Apex Code Development You need to sign in to do that
Don't have an account?
AWS IAM Signature Version 4 and Canonial Request
What am I missing? Can anyone help me out.
I'm integrating Athena to Salesforce. I'm getting error:
Here is my code:
Thanks in advance
I'm integrating Athena to Salesforce. I'm getting error:
[149]|DEBUG|Response Body<?xml version="1.0" encoding="UTF-8"?> USER_DEBUG <Response><Errors><Error><Code>AuthFailure</Code><Message>AWS was not able to validate the provided access credentials</Message></Error></Errors><RequestID>********-****-****-****-*************</RequestID></Response>
Here is my code:
public class AWSHelper {
private string HTTPRequestMethod ='GET';
private string canonicalURI = '/' ; //since we dont have any path
private string canonicalQueryString= 'Action=DescribeRegions&Version=2015-10-01' ;
private string canonicalHeaders ;
private string signedHeaders ;
private string requestPayload;
private string access_key ='********************';
private string secret_key ='****************************************';
private string service = 'iam';
private string contentType = 'application/x-www-form-urlencoded; charset=utf-8';
private string host = 'iam.amazonaws.com';
private string region = 'us-east-1';
private string endpoint = 'https://iam.amazonaws.com';
private string request_parameters = 'Action=DescribeRegions&Version=2015-10-01&AUTHPARAMS' ;
// Version Dates for Different Services:-
// Athena Version=2017-05-18, EC2 Version=2015-10-01, IAM Version=2012-10-17
private string canonical_request ;
private string algorithm = 'AWS4-HMAC-SHA256';
public string getISO8601DateTime(){
return System.now().formatGMT('YYYYMMdd\'T\'HHmmss\'Z\'');
//+ ' !!============!! ------ > '+ System.now().formatGMT('yyyyMMdd\'T\'HHmmss\'Z\'');
}
public string getISO8601Date(){
return System.now().formatGMT('YYYYMMdd');
//+ ' !!============!! ------ > '+ System.now().formatGMT('yyyyMMdd\'T\'HHmmss\'Z\'');
}
public string payLoad(string payload){
// in case of GET request we have empty payload
Blob hash = Crypto.generateDigest('sha256',Blob.valueOf(payload));
return EncodingUtil.convertToHex(hash);
}
public Blob sign(Blob key, string message){
string algorithm='HmacSHA256';
Blob output=Crypto.generateMac(algorithm, Blob.valueof(message), key);
return output;
}
public void buildCanonicalString()
{
Blob key=Blob.valueof('AWS4'+secret_key);
// TASK 1
canonicalHeaders='content-type:' + contentType + '\n' + 'host:' + host + '\n' + 'x-amz-date:' + getISO8601DateTime() + '\n';
signedHeaders='content-type;host;x-amz-date';
canonical_request=HTTPRequestMethod + '\n' + canonicalURI + '\n' +
canonicalQueryString+ '\n' +canonicalHeaders +'\n' +signedHeaders +'\n' + payload('');
System.debug('canonical_request-->'+canonical_request);
// string hmac='SHA-256';
Blob targetBlob = Blob.valueOf(canonical_request);
Blob hash = Crypto.generateDigest('SHA-256', targetBlob); //using SHA-256
Blob hash2 = Crypto.generateMac('hmacSHA256', targetBlob, key); //using hmacSHA256
String canonical_request_hash = EncodingUtil.convertToHex(hash);
String canonical_request_hash2 = EncodingUtil.convertToHex(hash2);
System.debug('canonical_request_hash---->'+canonical_request_hash);
System.debug('canonical_request_hash2---->'+canonical_request_hash2);
// TASK2
