[Koha] Amazon Secret key used to generate digital signature

mcmlists at people.net.au mcmlists at people.net.au
Sun Feb 14 15:33:19 NZDT 2010 

Hi Nicole,

Further to my last post, I should have quoted this Koha FAQ,
http://koha.org/documentation/faq/why-do-i-need-a-awsprivatekey-for-amazon-content/?searchterm=secret
which states that the Private Access Key and 
Secret key are the same.  I assumed you had written the FAQ.


Why do I need a AWSPrivateKey for Amazon Content?

<http://koha.org/documentation/faq>Up to Table of Contents

This FAQ applies to: 3.2
Why do I need the AWSPrivateKey as well as the 
AWSAccessKeyID to use Amazon Content?

After 2009-08-15, Amazon Web Services will expect 
that all requests to the Product Advertising API, 
which is what Koha uses for retrieving reviews 
and other enhanced content from Amazon, include 
signatures.  This patch and subsequenct patches implement this functionality.

What this means in practice (assuming the user 
has elected to use any enhanced content from Amazon) is that
    * The user must get a Amazon Secret Access 
Key.  This can be done by logging in to the 
user's AWS account at (e.g.) 
<http://aws.amazon.com/>http://aws.amazon.com/, 
going to the 'Access Identifiers' page, and from 
there retrieving and/or creating a new Secret Access Key.
    * The contents of the Secret Access Key 
should then be entered into the new AWSPrivateKey system preference.

Once that is done, grabbing reviews and table of 
contents from Amazon should work as normal.  If 
the user doesn't do this before 2009-08-15, 
reviews and TOCs will no longer be supplied from 
Amazon, although there should be no crashes - the 
content will simply not show up.

Note that the requirement to sign requests does 
*NOT* appear to apply to simply displaying book covers from Amazon.

END OF QUOTE FROM FAQ.

This won't be so simple to implement because the 
Secret key is long and complex and can't be cut 
and pasted from the Amazon site into the Koha system prefs.

Presumably the patch for 3.2 uses the Secret Key 
to create a digital signature, as described in the following
Amazon description of access keys at
http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#AccessKeys 

    * Secret Access Key­Each Access Key ID has a 
Secret Access Key associated with it. This key is 
just a long string of characters (and not a file) 
that you use to calculate the digital signature 
that you include in the request. Your Secret 
Access Key is a secret, and only you and AWS 
should have it. Don't e-mail it to anyone, 
include it any AWS requests, or post it on the 
AWS Discussion Forums. No authorized person from 
AWS will ever ask for your Secret Access Key.
When you create a request, you create a digital 
signature with your secret key and include it in 
the request along with your Access Key ID. When 
we get the request, we use your Access Key ID to 
look up the corresponding Secret Access Key. We 
use the key to validate the signature and confirm 
that you're the request sender.

END OF QUOTE FROM AMAZON SITE.

Mike Mason

Earlier today, I wrote:
------------------------------------------------
My statement that "what we call the Amazon 
private key is really the Amazon Secret Access 
Key" was based on the following: I have just set 
up my Amazon associate ID and AWS access keys in 
Amazon, and the site described two keys as 
follows: (this is cut and pasted from Amazon's 
Associates' "Manage your account" page:)
You will need access identifiers to call the 
Product Advertising API, authenticate requests 
and identify yourself as the sender of a request. 
Two types of identifiers are available: AWS 
Access Key Identifiers (Public and Secret Keys) and X.509 Certificates.

The site guides you to set up the Public and 
Secret keys.  It does not mention a "Private 
key".  So I assumed that what you referred to in 
the 3.2 manual as a "Private Key" was meant to 
indicate Amazon's "Secret Key". But perhaps you had something else in mind?

Unfortunately I can't test this as I'm on 
Liblime's Koha Express, which is still back in 
Koha 3.00.02.012 and has no system preference 
entries for Amazon reviews or for the Secret/Private key.

Mike Mason

At Sunday 14/02/2010, you wrote:
>Hi all,
>
>I want to confirm that what we call the Amazon private key is really
>the Amazon Secret Access Key.  If so I want to update the language in
>the manual and the sys prefs page -but I want to be sure before I do
>that.
>
>Nicole
>_______________________________________________
>Koha mailing list
>Koha at lists.katipo.co.nz
>http://lists.katipo.co.nz/mailman/listinfo/koha
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.katipo.co.nz/pipermail/koha/attachments/20100214/cbc5c7ce/attachment.htm

More information about the Koha mailing list