Amplify-js: Q: API: 403 The request signature we calculated does not match the signature you provided

I'm using aws-amplify-react-native and was running into this issue as well. After digging around for a bit, it appears to be coming from the canonical_request function in Signer.js. (in aws-amplify, it appears to be the same in Signer.ts)
the return statement shows:
return [request.method || '/', url_info.path, .....
however this should be url_info.pathname instead of url_info.path
url_info.path includes the query string along with the path, whereasurl_info.pathname is simply the path by itself.
Also, if your query string has more than one parameter it will throw the same 403 error due to the parameters not being sorted per the signature version 4 specs.
When I sort the parameters and modify the return statement appropriately, my calls are successful

var sorted_query = url_info.query ? url_info.query.split('&').sort((a,b) => a < b ? -1 : 1).join('&') : '';
return [request.method || '/', url_info.pathname, sorted_query, canonical_headers(request.headers), signed_headers(request.headers), hash(request.data)].join('\n');

This helps with GETs. There's still an issue with PUTs though.

Any updates on this? This makes API unusable.

@roosi @ephopper when you pass query string parameters, you need to pass them as part of the init argument object with the queryStringParameters object on the API request. This is because the rest api setup with the cli is a lambda proxy integration:

let items = await API.get('sampleCloudApi', '/items', {
  'queryStringParameters': {
    'test': '1'
  }
});

You can then access them within Lambda on the event["queryStringParameters"]['...']

I'm wondering if anyone working on the aws-amplify code-base has suggestions on this for the aws-mobile-react-native-starter (petfinder). Right now, at least on multiple builds with different variations of the aws-amplify, different JDK versions (most recently: jdk1.8.0_151.jdk, but have tried others), and variations within the package.json, I continue to have 403-errors with an API.post that is using the format in the docs (e.g.: return await API.post(apiName, path, myInit); ) -- I'm happy to add more and/or to try other combinations of versions if there are suggestions.

@twoolf The react native starter has included some changes in awslabs/aws-mobile-react-native-starter#39, in particular to fix the signing process (See #128 and #129)

Please try with the latest versions of both the starter and the aws-amplify-react-native packages and let us know how it goes.

@mlabieniec looks like #127 says this is not supported yet

Added the work around suggested by @ephopper
https://github.com/aws/aws-amplify/pull/190

released the fix

I believe i'm having issues with this topic as well.. How do you access queryStringParameter?, if I remove the extra JSON argument in the call to API.get it works perfect! I'm just trying to figure out if this is indeed a problem with AWS amplify and how i'm sending the JSON parameter. Thank you in advance if you can push me in the correct direction.

My client side code (aws-amplify 0.2.11 ):
return API.get('trips','/days', {'queryStringParameters': {'param1': "99b60260-363c-11e8-b7ca-250a890d0675"}})

My API side code ( using serverless-webpack v 1.6.0, aws sdk v 2.202.0 ) :
serverless.yml file :

listDays:
        handler: listDays.main
        events:
          - http:
              path: days
              method: get
              cors: true
              authorizer: aws_iam

API-javascript listDays.js code trying to access the event, the event.queryStringParameter.param1 just causes an error because it's null:

export async function main(event,context,callback) {

    const params = {
        TableName: "DAYS",

        KeyConditionExpression: "tripId = :tripId",
        ExpressionAttributeValues: {
            ":tripId": event.queryStringParameters.param1
        }
    }

  //console.log(data.tripId)
    try {
        //result will return an array of trips
        const result = await dynamoDbLib.call("query", params)
        callback(null, success(result.Items))
    } catch (e) {
        callback(null, failure({status: false}))
    }
}

@causingchaos2 to use query params depends on how your Lambda is setup i.e. API Gateway lambda proxy. If you are using a standard API Gateway lambda proxy (for example if you've bootstrapped your app with the awsmobile-cli) you will need to update the express backend awsmobilejs/backend/cloud-api/sampleLambda/app.js file with the middleware:

var awsServerlessExpressMiddleware = require('aws-serverless-express/middleware')
app.use(awsServerlessExpressMiddleware.eventContext())

Then within your request:

app.get('/items', function(req, res) {
  // req.apiGateway.event.queryStringParameters
  res.json(req.apiGateway.event)
});

From the client you would just pass as usual:

API.get('sampleCloudApi', '/items?q=test');

Sorry to ping a dead issue but I'm just starting out with AWS Amplify on a fresh reach native project (but i'm not new to AWS overall though). I started a fresh RN project, installed and set up the amplify-cli including creating my IAM user. I then simply ran amplify init and immediately got this error. Any advice on how to troubleshoot? Thank you in advance!

