Bug v6.0.0: `extra_headers` included into signature causing `InvalidSignatureException`

[Roytangrb]

Issue:

pynamodb.exceptions.GetError: Failed to get item: An error occurred (InvalidSignatureException) on request (<...>) on table (...) when calling the GetItem operation: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

when extra_headers configured to have headers used and striped by a proxy

Potential cause

Per documentation https://pynamodb.readthedocs.io/en/stable/settings.html#extra-headers

A dictionary of headers that should be added to every request. This is only useful when interfacing with DynamoDB through a proxy, where headers are stripped by the proxy before forwarding along. Failure to strip these headers before sending to AWS will result in an InvalidSignatureException due to request signing.

PynamoDB/pynamodb/connection/base.py

Lines 334 to 337 in d61d906

	def _before_sign(self, request, **_) -> None:
	if self._extra_headers is not None:
	for k, v in self._extra_headers.items():
	request.headers.add_header(k, v)

@raulmyocu found that request is signed after extra_headers are added in v6.0.0, in older version (v5.5.1 where error is not observed), requests are signed before extra_headers being added.

PynamoDB/pynamodb/connection/base.py

Lines 324 to 329 in 7b60000

	self._sign_request(request)
	prepared_request = self.client._endpoint.prepare_request(request)
	if self._extra_headers is not None:
	prepared_request.headers.update(self._extra_headers)
	if settings.extra_headers is not None:
	prepared_request.headers.update(settings.extra_headers)

Related: #1079