Salesforce to Amazon Integration Using Signature Version 4: Part 2
In my previous post on Salesforce to Amazon integration using Signature Version 4, I took you through the process of creating a canonical request, which forms the first step in calculating the signature required for the integration. As promised, I am back with the remaining steps you need to complete to integrate Salesforce with Amazon.
Step 2: Create a String to Sign
- Generally, the SHA256 algorithm is used to generate the digest. In the String to Sign, you need to write the algorithm as AWS4-HMAC-SHA256 instead of SHA256
- Add the request date in ISO8601 Basic format via the x-amz-date header in the YYYYMMDD’T’HHMMSS’Z’ format
- The credential scope includes the date (just the date, not the date and time), the region, the service that we are requesting and the terminating string, i.e. aws4_request. The service and the terminating string must be in lowercase. The region and service name strings must be UTF-8 encoded.
- Finally, append the hashed canonical request that was calculated in the first step using the Hash function mentioned above. Your string to sign will look like:
Step 3: Calculate the Signature
To calculate the signature, you need to derive the signing key from your AWS secret access key. To derive the signing key, you create a series of hash-based message authentication codes (HMACs) using the HmacSHA256 algorithm for the date, region, and service. You can derive the signing key as given in the code snippet below:
The sign function used for creating the HMACs is as shown below:
After creating the signature as a digest, convert it into a hexadecimal representation using the EncodingUtil.convertToHex function. The final signature, after conversion to hex, will look something like this:
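Steps 2 and 3 end to end, as an added Apex example rather than the original post's code: it builds the String to Sign, derives the signing key through the chained HMACs and returns the hex signature. The class name, method names, secret key and canonical request are constructed for illustration.

```apex
// Added example: SigV4 String to Sign and signature. All input values are constructed.
public class SigV4SignerExample {
    static final String ALGORITHM = 'AWS4-HMAC-SHA256';

    // One HMAC-SHA256 round: 'data' is the message, 'key' is the previous round's output.
    static Blob sign(String data, Blob key) {
        return Crypto.generateMac('hmacSHA256', Blob.valueOf(data), key);
    }

    // Credential scope: date only (yyyyMMdd), then region, service and terminator.
    static String credentialScope(Datetime ts, String region, String service) {
        return ts.formatGmt('yyyyMMdd') + '/' + region.toLowerCase() + '/'
            + service.toLowerCase() + '/aws4_request';
    }

    // Step 2: algorithm, request timestamp, credential scope, hashed canonical request.
    public static String stringToSign(Datetime ts, String region, String service,
                                      String canonicalRequest) {
        String hashed = EncodingUtil.convertToHex(
            Crypto.generateDigest('SHA-256', Blob.valueOf(canonicalRequest)));
        return ALGORITHM + '\n'
            + ts.formatGmt('yyyyMMdd\'T\'HHmmss\'Z\'') + '\n'
            + credentialScope(ts, region, service) + '\n'
            + hashed;
    }

    // Step 3: chain HMACs over date, region, service and terminator, then sign.
    public static String signature(String secretKey, Datetime ts, String region,
                                   String service, String toSign) {
        Blob kDate    = sign(ts.formatGmt('yyyyMMdd'), Blob.valueOf('AWS4' + secretKey));
        Blob kRegion  = sign(region.toLowerCase(), kDate);
        Blob kService = sign(service.toLowerCase(), kRegion);
        Blob kSigning = sign('aws4_request', kService);
        return EncodingUtil.convertToHex(sign(toSign, kSigning));
    }

    // Constructed inputs; in an org the secret comes from protected storage, not source.
    public static void demo() {
        Datetime ts = Datetime.newInstanceGmt(2015, 8, 30, 12, 36, 0);
        String canonicalRequest = 'GET\n/\nAction=ListUsers&Version=2010-05-08\n'
            + 'host:iam.amazonaws.com\n\nhost\n'
            + 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855';
        String sts = stringToSign(ts, 'us-east-1', 'iam', canonicalRequest);
        String sig = signature('EXAMPLE-SECRET-NOT-A-REAL-KEY', ts, 'us-east-1', 'iam', sts);
        System.assertEquals(64, sig.length()); // 32-byte HMAC rendered as hex
        System.debug(sts + '\n' + sig);        // logs the string to sign and signature only
    }
}
```

Run `SigV4SignerExample.demo();` from Anonymous Apex to see the String to Sign and the resulting signature in the debug log.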
B. Creating a Sign Request
After the signature has been calculated, you need to add it to the query string. The query string will contain the action, the action parameters, and the signing information. This request is known as a pre-signed URL, and it is calculated as:
The following example shows what a request might look like when all the request parameters, including the signing information, are included in query string parameters.
Before I sign off…
While integrating Amazon with Salesforce using Signature Version 4, you need to bear the following in mind:
- Date information should be an eight-digit string representing the year (YYYY), month (MM), and day (DD) of the request (e.g., 20120228)
- Region information should be a lowercase alphanumeric string
- Service name information should be a lowercase alphanumeric string
- A special termination string: aws4_request
There! You are now ready to conquer the world, what with both Salesforce and Amazon data at your disposal at a single location, and why not, you have it covered A to Z after all.