[BUG] AOSS returns InvalidSignature error if request has a body #72

Open
robfig opened this issue Feb 22, 2023 · 1 comment
Labels
bug Something isn't working

robfig commented Feb 22, 2023

What is the bug?

opensearch-cli does not sign requests that contain bodies correctly, when used with Amazon OpenSearch Serverless (AOSS).

How can one reproduce the bug?

Steps to reproduce the behavior:

  1. Create an AOSS Collection
  2. Create a profile to access that collection
  3. Make a GET request to that collection to verify the setup, e.g. curl get --path _cat/indices
  4. Make a POST request with a body, e.g. POST _aliases (see below)
  5. View an "Invalid signature" error

I've tried multiple different API endpoints, so it is not specific to aliases.

What is the expected behavior?

Requests with bodies should work.

What is your host/environment?

  • OS: Ubuntu
  • Plugin version 1.1.0
  • OpenSearch version AOSS hosted

Do you have any screenshots?

For example:

```
# GET WORKS
$ aws-vault exec my-profile -- opensearch-cli -p dev curl get --path _cat/aliases
chatmessages index6 - - - -
chatmessages index5 - - - -

# POST DOES NOT WORK
$ aws-vault exec my-profile -- opensearch-cli -p dev curl post --path _aliases -d '{"actions":[{"remove": {"alias": "chatmessages"}},{"add":{"alias":"chatmessages","index":"chatmessages-robfig-20230222","is_write_index":true}}]}'
{
  "error": {
    "reason": "Customer authentication failed: ResultDetail: { Code=InvalidSignature, Message=Invalid signature, does not match, }",
    "type": "AccessDenied"
  },
  "request-id": "1ca730d5-ce7a-9ad2-926d-8dae23ab1c12",
  "status": 403
}
```
@robfig robfig added bug Something isn't working untriaged labels Feb 22, 2023
@wbeckler

Good catch. It sounds like it needs a client update and a way to specify the service name ("aoss" instead of "es"). What would you suggest could be the right way to specify the service name (e.g., as a flag, as a setting)?
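For readers following the thread, an added example (not opensearch-cli's code and not part of either comment) of how AWS Signature Version 4 binds both the service name and the request body into the signature: the service name enters the credential scope and the key derivation, and the SHA-256 of the body enters the canonical request, so a server that recomputes with a different service name or body hash gets a different value. The secret, host, timestamp and body are constructed, and the sketch assumes only `host` and `x-amz-date` are signed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

func hmacSHA256(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

func sha256Hex(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// SignV4 computes a SigV4 signature for a request with no query string,
// signing only the host and x-amz-date headers (an assumption of this sketch).
func SignV4(secret, region, service, method, host, path, amzDate string, body []byte) string {
	date := amzDate[:8] // YYYYMMDD prefix of the ISO 8601 basic timestamp
	canonical := strings.Join([]string{
		method,
		path,
		"", // empty canonical query string
		"host:" + host + "\nx-amz-date:" + amzDate + "\n",
		"host;x-amz-date",
		sha256Hex(body), // payload hash: any body change alters the signature
	}, "\n")
	scope := date + "/" + region + "/" + service + "/aws4_request"
	sts := "AWS4-HMAC-SHA256\n" + amzDate + "\n" + scope + "\n" + sha256Hex([]byte(canonical))
	k := hmacSHA256([]byte("AWS4"+secret), date)
	k = hmacSHA256(k, region)
	k = hmacSHA256(k, service) // service name is part of the signing key
	k = hmacSHA256(k, "aws4_request")
	return hex.EncodeToString(hmacSHA256(k, sts))
}

func main() {
	// Constructed values for illustration only.
	body := []byte(`{"actions":[]}`)
	for _, svc := range []string{"es", "aoss"} {
		fmt.Println(svc, SignV4("EXAMPLE-SECRET", "us-east-1", svc, "POST", "collection.example", "/_aliases", "20230222T000000Z", body))
	}
}
```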
