
Salesforce to Amazon Integration Using Signature Version 4: Part 2


Tejashree Chavan

April 01, 2015

In my previous post on Salesforce to Amazon integration using Signature Version 4, I took you through the process of creating a canonical request, which is the first step in calculating the signature required for the integration. As promised, I am back with the remaining steps you need to complete to integrate Salesforce with Amazon.

Step 2: Create a String to Sign

The string to sign includes meta information such as the algorithm, date, credential scope and the digest that was calculated in step 1. It is calculated as shown below:

[Image: Salesforce to Amazon Integration Using Signature Version 4]

  • Generally, the SHA256 algorithm is used for generating the digest. When creating the string to sign, you need to write AWS4-HMAC-SHA256 instead of SHA256.
  • Add the request date, given via the x-amz-date header, in ISO8601 Basic format: YYYYMMDD'T'HHMMSS'Z'.
  • The credential scope includes the date (just the date, not the date and time), the region, the service that we are requesting and the terminating string, i.e. aws4_request, in lowercase. The region and service name strings must be UTF-8 encoded.
  • Finally, append the hashed canonical request that was calculated in the first step using the hash function mentioned above. Your string to sign will look like:

[Image: Salesforce to Amazon Integration Using Signature Version 4]

Step 3: Calculate the Signature

To calculate the signature, you need to derive the signing key from your AWS secret access key. To derive the signing key, you create a series of hash-based message authentication codes (HMACs) using the HmacSHA256 algorithm over the date, region and service. You can derive the signing key as given in the code snippet below:

[Image: Salesforce to Amazon Integration Using Signature Version 4]

The sign function used for creating the HMACs is as shown below:

[Image: Salesforce to Amazon Integration Using Signature Version 4]

After creating the signature as a digest, convert it into a hexadecimal representation using the EncodingUtil.convertToHex function. The final signature, after conversion to hex, will look something like this:

[Image: Salesforce to Amazon Integration Using Signature Version 4]
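Steps 2 and 3 together, as an added Apex example (not the code from the original post's snippets): it builds the string to sign, derives the signing key and returns the hex signature. The class, method and parameter names are assumptions; the canonical request is expected from step 1, and the secret access key is passed in by the caller rather than hard-coded.

```apex
// Added example: all names here are illustrative, not the original post's code.
public class SigV4SignatureExample {
    private static final String ALGORITHM = 'AWS4-HMAC-SHA256';

    // HMAC-SHA256 of a UTF-8 string under a binary key.
    private static Blob sign(String data, Blob key) {
        return Crypto.generateMac('hmacSHA256', Blob.valueOf(data), key);
    }

    // Step 2: algorithm, request timestamp, credential scope and the hex SHA-256
    // of the canonical request, joined by newlines (no trailing newline).
    public static String stringToSign(Datetime requestTime, String region,
                                      String service, String canonicalRequest) {
        String amzDate = requestTime.formatGmt('yyyyMMdd\'T\'HHmmss\'Z\'');
        String scope = requestTime.formatGmt('yyyyMMdd') + '/' + region.toLowerCase()
            + '/' + service.toLowerCase() + '/aws4_request';
        String hashedRequest = EncodingUtil.convertToHex(
            Crypto.generateDigest('SHA-256', Blob.valueOf(canonicalRequest)));
        return String.join(
            new List<String>{ ALGORITHM, amzDate, scope, hashedRequest }, '\n');
    }

    // Step 3: chain HMACs over the date, region, service and terminating string.
    // The first key is the literal prefix "AWS4" followed by the secret access key.
    public static Blob signingKey(String secretKey, String dateStamp,
                                  String region, String service) {
        Blob kDate = sign(dateStamp, Blob.valueOf('AWS4' + secretKey));
        Blob kRegion = sign(region.toLowerCase(), kDate);
        Blob kService = sign(service.toLowerCase(), kRegion);
        return sign('aws4_request', kService);
    }

    // Final signature: HMAC of the string to sign under the signing key, as hex.
    // The same requestTime feeds both the scope and the key so the dates cannot drift.
    public static String signature(String secretKey, Datetime requestTime, String region,
                                   String service, String canonicalRequest) {
        String toSign = stringToSign(requestTime, region, service, canonicalRequest);
        Blob key = signingKey(secretKey, requestTime.formatGmt('yyyyMMdd'), region, service);
        return EncodingUtil.convertToHex(sign(toSign, key));
    }
}
```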

B. Creating a Sign Request

After the signature has been calculated, you need to add it to the query string. The query string will contain the action, the action parameters, and the signing information. This request is known as a pre-signed URL and it is calculated as:

[Image: Salesforce to Amazon Integration Using Signature Version 4]

The following example shows what a request might look like when all the request parameters, including the signing information, are included in query string parameters.

[Image: Salesforce to Amazon Integration Using Signature Version 4]

Before I sign off…

While integrating Amazon with Salesforce using signature version 4, you need to bear the following in mind:

  1. Date information should be an eight-digit string representing the year (YYYY), month (MM), and day (DD) of the request (e.g., 20120228)
  2. Region information should be a lowercase alphanumeric string
  3. Service name information should be a lowercase alphanumeric string
  4. A special termination string: aws4_request

There! You are now ready to conquer the world, what with both Salesforce and Amazon data at your disposal at a single location, and why not, you have it covered A to Z after all.

Reference: http://docs.aws.amazon.com/general/latest/gr/sigv4_changes.html
