AWS SigV4 Authorization: Utilize AWS Calls in HTTP Steps

Use AWS SigV4 authorization for secure and automated cloud operations with Torq's custom HTTP request step.

Updated over a week ago

You can send authenticated AWS REST API calls with the Send HTTP request step by selecting the AWS Signature Version 4 (AWS SigV4) authorization option. The credentials required for AWS SigV4 authentication (AWS access key ID and AWS secret access key) can be securely stored in Torq using the AWS REST API integration. Alternatively, you can use the AWS steps integration with AWS CLI to run sts assume-role commands to obtain those credentials dynamically.

There are two ways to use AWS REST APIs with HTTP Steps and SigV4 authentication:

  • Via the AWS REST API integration with user access keys as SigV4 credentials

  • Via the AWS Steps integration to assume an STS role with an AWS CLI Step and then use the provided credentials in subsequent HTTP Steps

Use AWS SigV4 with HTTP steps and the AWS REST API integration

Step one: Create an AWS access key

  1. Open AWS IAM: Sign in to the AWS Management Console and go to IAM.

  2. Select the user: Go to Users and select the relevant user.

  3. Create an access key: Click the Security credentials tab and then Create access key.

    1. Select a use case for your access key and review the suggested alternatives.

    2. Click Next.

    3. (Optional) Add a descriptive tag.

    4. Click Create access key.

  4. Finalize: Copy the access key ID and secret access key to save them for later—you will need them when creating the AWS REST API steps integration in Torq.

Step two: Create an AWS REST API integration in Torq

  1. Navigate to the integration: Go to Build > Integrations > Steps > AWS REST API and click Add Instance.

  2. Configure the integration:

    1. Enter a meaningful name for the instance, such as AWS read only user.

    2. Paste the access key ID you copied from AWS earlier.

    3. Paste the secret access key you copied from AWS earlier.

    4. Click Add.

Step three: Authorize calls with AWS SigV4

Some AWS REST API output is in XML format. Use the Convert to JSON step to convert from XML to JSON.

The following is an example of a workflow that returns EC2 instance details.

  1. Open the workflow: Navigate to Build > Workflows and select the relevant workflow.

  2. Add the Send an HTTP request step: Drag and drop the Send an HTTP request step into the workflow.

  3. Configure the step parameters: Open the HTTP step.

    1. Paste the REST API endpoint URL.

    2. Select the POST call method.

    3. Select AWS SigV4 as the authorization.

    4. For the AWS access key ID parameter, use the workflow context to select the access key ID from the AWS REST API integration instance you created earlier (e.g. {{ $.integrations.aws_read_only_user.access_key_id }}).

    5. For the AWS secret access parameter, use the workflow context to select the secret access key from the AWS REST API integration instance you created earlier (e.g. {{ $.integrations.aws_read_only_user.secret_access_key }}).

    6. For the AWS service parameter, select ec2 from the dropdown menu or from the workflow context.

    7. For the AWS region parameter, select the relevant AWS region from the dropdown menu or from the workflow context.

      1. Some regions need to be included in both the endpoint URL and the selection (e.g. https://s3.amazonaws.com/ works for us-east-1 but fails for mx-central-1, unless the endpoint is updated to https://s3.mx-central-1.amazonaws.com/).

  4. Add the content type: Add the Content type parameter and select application/x-www-form-urlencoded; charset=utf-8.

  5. Add the version: In the Body section, click + Add Field.

    1. For Name, enter Version.

    2. For Value, enter the version date in the format YYYY-MM-DD.

  6. Add the action: In the Body section, click + Add Field again.

    1. For Name, enter Action.

    2. For Value, enter the CLI command action such as DescribeInstances.

  7. Add the instance ID: In the Body section, click + Add Field again.

    1. For Name, enter a name such as InstanceId.1.

    2. For Value, enter the instance ID such as i-0123456789abcdef0.

  8. (Optional) Add the Convert to JSON step: Drag and drop a Convert to JSON step into the workflow to convert the XML output of the HTTP step to JSON.

  9. Execute the steps: Click Execute to test the steps, and then check the Execution Logs to confirm everything is running as expected.

Use AWS SigV4 with HTTP steps and the AWS CLI integration

AWS CLI steps require an AWS steps integration.

The following is an example of a workflow that returns EC2 instance details.

  1. Set up an AWS steps integration instance: See the guide on creating an AWS steps integration instance.

  2. Open the workflow: Navigate to Build > Workflows and select the relevant workflow.

  3. Assume an STS role: See the guide on configuring an AWS CLI step to run an aws sts assume-role command.

  4. Add the Send an HTTP request step: Drag and drop the Send an HTTP request step into the workflow.

  5. Configure the step parameters: Open the HTTP step.

    1. Paste the call request URL.

    2. Select the POST call method.

    3. Select AWS SigV4 as the authorization.

    4. For the AWS access key ID parameter, use the workflow context to select AccessKeyId from the output of the previous AWS CLI step in which the sts assume-role command was executed.

    5. For the AWS secret access parameter, use the workflow context to select SecretAccessKey from the previous assume role step.

    6. For the AWS service parameter, select ec2 from the dropdown menu or from the workflow context.

    7. For the AWS region parameter, select the relevant AWS region from the dropdown menu or from the workflow context.

      1. Some regions need to be included in both the endpoint URL and the selection (e.g. https://s3.amazonaws.com/ works for us-east-1 but fails for mx-central-1, unless the endpoint is updated to https://s3.mx-central-1.amazonaws.com/).

  6. Add a header to the step: In the Headers section, click + Add.

    1. For Key, enter X-Amz-Security-Token.

    2. For Value, use the workflow context to select SessionToken from the assume role step.

  7. Add the content-type: Add the content-type parameter and select application/x-www-form-urlencoded; charset=utf-8.

  8. Add the version: In the Body section, click + Add Field.

    1. For Name, enter Version.

    2. For Value, enter the version date in the format YYYY-MM-DD.

  9. Add the action: In the Body section, click + Add Field again.

    1. For Name, enter Action.

    2. For Value, enter DescribeInstances.

  10. Add the instance ID: In the Body section, click + Add Field again.

    1. For Name, enter a name such as InstanceId.1.

    2. For Value, enter the instance ID such as i-0123456789abcdef0.

  11. (Optional) Add the Convert to JSON step: Drag and drop a Convert to JSON step into the workflow to convert the XML output of the HTTP step to JSON.

  12. Execute the steps: Click Execute to test the steps, and then check the Execution Logs to confirm everything is running as expected.
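The request that both procedures configure, signed by hand with AWS SigV4: this is an added Python example following the AWS-defined algorithm, not Torq's code. The function name `sign_query_post`, the placeholder credentials, the session token and the `Version` value are assumptions made for illustration.

```python
import hashlib, hmac
from urllib.parse import quote, urlencode, urlsplit

# Constructed sample input: AWS documentation placeholder keys, not real credentials.
# The Version value is an assumption; the page only gives the YYYY-MM-DD format.
FIELDS = {"Action": "DescribeInstances", "Version": "2016-11-15",
          "InstanceId.1": "i-0123456789abcdef0"}
KEYS = ("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY")

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_query_post(url, fields, region, service, access_key, secret_key,
                    amz_date, session_token=None):
    """Return (headers, body) for a SigV4-signed, form-encoded POST."""
    body = urlencode(sorted(fields.items()), quote_via=quote)
    parts = urlsplit(url)  # assumes a simple path and no query string
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": parts.netloc,
        "x-amz-date": amz_date,
    }
    if session_token:  # STS temporary credentials: the token is sent and signed
        headers["x-amz-security-token"] = session_token
    names = sorted(headers)
    signed = ";".join(names)
    canonical = "\n".join([
        "POST", parts.path or "/", "",                  # method, URI, empty query
        "".join(f"{n}:{headers[n]}\n" for n in names),  # canonical headers
        signed, hashlib.sha256(body.encode()).hexdigest(),
    ])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()  # derive the date/region/service-scoped key
    for part in (amz_date[:8], region, service, "aws4_request"):
        key = _hmac(key, part)
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={sig}")
    return headers, body

if __name__ == "__main__":
    for region in ("us-east-1", "mx-central-1"):
        hdrs, body = sign_query_post(f"https://ec2.{region}.amazonaws.com/", FIELDS,
                                     region, "ec2", *KEYS, "20250101T000000Z",
                                     session_token="EXAMPLE-SESSION-TOKEN")
        print(region, body, hdrs["authorization"], sep="\n  ")
```

The region is part of the credential scope and of the derived signing key, so a signature scoped to one region does not validate at an endpoint that expects another; that is why the endpoint URL and the region selection have to agree.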