AWS4 signature to PUT a file in an S3 bucket

Hello community.
I need access to an Amazon bucket that is available to me to upload files to but does not belong to me. To access this bucket, the service I use generates all the elements I need to generate an AWS4 signature.
As this bucket does not belong to me, I cannot use the S3 bucket object from Make. So I have to send it through an HTTP request object and therefore generate my AWS4 signature and my request in canonical format to sign it.
This is where the problem is:
I can’t seem to generate the correct signature with sha256 from Make (I think it’s the binary digest format issue that’s the problem). Does anyone have a solution?

My “test” :
{{sha256(sha256(sha256(sha256(“”“AWS4"” + wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY,20150830") + “,us-east-1”) + “,iam”) + “,”“aws4_request”“”)}}

Doc for AWS4 signature: Creating a signed AWS API request - AWS Identity and Access Management
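The signing-key chain the question is attempting, written out as an added example in Node.js (not code from this thread or from Make). It uses the same example secret, date, region and service quoted in the test above, and sets the correct chain beside a variant that hex-encodes each intermediate digest; the function names and the `EXAMPLE` object are made up for this illustration.

```javascript
const crypto = require('crypto');

// One HMAC-SHA256 step. `key` may be a string or a Buffer; the result is the
// raw 32-byte digest as a Buffer, never a hex string.
function hmac(key, data) {
  return crypto.createHmac('sha256', key).update(data, 'utf8').digest();
}

// SigV4 signing key: the raw digest of each step is the HMAC *key* of the next.
// This is keyed HMAC, not plain SHA-256 over concatenated strings.
function deriveSigningKey(secretKey, dateStamp, region, service) {
  const kDate = hmac('AWS4' + secretKey, dateStamp);
  const kRegion = hmac(kDate, region);
  const kService = hmac(kRegion, service);
  return hmac(kService, 'aws4_request');
}

// Final signature: HMAC of the string to sign under the signing key.
// Only this last value is hex-encoded.
function sign(signingKey, stringToSign) {
  return hmac(signingKey, stringToSign).toString('hex');
}

// Failure mode for comparison: every intermediate digest is hex-encoded, so the
// next step is keyed with 64 ASCII characters instead of 32 raw bytes.
function deriveWithHexIntermediates(secretKey, dateStamp, region, service) {
  const step = (key, data) =>
    crypto.createHmac('sha256', key).update(data, 'utf8').digest('hex');
  const kDate = step('AWS4' + secretKey, dateStamp);
  const kRegion = step(kDate, region);
  const kService = step(kRegion, service);
  return step(kService, 'aws4_request');
}

// Constructed input: the documentation example values quoted in the question.
const EXAMPLE = {
  secret: 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY',
  date: '20150830',
  region: 'us-east-1',
  service: 'iam',
};

const good = deriveSigningKey(EXAMPLE.secret, EXAMPLE.date, EXAMPLE.region, EXAMPLE.service);
const bad = deriveWithHexIntermediates(EXAMPLE.secret, EXAMPLE.date, EXAMPLE.region, EXAMPLE.service);
console.log('raw-bytes chain :', good.toString('hex'));
console.log('hex-string chain:', bad);
```

The two printed keys differ, and only the raw-bytes chain produces a signature the service will accept.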

Hi @GRLD_TAZ ,

We’ve also had to do this for one of our clients and eventually created an external script on a serverless environment (like AWS Lambda for example). We trigger the script over HTTP by sending the item which needs to be signed, and get a signed URL back.

Hummm. Good idea…
What object do you use to trigger over HTTP in Make?

And suddenly the file is sent by the script finally, right?

What exactly do you mean by “object”? We add a webhook in front of the external function, then we trigger it over HTTP in Make.

You can yes. However, we just return a signed URL with the script and then let Make handle it.
The less you build in a dark box (externally or wherever) the better to manage.


You just ensure the signature. Not forwarding the file on the serverless side. OK
Is the “timestamp” included in the signature not a problem suddenly?

bonus: if you have the script at hand, I’m obviously a taker!

Thanks for these tips. I see the principle very well, but I admit discovering the principle of the Serverless component. It’s super interesting. However, I use no-code tools because… I’m not very up to date on the code side. So if it’s possible to have access to the piece of code that makes the principle work, I’m very interested… because I’m trying with the docs… but I’m struggling…
Thank you!

Let me check if I can find the code for you @GRLD_TAZ .
But can’t promise anything :smiley:

There are however plenty of topics and documentation within AWS about this.


@GRLD_TAZ We used NodeJS and the AWS library to create the signed URL:

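// `auths`, `event` and `$respond` are not defined here; they come from the
// serverless platform the script runs on.
const AWS = require('aws-sdk');
const { accessKeyId, secretAccessKey } = auths.aws;

const s3Client = new AWS.S3({
  accessKeyId,
  secretAccessKey,
  region: "us-east-2"
});

// The bucket is fixed; the object key comes from the incoming HTTP request body.
const params = { Bucket: 'bucket-name', Key: event.body.key };
// Pre-signed URL for the 'getObject' operation (SDK default lifetime: 900 seconds).
const url = s3Client.getSignedUrl('getObject', params);

// Send the signed URL back to the caller (Make).
$respond({
  status: 200,
  body: {
    "url": url
  }
});
// Note: this writes a usable signed URL to the function's logs.
console.log('The URL is', url);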

This basically creates a signed URL using the AWS library and then responds back with that URL so Make can take care of it.


Many thanks!!!

And you pass the variables in the URL, that’s it (I discover the code at the same time but I take advantage of your presence on the post :slight_smile: )


Your AWS Lambda is private, right?