AWS Signature Node

AWS Signature is an authentication method that ensures that requests sent to AWS services are secure and come from a trusted source. The signing process protects the data and ensures that only authorized users can access AWS resources. This node allows this signature to be calculated for any AWS service.

How it Works

AWS uses Signature Version 4 to sign requests. This process involves the following steps:

  • Creation of the Canonical String: a standardized version of the HTTP request that includes information such as the HTTP method, URI, headers, and query parameters.
  • Creation of the String to Sign: generated from the canonical string, it includes additional information such as the date and time of the request, the AWS region, and the service to which the request is being made.
  • Generation of the Signature: using the HMAC-SHA256 algorithm, a keyed hash of the string to sign is computed with a key derived from AWS security credentials (access key and secret key). The result is a signature, which is added to the HTTP request header.

The generated signature is included in the HTTP request header. When the request reaches AWS, the signature is verified to ensure it has not been altered and that it was sent by an authorized user.
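The three steps above, written out for the Cost Explorer request shown under Usage Examples. This is an added example, not the node's own code. The function name, the `POST` method, the `/` path, the shortened body and the timestamp are assumptions; the key is the documentation example value from the Configuration section.

```python
import hashlib
import hmac

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def sigv4_signature(secret, region, service, method, path, query, headers, body, amz_date):
    """Return (signed_headers, hex_signature); headers are 'name:value' strings."""
    # Canonical headers: lowercase names, trimmed values, sorted by name.
    pairs = sorted((n.strip().lower(), v.strip())
                   for n, v in (h.split(":", 1) for h in headers))
    canonical_headers = "".join(f"{n}:{v}\n" for n, v in pairs)
    signed_headers = ";".join(n for n, _ in pairs)
    # Per the page's note, a body-less request passes the literal UNSIGNED-PAYLOAD.
    payload_hash = body if body == "UNSIGNED-PAYLOAD" else _sha256_hex(body)
    # Assumption: query parameters arrive already URI-encoded; they are only sorted here.
    canonical_query = "&".join(sorted(query.split("&"))) if query else ""
    canonical_request = "\n".join(
        [method, path, canonical_query, canonical_headers, signed_headers, payload_hash])
    # The string to sign binds the timestamp and the date/region/service scope.
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request)])
    # Signing key: HMAC-SHA256 chain seeded with "AWS4" + secret key.
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    return signed_headers, hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

# Constructed sample input: the page's documentation example key and a made-up timestamp.
SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
AMZ_DATE = "20240603T120000Z"
HEADERS = [
    "content-type:application/x-amz-json-1.1",
    "host:ce.us-east-1.amazonaws.com",
    "x-amz-date:" + AMZ_DATE,
    "x-amz-target:AWSInsightsIndexService.GetCostAndUsage",
]
BODY = '{"TimePeriod":{"Start":"2024-06-01","End":"2024-06-03"},"Granularity":"MONTHLY"}'

def demo():
    return sigv4_signature(SECRET, "us-east-1", "ce", "POST", "/", "", HEADERS, BODY, AMZ_DATE)

if __name__ == "__main__":
    print(demo())
```

Because the body hash and every signed header feed into the canonical string, changing any of them after signing produces a different signature, which is what lets AWS reject an altered request.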

Configuration

AWS Signature Node Configuration

  1. AWS Key Secret

    • Description: Your AWS Secret Key configured to access the desired service.

      • Example: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
  2. AWS Region

    • Description: The AWS region where the desired service is located.

      • Example: us-east-1
  3. AWS Service

    • Description: The AWS service to which the request is being made.

      • Example: ce, s3, ec2, lambda, athena, etc.
  4. Request Body

    • Description: The HTTP request body.

      • Example:
      {
        "TimePeriod": {
          "Start": "2017-09-01",
          "End": "2017-10-01"
        },
        "Granularity": "MONTHLY",
        "Filter": {
          "Dimensions": {
            "Key": "SERVICE",
            "Values": [ "Amazon Simple Storage Service" ]
          }
        },
        "GroupBy": [
          {
            "Type": "DIMENSION",
            "Key": "SERVICE"
          },
          {
            "Type": "TAG",
            "Key": "Environment"
          }
        ],
        "Metrics": ["BlendedCost", "UnblendedCost", "UsageQuantity"]
      }
    • Note: For requests that do not have a request body, the value UNSIGNED-PAYLOAD should be used.
  5. Request Method

    • Description: The HTTP method of the request.

      • Example: GET, POST, PUT, DELETE, or PATCH
  6. Request Path

    • Description: The request URI path.

      • Example: /bucket_folder

AWS Signature Node Configuration

  1. Request Headers

    • Description: The HTTP request headers.

      • Example: Content-Type:application/json
    • Note: Include all necessary headers for the request.
  2. Request Query String

    • Description: The HTTP request query string.

      • Example: param1=value1&param2=value2
  3. Request Signed Headers

    • Description: The list of names of the HTTP request headers. Use only the header names, without the values, written in lowercase, separated by semicolons (;), and in alphabetical order.

      • Example: host;x-amz-date

Result

As the final step of the configuration, specify the path where the signature will be returned.

Usage Examples

As an example, we will make a request to the Cost Explorer API. To do this, we declare the request payload with a Mutate node, obtaining the following JSON:

  {
    "TimePeriod": {
      "Start": "2024-06-01",
      "End": "2024-06-03"
    },
    "Granularity": "MONTHLY",
    "Metrics": [
      "BlendedCost",
      "UnblendedCost",
      "UsageQuantity"
    ]
  }

With a Date Node, we capture the current date and save it in the format YYYYMMDDTHHmmss. With another Date Node, we save the current date in the format YYYYMMDD. Both are used in the request headers. We then assemble the following JSON array of headers with them:

  [
    "content-type:application/x-amz-json-1.1",
    "host:ce.us-east-1.amazonaws.com",
    "x-amz-date:Z",
    "x-amz-target:AWSInsightsIndexService.GetCostAndUsage"
  ]

Then, the values are passed for the node to calculate the Signature:

AWS Signature Node Configuration

We then use the generated signature in the HTTP Request node, obtaining the desired request:

AWS Signature Node Configuration
