
o365v (o365v) asked a question.
I'm looking at integrating Workflows with AWS but not SSO using the predefined connector.
Basically, trying to create a workflow that (using an API call) monitors AWS Organisations but having trouble getting the custom API connector to work. To authenticate AWS it requires a signature to be created by creating a hash of a hash of a hash of a hash using details from the request. Full details here https://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html
I've used the HMAC SHA256 card outputting both binary and hex outputs in workflows to try to recreate this but cannot get the correct results from the example data given here https://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html
Has anyone tried to do this and been successful?

Hi Ross,
Hope all is well.
This is Bogdan with Okta support.
I would highly recommend opening a support ticket with us: https://support.okta.com/help/s/cases?language=en_US
And click on Open a Case. Personally, I have not seen much/any luck with the HMAC SHA256 card at all, but opening a ticket can allow us to investigate further based on your use case.
Cheers,
Bogdan Albu
Technical Support Engineer
Okta Global Customer Care
@o365v (o365v) were you able to figure this out? I am trying to figure something out that is similar to this.
Essentially, adding AWS entitlements via the AWS Connector works with all accounts except the main root AWS account. This is a big issue as many places use the root account heavily and we'd want to automate entitlements via Okta.
The setup is already in place, we just need to also be able to push to the root AWS account and not just other sub-accounts.
Thus, since the out of box template doesn't work I am trying to work with the custom API connector.
Still no solution yet, but I have just logged a support call with Okta so will feed back on any progress. I guess the best/easiest solution would be a dedicated AWS API Connection within Workflows, but I can see some complexities around that.
Not sure how far you have got, but some things I have found are that, using the calculations described, Workflows provides the correct Hex output for the kDate calculation, but when changing the digest to Binary the output seems to be a few Octets short.
Also, using this converter https://www.liavaag.org/English/SHA-Generator/HMAC/ I can generate the correct response and also get the response I'm getting in workflows by changing the key type from Text to Hex.
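For reference, an added example (not part of any post in this thread, and not Okta or AWS code) of the Signature Version 4 signing-key derivation discussed above, showing how the result changes when an intermediate key is fed in as hex text instead of raw bytes. The function names are hypothetical; the inputs are the sample values used in the AWS key-derivation example linked in the question.

```python
import hashlib
import hmac

# Sample inputs from the AWS documentation example (not real credentials).
SECRET = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
DATE, REGION, SERVICE = "20120215", "us-east-1", "iam"
STEPS = (DATE, REGION, SERVICE, "aws4_request")


def _hmac(key: bytes, msg: str) -> bytes:
    """HMAC-SHA256 returning the raw 32-byte digest."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str) -> bytes:
    """Correct chain: every step is keyed with the previous RAW digest."""
    key = ("AWS4" + secret).encode("utf-8")  # kSecret is plain text
    for msg in STEPS:  # kDate -> kRegion -> kService -> kSigning
        key = _hmac(key, msg)
    return key


def signing_key_via_hex(secret: str) -> bytes:
    """For tools that can only pass hex strings between steps:
    decode the hex back to bytes before using it as the next key."""
    key_hex = ("AWS4" + secret).encode("utf-8").hex()
    for msg in STEPS:
        key_hex = _hmac(bytes.fromhex(key_hex), msg).hex()
    return bytes.fromhex(key_hex)


def signing_key_hex_as_text(secret: str) -> bytes:
    """Mistake: the 64-character hex string itself is used as a text key,
    so each step is keyed with 64 ASCII bytes instead of 32 raw bytes."""
    key = ("AWS4" + secret).encode("utf-8")
    for msg in STEPS:
        key = _hmac(key, msg).hex().encode("ascii")
    return bytes.fromhex(key.decode("ascii"))


if __name__ == "__main__":
    print("raw-byte chain :", signing_key(SECRET).hex())
    print("hex decoded    :", signing_key_via_hex(SECRET).hex())
    print("hex as text    :", signing_key_hex_as_text(SECRET).hex())
```

Only the final request signature is hex-encoded; if any intermediate key is shorter than 32 bytes or is passed as text, every later step will disagree with the documented values.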
Hi @o365v (o365v), we are trying to create an API connection with our AWS API gateway that would also require us to use AWS Signature v4. Were you able to get your setup working? If so, I would be interested to know how you did it, and what kind of workflow magic you needed to use to get it working.