
Issue with aws.generate_signature method

gary1
Executive Chef II

We're using the aws.generate_signature method and we're finding that no matter what input we provide, it always generates the same 20-character credential at the beginning of the Authorization value starting with "Credential=AKIAJ4UK...". This value doesn't match any of our credentials or input into the method, so we have no idea where it's originating.

We've tried the method in a connector with real and junk credentials, and we've tried this in a Ruby recipe action using completely junk input. We've also tried in different Workato accounts. In all cases, it generates the exact same value, leading us to believe that the method is buggy and the "AKIA" value is a hardcoded fallback.

We also ran the same exact code in Visual Studio using the Workato Ruby SDK Gem and it worked perfectly.

We're stumped! Has anyone had experience using this method successfully?

1 ACCEPTED SOLUTION

Thanks for checking back in. We were able to resolve this by passing the values encoded as a hash instead of an object. 

Although we're now able to proceed, there is still a security concern that a Workato AWS access key is somehow getting exposed by error. We learned today that keys starting with "AKIA" are permanent access keys. Considering how consistent this value is being exposed (across tenants, in the SDK, in recipe actions), this warrants further review by Workato. 

I'm not going to chase this down further with Workato, but I'll restate the issue one more time: when passing an incorrect "connection" value to aws.generate_signature, the response includes what may be a permanent access key.

If the aws.generate_signature method does not receive the expected input in the expected format, it should probably throw an error. Based on our testing, it appears the method has zero error checking.
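
A defensive check for the behaviour described in this thread, added here as an example (not code from the post or from Workato): it rejects a connection that is not a Hash and verifies that the `Credential=` key ID in a SigV4 Authorization header is the one the caller supplied. The connection key names `access_key_id` and `secret_access_key`, the function names, and the sample header are assumptions constructed for illustration.

```ruby
# Added example: key names and sample values are constructed assumptions,
# not taken from the Workato SDK.
SignatureMismatch = Class.new(StandardError)

# SigV4 header: "AWS4-HMAC-SHA256 Credential=<key id>/<date>/<region>/<service>/aws4_request, ..."
SIGV4_CREDENTIAL = %r{\AAWS4-HMAC-SHA256\s+Credential=([^/,\s]+)/(\d{8})/([^/]+)/([^/]+)/aws4_request,}

# Fail closed on malformed signer input instead of passing it through.
def validate_connection!(connection)
  raise ArgumentError, "connection must be a Hash, got #{connection.class}" unless connection.is_a?(Hash)
  %w[access_key_id secret_access_key].each do |key|
    value = connection[key] || connection[key.to_sym]
    raise ArgumentError, "connection is missing #{key}" if value.to_s.strip.empty?
  end
  connection
end

# Extract the credential scope from an Authorization header value.
def parse_credential(authorization)
  m = SIGV4_CREDENTIAL.match(authorization.to_s)
  raise ArgumentError, "not a SigV4 Authorization header" unless m
  { access_key_id: m[1], date: m[2], region: m[3], service: m[4] }
end

# Raise if the header names a key, region or service the caller did not supply.
def assert_signed_with!(authorization, connection:, region:, service:)
  validate_connection!(connection)
  expected_key = (connection["access_key_id"] || connection[:access_key_id]).to_s
  scope = parse_credential(authorization)
  unless scope[:access_key_id] == expected_key
    # Report only a short prefix so the error itself does not spread the key ID.
    raise SignatureMismatch, "Authorization names key #{scope[:access_key_id][0, 4]}..., not the supplied key"
  end
  unless scope[:region] == region && scope[:service] == service
    raise SignatureMismatch, "credential scope #{scope[:region]}/#{scope[:service]} does not match the request"
  end
  scope
end

# Constructed sample header using the example key ID from AWS documentation.
SAMPLE_HEADER = "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20230721/us-east-1/s3/aws4_request, " \
                "SignedHeaders=host;x-amz-date, Signature=#{'0' * 64}"
```

Running `assert_signed_with!` on the signer's output before sending the request turns a silent key substitution into an error.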


5 REPLIES 5

marlon-muela
Workato employee

Hi Gary,
Have you checked the documentation for aws.generate_signature Ruby Method for connector SDK?
https://docs.workato.com/developing-connectors/sdk/sdk-reference/ruby_methods.html#aws-generate-sign...

You may also check the guide for AWS Service Authentication: https://docs.workato.com/developing-connectors/sdk/guides/authentication/aws_auth.html#sample-connec...

If you found a bug with the method, please raise a support ticket. Thank you!

 

Hi Marlon, we've gone through all of the available documentation. Like I mentioned, our code is working fine in Visual Studio using the Ruby SDK Gem https://docs.workato.com/developing-connectors/sdk/cli/guides/getting-started.html

The same code does not work directly in the Workato SDK, or in the Workato Ruby action.

Here's an example of using the method in a Ruby action with 100% junk data. We're not passing any arguments into this action, and there is no connection object -- yet it still provides the same access key value! It must be hardcoded into the method.


Have you tried passing it as a hash on your connector code for generating aws signature?

 

 

 
