Skip to content

CodeCommit credentials-helper does not endcode url before creating canonical request #9327

New issue
New issue
Closed
Closed
CodeCommit credentials-helper does not endcode url before creating canonical request#9327
Assignees
RyanFitzSimmonsAK
Labels
bugThis issue is a bug.codecommitp2This is a standard priority issue
@vgamz

Description

@vgamz
vgamz
opened on Feb 26, 2025

Describe the bug

CodeCommit's credential-helper is the recommended way to sign the request and pass SigV4 credentials to git protocol requests.
It seems that the cli is not encoding the URL path before creating canonical request. This causes signature mismatch on the service side when there is a special character in the path.

aws-cli/awscli/customizations/codecommit.py

Line 151 in c9deba6

request.url = url_to_sign

Creating SigV4 signed request
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html

Regression Issue

  • Select this option if this issue appears to be a regression.

Expected Behavior

credential-helper should encode the url path before creating canonical request. If adding encoding might be backward incompatible the cli can take in it as a parameter.

Current Behavior

As the url path is currently not encoded, the signature computed at the service does not match the signature in the request.

Reproduction Steps

git clone https://codeconnections/account/specialCharacterInPath
request fails

Possible Solution

No response

Additional Information/Context

No response

CLI version used

2

Environment details (OS name and version, etc.)

Mac OS 15

Metadata

Metadata

Assignees

Labels

bugThis issue is a bug.codecommitp2This is a standard priority issue

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions