AWS Signature Node
AWS Signature is an authentication method that ensures that requests sent to AWS services are secure and come from a trusted source. The signing process protects the data and ensures that only authorized users can access AWS resources. This node allows this signature to be calculated for any AWS service.
How it Works
AWS uses Signature Version 4 to sign requests. This process involves the following steps:
- Creation of the Canonical String: a standardized version of the HTTP request that includes information such as the HTTP method, URI, headers, and query parameters.
- Creation of the String to Sign: generated from the canonical string, it includes additional information such as the date and time of the request, the AWS region, and the service to which the request is being made.
- Generation of the Signature: using the HMAC-SHA256 algorithm, the string to sign is encrypted with a key derived from AWS security credentials (access key and secret key). The result is a signature, which is added to the HTTP request header.
The generated signature is included in the HTTP request header. When the request reaches AWS, the signature is verified to ensure it has not been altered and that it was sent by an authorized user.
Configuration
-
AWS Key Secret
-
Description: Your AWS Secret Key configured to access the desired service.
- Example:
wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
- Example:
-
-
AWS Region
-
Description: The AWS region where the desired service is located.
- Example:
us-east-1
- Example:
-
-
AWS Service
-
Description: The AWS service to which the request is being made.
- Example:
ce,s3,ec2,lambda,athena, etc.
- Example:
-
-
Request Body
-
Description: The HTTP request body.
- Example:
{ "TimePeriod": { "Start": "2017-09-01", "End": "2017-10-01" }, "Granularity": "MONTHLY", "Filter": { "Dimensions": { "Key": "SERVICE", "Values": [ "Amazon Simple Storage Service" ] } }, "GroupBy": [ { "Type": "DIMENSION", "Key": "SERVICE" }, { "Type": "TAG", "Key": "Environment" } ], "Metrics": ["BlendedCost", "UnblendedCost", "UsageQuantity"] } - Note: For requests that do not have a request body, the value
UNSIGNED-PAYLOADshould be used.
-
-
Request Method
-
Description: The HTTP method of the request.
- Example:
GET,POST,PUT,DELETE, orPATCH
- Example:
-
-
Request Path
-
Description: The request URI path.
- Example:
/bucket_folder
- Example:
-
-
Request Headers
-
Description: The HTTP request headers.
- Example:
Content-Type:application/json
- Example:
- Note: Include all necessary headers for the request.
-
-
Request Query String
-
Description: The HTTP request query string.
- Example:
param1=value1¶m2=value2
- Example:
-
-
Request Signed Headers
-
Description: Refers to the list of names of the HTTP request headers. Only the header names should be used, without the values, and they should be written in lowercase, separated by a semicolon (
;), and in alphabetical order.- Example:
host;x-amz-date
- Example:
-
Result
As the final step of the configuration, specify the path where the signature will be returned.
Usage Examples
As an example, we will make a request to the Cost Explorer API. To do this, we declare the request payload with a Mutate node, obtaining the following JSON:
{
"TimePeriod": {
"Start": "2024-06-01",
"End": "2024-06-03"
},
"Granularity": "MONTHLY",
"Metrics": [
"BlendedCost",
"UnblendedCost",
"UsageQuantity"
]
}With a Date Node, we capture the current date and save it in the format YYYYMMDDTHHmmss. With another Date Node, we save the current date in the format YYYYMMDD. Both are used in the request headers. With this, we assemble the following JSON with them:
[
"content-type:application/x-amz-json-1.1",
"host:ce.us-east-1.amazonaws.com",
"x-amz-date:Z",
"x-amz-target:AWSInsightsIndexService.GetCostAndUsage"
]Then, the values are passed for the node to calculate the Signature:
We then use the generated signature in the HTTP Request node, obtaining the desired request:
Was this page helpful?
Still looking for help? You can also search the WEGnology Forums or submit your question there.
