Motivation behind this
I was doing a proof-of-concept on retrieving records from Amazon RDS (Relational Database Service), where I faced critical challenges with the authorization mechanism, the AWS Signature Version 4 signing process, which motivated me to write this post.
Most of the cases I have come across involve either posting files to or retrieving files from AWS S3, but there can be much more to it.
Let's start with a use case.
The business has a requirement to view, in Salesforce, data that is maintained in a PostgreSQL database. Amazon RDS will host a REST-based web service that retrieves the records from the PostgreSQL database table. A Salesforce Apex class will make a callout to the REST endpoint and fetch the data as the response.
The architecture looks like this:
For this use case, we will concentrate on the Apex part, assuming we already have an endpoint on AWS to connect to.
We will create an Apex class that makes the callout to the endpoint.
The flow diagram below shows the step-by-step signing process performed before the callout.
Broadly, the signing process can be divided into the following 4 steps:
- Create Canonical Request
- Create String to Sign
- Calculate Signature
- Create Request Header and perform callout.
The guidance has been taken from the AWS Signature Version 4 Signing Process documentation.
A few points to note:
- The service name used is 'execute-api'.
- The same code can be used for other HTTP methods such as POST, PATCH, etc.
- For the GET method the payload must be empty.
- Query parameter keys must be sorted.
- The signing algorithm used is AWS4-HMAC-SHA256.
- The minimal request headers to pass are 'x-api-key', 'x-amz-date' and 'Accept'.
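The four steps above, carried through for a GET callout to execute-api, as an added reference implementation in Python (not the post's Apex class; the same operations map to Apex's Crypto.generateDigest and Crypto.generateMac). The host name, access key, secret key, API key and timestamp used here are constructed placeholders; note that SigV4 requires 'host' in the signed headers even though the HTTP client adds that header itself.

```python
import hashlib
import hmac
from urllib.parse import quote

# SHA-256 of an empty body: the payload hash used for every GET request.
EMPTY_PAYLOAD_HASH = hashlib.sha256(b"").hexdigest()


def canonical_request(method, path, query, headers, payload_hash):
    # Step 1: sorted, URI-encoded query string; lowercased, sorted headers.
    cq = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                  for k, v in sorted(query.items()))
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    signed = ";".join(sorted(lowered))
    ch = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    creq = "\n".join([method, quote(path, safe="/-_.~"), cq, ch, signed, payload_hash])
    return creq, signed


def string_to_sign(amz_date, scope, creq):
    # Step 2: algorithm, request timestamp, credential scope, hash of step 1.
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                      hashlib.sha256(creq.encode()).hexdigest()])


def signing_key(secret_key, date_stamp, region, service):
    # Step 3a: derive the per-day, per-service key with chained HMAC-SHA256.
    key = ("AWS4" + secret_key).encode()
    for part in (date_stamp, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def sign_get(host, path, query, access_key, secret_key, region, amz_date,
             api_key, service="execute-api"):
    # Steps 1-4 for a GET callout. Returns the headers to send plus the canonical
    # request, which is what API Gateway echoes back when a signature mismatches.
    date_stamp = amz_date[:8]
    # 'host' must be a signed header even though the HTTP client sets it.
    headers = {"Host": host, "x-amz-date": amz_date, "x-api-key": api_key,
               "Accept": "application/json"}
    creq, signed = canonical_request("GET", path, query, headers, EMPTY_PAYLOAD_HASH)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    sts = string_to_sign(amz_date, scope, creq)
    # Step 3b: sign the string to sign with the derived key, never the raw secret.
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         sts.encode(), hashlib.sha256).hexdigest()
    # Step 4: build the Authorization header; the secret key itself is never sent.
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers, creq
```

The Accept header is included in the canonical request because it is listed in SignedHeaders; any signed header the client later changes, or any query key left unsorted, produces a signature API Gateway rejects.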