azavea / django-amazon-ses

A Django email backend that uses Boto3 to interact with Amazon Simple Email Service (SES).

Need to update the signature version for authentication?

singhravi1 opened this issue

Got this email from AWS today.

Amazon Web Services currently supports Amazon SES API requests that are signed using Signature Version 3 and Signature Version 4 processes. Signature Version 4 further enhances the security around authentication and authorization of Amazon SES customers by using a signing key instead of your secret access key. To improve the security for our customers, beginning October 1, 2020, Amazon Signature Version 3 will be turned off (deprecated) in Amazon SES in favor of Signature Version 4.

Amazon SES customers who are still using Signature Version 3 must migrate to Signature Version 4 by September 30, 2020. After that, Amazon SES will only accept requests that are signed using Signature Version 4. For more information, see Signature Version 4 signing process [1].

What Happens if I Don't Make Updates?

Requests signed with Signature Version 3 that are made after September 30, 2020 will fail to authenticate with Amazon SES. Requesters will see errors stating that the request must be signed with Signature Version 4.

References:
[1] https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html

Will this be handled by boto3, or will we have to make any changes?

Seems like boto3 handles this itself?

Excerpt from the AWS Signature Version 4 signing process:

If you are using one of the AWS SDKs (including the SDK for C++, SDK for Go, SDK for Java, AWS SDK for JavaScript, AWS SDK for .NET, SDK for PHP, SDK for Python (Boto 3), or SDK for Ruby), you do not have to manually perform the steps of deriving a signing key and adding authentication information to a request. The SDKs perform this work for you. You need to manually sign requests only if you are directly making HTTP or HTTPS requests.

This is my understanding as well. Inspecting the API calls in DEBUG mode reveals that Signature Version 4 is being used for interactions with the region I've targeted (us-east-1).

See also: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingAWSSDK.html#specify-signature-version

For all AWS Regions, AWS SDKs use Signature Version 4 by default to authenticate requests. When using AWS SDKs that were released before May 2016, you might be required to request Signature Version 4, as shown in the following table.

Going to close this for now, but please reopen if you see any contrary evidence.
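
The check discussed in this thread (which signature version a request carries) and the "signing key instead of your secret access key" point from the AWS notice, as an added example that is not part of the issue or of django-amazon-ses. It uses only the Python standard library; the function names, sample headers, key id and secret are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample headers (not captured traffic); key ids and signatures are placeholders.
SAMPLE_V4 = {
    "Authorization": "AWS4-HMAC-SHA256 "
    "Credential=AKIDEXAMPLE/20200930/us-east-1/ses/aws4_request, "
    "SignedHeaders=content-type;host;x-amz-date, Signature=0123abcd",
}
SAMPLE_V3 = {
    "X-Amzn-Authorization": "AWS3-HTTPS AWSAccessKeyId=AKIDEXAMPLE, "
    "Algorithm=HmacSHA256, Signature=c2lnbmF0dXJl",
}

SIGV4_RE = re.compile(
    r"^AWS4-HMAC-SHA256 Credential=[^/]+/(\d{8})/([^/]+)/([^/]+)/aws4_request,"
)


def credential_scope(headers):
    """Return (date, region, service) from a SigV4 Authorization header, else None."""
    lowered = {k.lower(): v for k, v in headers.items()}
    match = SIGV4_RE.match(lowered.get("authorization", ""))
    return match.groups() if match else None


def classify_request(headers):
    """Label a request 'v4', 'v3' or 'unknown' by its authentication header."""
    if credential_scope(headers):
        return "v4"
    lowered = {k.lower(): v for k, v in headers.items()}
    if lowered.get("x-amzn-authorization", "").startswith("AWS3-HTTPS "):
        return "v3"
    return "unknown"


def derive_signing_key(secret_key, date, region, service):
    """SigV4 signing key: HMAC-SHA256 chained over date, region, service, terminator."""
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode("utf-8"), hashlib.sha256).digest()
    return key


if __name__ == "__main__":
    for name, hdrs in (("v4 sample", SAMPLE_V4), ("v3 sample", SAMPLE_V3)):
        print(name, classify_request(hdrs), credential_scope(hdrs))
    print(derive_signing_key("constructed-secret", *credential_scope(SAMPLE_V4)).hex())
```

Because the derived key is bound to one date, region and service, a leaked signing key is far less useful than the long-term secret access key it was computed from.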