AWS Signature Version 4 Authentication

Introduction

This article describes how Appian can connect to services that use AWS Signature Version 4 authentication. Appian developers can use it to configure integrations with over 100 Amazon Web Services, including S3, Comprehend, and Textract, using HTTP connected systems.

AWS Configuration

Understanding the AWS Signature Version 4 Signing Process

Appian generates and uses an HTTP Authorization header to sign AWS requests.

The HTTP Authorization method for AWS Signature Version 4 lays out the sequence of steps to sign the AWS requests. There are four main steps in this sequence:

[Figure: AWS authentication sequence diagram]

Most of the steps in this sequence are not visible to users or Appian developers. However, understanding the sequence will help designers troubleshoot problems if they occur.

To learn more about the AWS Signature Version 4 Signing Process, see the AWS documentation.

Getting Your AWS Security Credentials

Amazon Web Services uses access keys as security credentials to make programmatic calls to AWS API operations. Access keys consist of two parts: the access key ID and the secret access key. You will need both to successfully integrate Appian with AWS using Signature Version 4 authentication.

If you do not have access to the above AWS security credentials, please contact the administrator for your AWS account.

Appian Configuration

There are several important design considerations when configuring AWS Signature Version 4 authentication.

Parameters Set in the Connected System

The following parameters from the third-party system will need to be entered into the HTTP connected system. Refer to the respective AWS documentation for more information.

| Field | Description |
| --- | --- |
| Access Key ID | Required. Amazon uses a custom authentication scheme that requires a special signing of the request using an access key, secret access key, and region. The access key ID, along with an associated secret access key and region, is used to access Amazon services. Your access key ID is the first piece of a set of programmatic credentials that can be generated for Amazon Identity and Access Management (IAM) user accounts. |
| Secret Key | Required. Your secret access key is the second piece of a set of programmatic credentials that can be generated for Amazon IAM user accounts. |
| Security Token | Optional. You can use temporary security credentials provided by the AWS Security Token Service (AWS STS) to authenticate a request by providing an additional Security Token parameter here. |
| AWS Region | Required. Your region is the third piece of a set of programmatic credentials that can be generated for Amazon IAM user accounts. Learn more about the available AWS Regions in the AWS Service Endpoints documentation. |
| Service | Required. The namespace of the Amazon service you would like to use. Learn more about the available Amazon services and their namespaces in the AWS Resource Name documentation. |

Setting up an Integration

Once you have created the HTTP connected system that uses AWS Signature Version 4 authentication, create a new integration that uses the connected system. Keep the following design considerations in mind.

Automatically Generated Headers

AWS Signature Version 4 authentication requires certain headers to be sent with your request for successful authentication. For every integration that uses AWS Signature Version 4 authentication, Appian automatically creates and sends the following headers with each request, in addition to the default headers:

  • Host
  • X-Amz-Date
  • Authorization
  • Signature
  • X-Amz-Content-Sha256 (for the S3 service only)

Depending on the Amazon service you are using, you may be required to add more headers to the request. For example, certain services require X-Amz-Target to indicate the API action to be performed. You can add these in the headers section of the integration. You can find the service-specific requirements in the AWS documentation for the service.