Here's the error after amplify init ran:

Stephens-MacBook-Pro-2:wayward stephentetreault$ amplify init
Note: It is recommended to run this command from the root of your app directory
? Choose your default editor: Visual Studio Code
? Choose the type of app that you're building javascript
Please tell us about your project
? What javascript framework are you using react-native
? Source Directory Path:  /
? Distribution Directory Path: /
? Build Command:  npm run-script build
? Start Command: npm run-script start

Using default provider awscloudformation

For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html

? Do you want to use an AWS profile? Yes
? Please choose the profile you want to use stephen-amplify
⠼ Initializing project in the cloud...An error occurred when creating the CloudFormation stack
✖ Root stack creation failed
init failed

{ SignatureDoesNotMatch: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
message:
   'The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.',
  code: 'SignatureDoesNotMatch',
  time: 2019-02-10T21:50:29.594Z,
  requestId: 'e1e9fa28-2d7d-11e9-9bba-0d7e5eb043f9',
  statusCode: 403,
  retryable: false,
  retryDelay: 13.697091893611656 }

An error occurred when  creating the CloudFormation stack

nevermind, something really freaky mustve occurred when I made the amplify user. I see in .aws/credentials after the key it for some reason appended the characters " Hide"... no clue how that happened. Any ideas? Either way, amplify init is working now that I've removed that.

I have a similar issue. I generated access key and secret access key id and configured it using aws configure and ran amplify -init after that; however it is posting signature mismatch error. I had read from other posts and made the secret access key without the '/' sign but it does not work. Following is the log.
root@wynud7-Inspiron-15-3567:~/AndroidStudioProjects/sudoku2# amplify init
Note: It is recommended to run this command from the root of your app directory
? Enter a name for the project sudoku2
? Enter a name for the environment android
? Choose your default editor: IntelliJ IDEA
? Choose the type of app that you're building android
Please tell us about your project
? Where is your Res directory: /home/wynud7/AndroidStudioProjects/sudoku2/app/s
rc/main/res/
Using default provider awscloudformation

For more information on AWS Profiles, see:
https://docs.aws.amazon.com/cli/latest/userguide/cli-multiple-profiles.html

? Do you want to use an AWS profile? Yes
? Please choose the profile you want to use default
init failed
InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/apps

host:amplify.us-east-2.amazonaws.com
x-amz-content-sha256:f575beb7fd554b765c5c31946384189052c43169fa9e58a33f48db1691cd6b62
x-amz-date:20200405T140501Z

host;x-amz-content-sha256;x-amz-date
f575beb7fd554b765c5c31946384189052c43169fa9e58a33f48db1691cd6b62'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20200405T140501Z
20200405/us-east-2/amplify/aws4_request
8a2f322d388fcdf316aaeee1ca1bf20b541324ced60952ca66b386e1f6e2f2c4'

at Object.extractError (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/protocol/json.js:51:27)
at Request.extractError (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/protocol/rest_json.js:55:8)
at Request.callListeners (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/usr/local/lib/node_modules/@aws-amplify/cli/node_modules/aws-sdk/lib/request.js:685:12) {

message: 'The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.\n' +
'\n' +
'The Canonical String for this request should have been\n' +
"'POST\n" +
'/apps\n' +
'\n' +
'host:amplify.us-east-2.amazonaws.com\n' +
'x-amz-content-sha256:f575beb7fd554b765c5c31946384189052c43169fa9e58a33f48db1691cd6b62\n' +
'x-amz-date:20200405T140501Z\n' +
'\n' +
'host;x-amz-content-sha256;x-amz-date\n' +
"f575beb7fd554b765c5c31946384189052c43169fa9e58a33f48db1691cd6b62'\n" +
'\n' +
'The String-to-Sign should have been\n' +
"'AWS4-HMAC-SHA256\n" +
'20200405T140501Z\n' +
'20200405/us-east-2/amplify/aws4_request\n' +
"8a2f322d388fcdf316aaeee1ca1bf20b541324ced60952ca66b386e1f6e2f2c4'\n",
code: 'InvalidSignatureException',
time: 2020-04-05T23:34:37.677Z,
requestId: '82726e41-f7c8-4709-a9b8-0be5d74933f3',
statusCode: 403,
retryable: true
}

@monika2104yadav I am running into the exact error you posted. Did you find a resolution?