Python: Amazon Web Services (AWS)

Last week I discovered Listen, yet another music player/database written in Python for the Gnome desktop. I tweeted it and I think it looks quite nice; has issues though, so I decided to jump in and fix some stuff. For example the cover fetch from Amazon. Amazon decided to require a signature for each REST request.

I am not sure how this is supposed to work though. From Amazon you get a private and public key after signing up for an AWS account. You use the public key in plain text as a parameter in your request. In addition you now (since August 2009 as it seems) have to add a timestamp and compute a signature key using the whole request string (including that timestamp and your public key) and the private key. Now append that signature as another parameter to the request and send it.

Of course every request will have a different signature because (a) you want to query for different stuff and (b) time changes and the timestamp must be recent or Amazon will consider the request as “old” and not worthy of an answer.

So what do you do now? Include your private key in your Python source, that you put out in a public repository? You probably shouldn’t, but that means the customer (user?) must have it’s own public/private key pair from Amazon. What a major inconvenience for the customer, to be required to have a AWS account just to get some covers.

Anyway, back to Listen. I created a branch of the 0.6 series on Launchpad  (a first for me, still getting used to bzr) and committed the necessary changes to amazon.py in revision 1126. Today I merged changes from the parent 0.6 and therefore that file now contains both public and private key — of someone else, not mine.

By the way, he original amazon.py is from of PyAWS. Unfortunately a later release of PyAWS 0.3 was not uploaded to SourceForge and further changes by others for the signature stuff also never found their way back to the repository. Isn’t open source great? </sarcasm>