07-18-2023 05:28 PM
We're using the aws.generate_signature method and we're finding that no matter what input we provide, it always generates the same 20-character credential at the beginning of the Authorization value starting with "Credential=AKIAJ4UK...". This value doesn't match any of our credentials or input into the method, so we have no idea where it's originating.
We've tried the method in a connector with real and junk credentials, and we've tried this in a Ruby recipe action using completely junk input. We've also tried in different Workato accounts. In all cases, it generates the exact same value, leading us to believe that the method is buggy and the "AKIA" value is a hardcoded fallback.
We also ran the same exact code in Visual Studio using the Workato Ruby SDK Gem and it worked perfectly.
We're stumped! Has anyone had experience using this method successfully?
07-20-2023 08:09 PM
Thanks for checking back in. We were able to resolve this by passing the values encoded as a hash instead of an object.
Although we're now able to proceed, there is still a security concern that a Workato AWS access key is somehow getting exposed by error. We learned today that keys starting with "AKIA" are permanent access keys. Considering how consistently this value is being exposed (across tenants, in the SDK, in recipe actions), this warrants further review by Workato.
I'm not going to chase this down further with Workato, but I'll restate the issue one more time: when passing an incorrect "connection" value to aws.generate_signature, the response includes what may be a permanent access key.
If the aws.generate_signature method does not receive the expected input in the expected format, it should probably throw an error. Based on our testing, it appears the method has zero error checking.
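The two checks the post above asks for, written out as an added Ruby example (not Workato's code and not a call into the Workato SDK): validate the "connection" input and raise on the wrong shape, then parse the Credential scope out of the returned SigV4 Authorization header and refuse to proceed if the access key id in it is not the one supplied. The signer is passed in as a callable and the header values are constructed samples, since generate_signature's real signature is not reproduced here.

```ruby
# Added example, not Workato's code. Defensive wrapper around any SigV4 signer
# (e.g. aws.generate_signature), which is assumed to take a connection hash and
# return a headers hash containing "Authorization".

REQUIRED_KEYS = %w[access_key_id secret_access_key].freeze

class SignatureKeyMismatch < StandardError; end

# Raise unless +conn+ is a Hash carrying non-empty credential strings.
# Returns the hash with string keys so it can be passed straight to a signer.
def validate_connection!(conn)
  raise ArgumentError, "connection must be a Hash, got #{conn.class}" unless conn.is_a?(Hash)
  normalized = conn.each_with_object({}) { |(k, v), h| h[k.to_s] = v }
  missing = REQUIRED_KEYS.reject { |k| normalized[k].is_a?(String) && !normalized[k].strip.empty? }
  raise ArgumentError, "connection missing or empty: #{missing.join(', ')}" unless missing.empty?
  normalized
end

# Extract the access key id from a SigV4 Authorization header such as
# "AWS4-HMAC-SHA256 Credential=<KEY_ID>/20230718/us-east-1/s3/aws4_request, ..."
# Returns nil when the header does not have that shape.
def credential_key_id(authorization)
  m = authorization.to_s.match(%r{\bCredential=([A-Z0-9]+)/\d{8}/[^/]+/[^/]+/aws4_request})
  m && m[1]
end

# True only if the header was signed with +expected_key_id+. A mismatch is the
# symptom the thread describes: a Credential value that is not one of ours.
def signature_uses_key?(authorization, expected_key_id)
  credential_key_id(authorization) == expected_key_id
end

# Validate input, sign, and verify the output before the request is sent.
# +signer+ is any callable taking the validated connection hash.
def sign_checked(conn, signer)
  validated = validate_connection!(conn)
  headers = signer.call(validated)
  auth = headers["Authorization"] || headers[:Authorization]
  unless signature_uses_key?(auth, validated["access_key_id"])
    raise SignatureKeyMismatch,
          "signer used Credential=#{credential_key_id(auth).inspect}, expected #{validated['access_key_id']}"
  end
  headers
end
```

Routing every signing call through sign_checked turns the silent fallback described above into a hard failure that can be logged and alerted on.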
07-25-2023 05:58 AM
Hi @gary1, thank you for calling this out. I've forwarded this to our team so we can dive deeper into it.