View Full Version : AWS SES Signature Version 4

31-Mar-2021, 12:28 AM
I've been happily using AWS SES and Chilkat V 9.5.0 to send emails from our Web-sites for the past 2 years. AWS has now changed to using Signature V4 which relies on an IAM user. Has anyone got this working correctly?

From looking at the Com functions, I have included the following lines of code:

// Signature V4
Set ComPrecomputedSha256 of hoAuthAws to C_SES_Password
Set ComSignatureVersion of hoAuthAws to "AWS4"

I am getting the following error when I test with the Chilkat example, on the following line:

Get ComFullRequestFormUrlEncoded of hoRest "POST" "/" to sResponseXml


<ErrorResponse xmlns="http://ses.amazonaws.com/doc/2010-12-01/">
<Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
x-amz-content-sha256:eda47a4cbba1cd70d2f11e65c5b83bb67905f5e5239 ded38fa1f0b294721fe51

eda47a4cbba1cd70d2f11e65c5b83bb67905f5e5239ded38fa 1f0b294721fe51'

The String-to-Sign should have been
b7d9127f45423f023be8e5206eb882dc590c709d135d8dc3de 69639e5c705842'

I'd be grateful for any suggestions,


31-Mar-2021, 03:42 AM
We are using the REST interface and I have just sent myself a test message an that still seems to be working

I notice you seem to be setting the SignatureVersion to a string. Valid values are 2 or 4

31-Mar-2021, 04:22 AM
this is from a piece of code using AWS SQS

Get Create (RefClass(cComAxChilkatAuthAws)) to hoAuthAWS
Set ComAccessKey of hoAuthAWS to (psAccessKey(Self))
Set ComSecretKey of hoAuthAWS to (psSecretKey(Self))
Set ComRegion of hoAuthAWS to (psRegion(Self))
Set ComServiceName of hoAuthAWS to (psServiceName(Self))

Get ComSetAuthAws of hoRest (pvComObject(hoAuthAWS)) to bSuccess

1-Apr-2021, 12:22 AM
Gentlemen, thanks for your suggestions. I sent a query off to Matt at ChilKat and he has told me that I have version while the first version which has the V4 signing is (September 2020). I am entitled to that under support and he will send me a link to it.


1-Apr-2021, 02:32 AM
Are you sure ?

Something does not quite add up.

Our currently released product uses and I have just sent a message using it fine

For our next but one revision we are testing with

According to Chilkat's own documentation SignatureVersion was introduced in (yes fifty eight) with a default value of 4 (which we have never changed)
AuthAws ActiveX Reference Documentation (chilkatsoft.com) (https://www.chilkatsoft.com/refdoc/xChilkatAuthAwsRef.html#prop15)

According to Amazon docs the stopped supporting signature versions earlier than 4 from 1st Oct 2020
Authenticating requests to the Amazon SES API - Amazon Simple Email Service (https://docs.aws.amazon.com/ses/latest/DeveloperGuide/using-ses-api-authentication.html)

Perhaps we are using something slightly different to you but it does not appear so from what you have posted

Obviously I hope you get it working.

Maybe a gremlin has got into your slightly later version

1-Apr-2021, 07:28 AM
Itís interesting if not confusing. The difference between V2 & V4 is that V4 uses the credentials generated from an IAM identity and has a set of 2 credentials compared to a set of 3 for V2. The email I received told me that after the October deadline, V2 would be throttled rather than blocked. That seems to be the case since our email has continued to operate. Another difference in my case is that I donít use AuthAWS with V2.
Anyway, I will try the same test code with the later version and report what happens.