 'host:' + hostname + '\n'
    signed_headers = 'host'
    algorithm = 'AWS4-HMAC-SHA256'
    credential_scope = datestamp + '/' + region + '/' + service + '/' + 'aws4_request'

    canonical_querystring = ''
    canonical_querystring += 'X-Amz-Algorithm=AWS4-HMAC-SHA256'
    canonical_querystring += '&X-Amz-Credential=' + urllib.parse.quote_plus(access_key + '/' + credential_scope)
    canonical_querystring += '&X-Amz-Date=' + amz_date
    canonical_querystring += '&X-Amz-Expires=3600'
    canonical_querystring += '&X-Amz-Security-Token=' + urllib.parse.quote(session_token, safe='')
    canonical_querystring += '&X-Amz-SignedHeaders=' + signed_headers
    canonical_querystring += '&X-Amzn-User-Agent=' + user_agent
    canonical_querystring += '&X-Amzn-Version=' + sdk_version
    canonical_querystring += '&sessionId=' + urllib.parse.quote(session_id, safe='')
    canonical_querystring += '&userArn=' + urllib.parse.quote(user_id_arn, safe='')

    payload_hash = hashlib.sha256(('').encode('utf-8')).hexdigest()
    canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash
    string_to_sign = algorithm + '\n' +  amz_date + '\n' +  credential_scope + '\n' +  hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()
    signing_key = getSignatureKey(secret_key, datestamp, region, service)
    signature = hmac.new(signing_key, (string_to_sign).encode('utf-8'), hashlib.sha256).hexdigest()
    canonical_querystring += '&X-Amz-Signature=' + signature
    request_url = 'wss://' + hostname + canonical_uri + '?' + canonical_querystring
    return_dict={'wssUrl':request_url}

    return return_dict

[Thekkedath]

Thanks again @simmkyu . I just tried the code after filling in the required values. And I am still getting the same unauthorized error. This is how the front end developer is connecting to the web socket url in the front end const socket = new WebSocket(url.data);. Should we change something in the FE?. Please advice.

[simmkyu]

To test the Python's pre-signed URL, I ran the following code in the browser console and received at least one message event.

var webSocket = new WebSocket(preSignedURL, []);
webSocket.addEventListener('open', () => {
  console.log('open');
});
webSocket.addEventListener('message', (event) => {
  console.log('message with event: ', event);
});
webSocket.addEventListener('close', (event) => {
  console.log('close with event: ', event);
});
webSocket.addEventListener('error', (error) => {
  console.log('error', error);
});

---

I also received the close event with the unauthorized error when I put an invalid user_id_arn in the above Python snippet. Could you ensure that you already created the App Instance User ID under your AWS account?
https://docs.aws.amazon.com/cli/latest/reference/chime/create-app-instance-user.html

For reference, my user_id_arn is in the following shape:

arn:aws:chime:us-east-1:123456789012:app-instance/f568b4fd-cc50-4a70-a88e-fd07351d3c2a/user/custom-user-id

[Thekkedath]

Finally it worked. Thank you very much for your help @simmkyu. The issue with my code was we have to pass the user_id_arn as
arn%3Aaws%3Achime%3Aus-east-1%3A123456789012%3Aapp-instance%2f5abcdefg-cc50-4a70-a88e-fd07351d3c2a%2Fuser%2Fcustom-user-id instead of arn:aws:chime:us-east-1:123456789012:app-instance/f5abcdefg-cc50-4a70-a88e-fd07351d3c2a/user/custom-user-id.

The python code you gave we works when we remove the X-Amzn-User-Agent=' '&X-Amzn-Version=' from the QueryParams. Thank you very much for you help again.