topic Re: Issue with aws.generate_signature method in Workato Pros Discussion Board

Issue with aws.generate_signature method

gary1 — Wed, 19 Jul 2023 00:28:46 GMT

We're using the aws.generate_signature method and we're finding that no matter what input we provide, it always generates the same 20-character credential at the beginning of the Authorization value starting with "Credential=AKIAJ4UK...". This value doesn't match any of our credentials or input into the method, so we have no idea where it's originating.

We've tried the method in a connector with real and junk credentials, and we've tried this in a Ruby recipe action using completely junk input. We've also tried in different Workato accounts. In all cases, it generates the exact same value, leading us to believe that the method is buggy and the "AKIA" value is a hardcoded fallback.

We also ran the same exact code in Visual Studio using the Workato Ruby SDK Gem and it worked perfectly.

We're stumped! Has anyone had experience using this method successfully?

Re: Issue with aws.generate_signature method

marlon-muela — Thu, 20 Jul 2023 08:05:15 GMT

Hi Gary,
Have you checked the documentation for aws.generate_signature Ruby Method for connector SDK?
https://docs.workato.com/developing-connectors/sdk/sdk-reference/ruby_methods.html#aws-generate-signature

You may also check the guide for AWS Service Authentication: https://docs.workato.com/developing-connectors/sdk/guides/authentication/aws_auth.html#sample-connector-generic-connector

If you found a bug with the method, please raise a support ticket. Thank you!

Re: Issue with aws.generate_signature method

gary1 — Thu, 20 Jul 2023 19:50:21 GMT

Hi Marlon, we've gone through all of the available documentation. Like I mentioned, our code is working fine in Visual Studio using the Ruby SDK Gem https://docs.workato.com/developing-connectors/sdk/cli/guides/getting-started.html

The same code does not work directly in the Workato SDK, or in the Workato Ruby action.

Here's an example of using the method in a Ruby action with 100% junk data. We're not passing any arguments into this action, and there is no connection object -- yet it still provides the same access key value! It must be hardcoded into the method.

Re: Issue with aws.generate_signature method

marlon-muela — Fri, 21 Jul 2023 02:50:07 GMT

Have you tried passing it as a hash on your connector code for generating aws signature?

Re: Issue with aws.generate_signature method

gary1 — Fri, 21 Jul 2023 03:09:10 GMT

Thanks for checking back in. We were able to resolve this by passing the values encoded as a hash instead of an object.

Although we're now able to proceed, there is still a security concern that a Workato AWS access key is somehow getting exposed by error. We learned today that keys starting with "AKIA" are permanent access keys. Considering how consistent this value is being exposed (across tenants, in the SDK, in recipe actions), this warrants further review by Workato.

I'm not going to chase this down further with Workato, but I'll restate the issue one more time: when passing an incorrect "connection" value to aws.generate_signature, the response includes what may be a permanent access key.

If the aws.generate_signature method does not receive the expected input in the expected format, it should probably throw an error. Based on our testing, it appears the method has zero error checking.

Re: Issue with aws.generate_signature method

meghan-legaspi — Tue, 25 Jul 2023 12:58:11 GMT

Hi @gary1, thank you for calling this out. I've forwarded to our team so we can dive deeper into this.

Re: Issue with aws.generate_signature method

mab893 — Fri, 18 Apr 2025 22:56:15 GMT

This corresponds to an identity in the Workato account: arn:aws:iam::353360065216:user/rba-production

This is shown by running the following action:

test_aws_connection: { title: 'Test AWS Access', execute: ->(connection, input) { puts "Test: Connection config:" puts connection test_signature = aws.generate_signature( connection: connection, path: "/", method: "GET", service: 'sts', region: connection['region'], params: { Action: 'GetCallerIdentity', Version: '2011-06-15' } ) url = test_signature[:url] headers = test_signature[:headers] response = get(url).headers(headers).response_format_json { body: response } } }

Re: Issue with aws.generate_signature method

mab893 — Mon, 21 Apr 2025 15:14:40 GMT

I was able to get it to work and assume a role by adding the aws_assume_role field in connection.fields. This is similar to the sample connection but without the aws_auth_type definitions and conditionals.

{ title: "Basic AWS Role Connector", connection: { fields: [ { name: "aws_assume_role", label: "IAM role ARN", optional: false, }, { name: "aws_region", optional: false, hint: "AWS service region. If your account URL is <b>https://eu-west-1.console.s3.amazon.com</b>, use <b>eu-west-1</b> as the region." } ], authorization: { type: "custom_auth" } }, test: lambda do |connection| call(:test_aws_connection, connection) end, methods: { test_aws_connection:->(connection) { puts "Test: Connection config:" puts connection test_signature = aws.generate_signature( connection: connection, path: "/", method: "GET", service: 'sts', region: connection['aws_region'], params: { Action: 'GetCallerIdentity', Version: '2011-06-15' } ) url = test_signature[:url] headers = test_signature[:headers] puts "Test: Headers:" puts headers ## Outputs sensitive information response = get(url).headers(headers).response_format_json } } }