[Koha] Amazon Secret key used to generate digital signature

Nicole Engard nengard at gmail.com
Mon Feb 15 14:42:06 NZDT 2010


Mike, I've written so much I can't remember it all :)

That said - I was able to copy and paste my secret key today using
Firefox -- so I'm not sure what you mean about not being able to
copy/paste.

Nicole

On Sat, Feb 13, 2010 at 9:33 PM,  <mcmlists at people.net.au> wrote:
> Hi Nicole,
>
> Further to my last post, I should have quoted this Koha FAQ,
> http://koha.org/documentation/faq/why-do-i-need-a-awsprivatekey-for-amazon-content/?searchterm=secret
> which states that the Private Access Key and Secret key are the same.  I
> assumed you had written the FAQ.
>
> Why do I need a AWSPrivateKey for Amazon Content?
>
> Up to Table of Contents
>
> This FAQ applies to: 3.2
> Why do I need the AWSPrivateKey as well as the AWSAccessKeyID to use Amazon
> Content?
>
> After 2009-08-15, Amazon Web Services will expect that all requests to the
> Product Advertising API, which is what Koha uses for retrieving reviews and
> other enhanced content from Amazon, include signatures.  This patch and
> subsequenct patches implement this functionality.
>
> What this means in practice (assuming the user has elected to use any
> enhanced content from Amazon) is that
>
> The user must get a Amazon Secret Access Key.  This can be done by logging
> in to the user's AWS account at (e.g.) http://aws.amazon.com/, going to the
> 'Access Identifiers' page, and from there retrieving and/or creating a new
> Secret Access Key.
> The contents of the Secret Access Key should then be entered into the new
> AWSPrivateKey system preference.
>
> Once that is done, grabbing reviews and table of contents from Amazon should
> work as normal.  If the user doesn't do this before 2009-08-15, reviews and
> TOCs will no longer be supplied from Amazon, although there should be no
> crashes - the content will simply not show up.
>
> Note that the requirement to sign requests does *NOT* appear to apply to
> simply displaying book covers from Amazon.
>
> END OF QUOTE FROM FAQ.
>
> This won't be so simple to implement because the Secret key is long and
> complex and can't be cut and pasted from the Amazon site into the Koha
> system prefs.
>
> Presumably the patch for 3.2 uses the Secret Key to create a digital
> signature, as described in the following
> Amazon description of access keys at
> http://docs.amazonwebservices.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#AccessKeys
>
> Secret Access Key­Each Access Key ID has a Secret Access Key associated with
> it. This key is just a long string of characters (and not a file) that you
> use to calculate the digital signature that you include in the request. Your
> Secret Access Key is a secret, and only you and AWS should have it. Don't
> e-mail it to anyone, include it any AWS requests, or post it on the AWS
> Discussion Forums. No authorized person from AWS will ever ask for your
> Secret Access Key.
>
> When you create a request, you create a digital signature with your secret
> key and include it in the request along with your Access Key ID. When we get
> the request, we use your Access Key ID to look up the corresponding Secret
> Access Key. We use the key to validate the signature and confirm that you're
> the request sender.
>
> END OF QUOTE FROM AMAZON SITE.
>
> Mike Mason
>
> Earlier today, I wrote:
> ------------------------------------------------
> My statement that "what we call the Amazon private key is really the Amazon
> Secret Access Key" was based on the following: I have just set up my Amazon
> associate ID and AWS access keys in Amazon, and the site described two keys
> as follows: (this is cut and pasted from Amazon's Associates' "Manage your
> account" page:)
> You will need access identifiers to call the Product Advertising API,
> authenticate requests and identify yourself as the sender of a request. Two
> types of identifiers are available: AWS Access Key Identifiers (Public and
> Secret Keys) and X.509 Certificates.
>
> The site guides you to set up the Public and Secret keys.  It does not
> mention a "Private key".  So I assumed that what you referred to in the 3.2
> manual as a "Private Key" was meant to indicate Amazon's "Secret Key". But
> perhaps you had something else in mind?
>
> Unfortunately I can't test this as I'm on Liblime's Koha Express, which is
> still back in Koha 3.00.02.012 and has no system preference entries for
> Amazon reviews or for the Secret/Private key.
>
> Mike Mason
>
> At Sunday 14/02/2010, you wrote:
>
> Hi all,
>
> I want to confirm that what we call the Amazon private key is really
> the Amazon Secret Access Key.  If so I want to update the language in
> the manual and the sys prefs page -but I want to be sure before I do
> that.
>
> Nicole
> _______________________________________________
> Koha mailing list
> Koha at lists.katipo.co.nz
> http://lists.katipo.co.nz/mailman/listinfo/koha


More information about the Koha mailing list