SignatureDoesNotMatch error in RamRoleArn mode

[QiXingchuan]

Describe the bug

The query will have errors like this after the steampipe service runs for some time.

Error: alicloud_sandbox: SDK.ServerError
ErrorCode: SignatureDoesNotMatch
Recommend: InvalidAccessKeySecret: Please check you AccessKeySecret
Message: Specified signature is not matched with our calculation.

Steampipe version (steampipe -v)

Steampipe v0.23.2

Plugin version (steampipe plugin list)

hub.steampipe.io/plugins/turbot/alicloud@latest | 0.23.0

To reproduce

• config

connection "alicloud_sandbox" {
  plugin = "alicloud"
  regions = ["cn-shanghai"]
  profile = "syncer-test"
}

# .aliyun/config.json
{
	"current": "default",
	"profiles": [
		{
			"name": "syncer-test",
			"mode": "RamRoleArn",
			"access_key_id": "xxx",
			"access_key_secret": "xxx",
			"sts_token": "",
			"sts_region": "",
			"ram_role_name": "syncer-test",
			"ram_role_arn": "acs:ram::xxx:role/syncer-test",
			"ram_session_name": "syncer-test",
			"source_profile": "",
			"private_key": "",
			"key_pair_name": "",
			"expired_seconds": 0,
			"verified": "",
			"region_id": "cn-shanghai",
			"output_format": "json",
			"language": "en",
			"site": "",
			"retry_timeout": 0,
			"connect_timeout": 0,
			"retry_count": 0,
			"process_command": "",
			"credentials_uri": "",
			"oidc_provider_arn": "",
			"oidc_token_file": ""
		}
	],
	"meta_path": ""
}

• steampipe service start
• steampipe query
• Execute query like select * from alicloud_sandbox.alicloud_ecs_instance
• Execute query like select * from alicloud_sandbox.alicloud_ecs_instance after one hour

Expected behavior

The error should not happen.

Additional context

It seems that the credential is expired when this issue happens. This should be renewed internally, rather than throwing an error.

[ParthaI]

Hello @QiXingchuan,

Sorry to hear that you're encountering this issue.

After reviewing it, I’d like to share a few key points for your consideration:

The ALI Cloud SDK previously did not support CLI authentication. We added profile authentication in Steampipe by manually parsing the file located at ~/.aliyun/config.json. However, it seems we may have missed handling session expiration properly. A support request was also raised with the SDK team. For reference, see: aliyun/alibaba-cloud-sdk-go#629.

Recently, they added support for profile authentication in the SDK. I’ve submitted a PR (#456) to address this issue. The updated profile authentication will now use the SDK's built-in mechanism.

The changes in the PR are still in progress, but it would be helpful if you could test it with the PR branch (update-alicloud-sdk) and let us know if the issue is resolved, or if there are any remaining edge cases we need to consider.

Thanks!

[QiXingchuan]

Hi @ParthaI. Thank you for getting back to me so quickly! I tested it with PR #456, and the issue has been resolved.

[QiXingchuan]

Hi @ParthaI. Is there any plan to merge the PR and release it?

[snigdhasambitak]

@ParthaI This is blcoking us from using the alicloud plugin. If you can give us a tentative day when the fixed PR will be merged, it would be great.

[ParthaI]

Apologies for the delay in the review process, @snigdhasambitak. @misraved, could you please review this PR when you get a chance and proceed accordingly? Thank you!

[snigdhasambitak]

@ParthaI we did verify your change and it works. Can you please merge the fixed PR now?