string credential_scope = getISO8601Date() + '/' + 'us-east-1' + '/' + 'ec2' + '/' + 'aws4_request\n';
string stringToSign=algorithm + '\n' + getISO8601DateTime() + '\n' + credential_scope + '\n' + canonical_request_hash2;
System.debug('stringToSign--->'+stringToSign);
// task 3 Calculate the AWS Signature Version 4
Blob keySecret = Blob.valueOf('AWS4' + secret_key);
Blob keyDate = Crypto.generateMac('hmacSHA256', Blob.valueOf(getISO8601Date()), keySecret);
Blob keyRegion = Crypto.generateMac('hmacSHA256', Blob.valueOf(region), keyDate);
Blob keyService = Crypto.generateMac('hmacSHA256', Blob.valueOf(service), keyRegion);
Blob keySigning = Crypto.generateMac('hmacSHA256', Blob.valueOf('aws4_request'), keyService);
// string keysigningstring = EncodingUtil.convertToHex(keySigning);
Blob blobToSign = Blob.valueOf(stringToSign); // from task 2
Blob hmac = Crypto.generateMac('hmacSHA256', blobToSign, keySigning);
String signature = EncodingUtil.convertToHex(hmac);
/* Blob blobToSign = Blob.valueOf(stringToSign);
Blob blobToSignhmac = Crypto.generateMac('hmacSHA256', keySigning, blobToSign);
String signature = EncodingUtil.convertToHex(blobToSignhmac);
*/
// Task 3 Calculate Signature
//Blob signing_key =getSignatureKey (secret_key, getISO8601Date(), region, service);
//Blob signature=sign(signing_key,stringToSign);
//string finalSignature=EncodingUtil.convertToHex(signature).toLowerCase();
// Task 4 Add Signining Information to Header
String authorization = 'AWS4-HMAC-SHA256'
+ ' ' + 'Credential=' + access_key + '/' + credential_scope
+ ', ' + 'SignedHeaders=' + signedHeaders
+ ', ' + 'Signature=' + signature
;
system.debug('authorization----->'+authorization);
system.debug('getISO8601Date----->'+getISO8601Date());
HttpRequest req = new HttpRequest();
string endpoint= endpoint+'?'+canonicalQueryString +
'&X-Amz-Algorithm=AWS4-HMAC-SHA256&'+
'&X-Amz-Credential='+EncodingUtil.urlEncode((access_key + '/' + credential_scope), 'UTF-8')+
+'&X-Amz-Date='+getISO8601Date()+
'&X-Amz-Expires=60'+
'&X-Amz-SignedHeaders='+signedHeaders+
'&X-Amz-Signature='+signature+
'&AWSAccessKeyId='+access_key;
req.setEndpoint(endpoint); // Use authorization_header or querystring
req.setMethod(HTTPRequestMethod);
// req.setHeader('Authorization', authorization);
req.setHeader('content-type' , contentType);
//req.setHeader('host','iam.amazonaws.com');
//req.setHeader('x-amz-date',getISO8601Date());
// req.setHeader('X-Amz-Credential',access_key+'/'+getISO8601Date()+'/us-east-1/s3/aws4_request');
// req.setHeader('X-Amz-Date',getISO8601Date());
//req.setHeader('x-Amz-Host',host);
// req.setHeader('X-Amz-Expires','604678');
// req.setHeader('X-Amz-SignedHeaders','host');
// req.setHeader('x-amz-content-sha256', 'UNSIGNED-PAYLOAD');
// req.setHeader('X-Amz-Signature',finalSignature);
// Http ht = new Http();
HttpResponse res = new Http().send(req);
system.debug('endpoint'+endpoint);
System.debug('Response Body'+res.getBody());
//System.debug('Status'+res.getStatus());
}
}
Thanks in advance
Sorry for this issue you are facing.
May I suggest you please refer to below link with a similar discussion which might help you further.
- https://salesforce.stackexchange.com/questions/115139/aws-signature-version-4-iam-authorization
Hope this helps.Kindly mark this as solved if the reply was helpful.
Thanks,
Nagendra
I tried that link and getting this error:
Thanks for replying