Wednesday 1 April 2015

Salesforce to Amazon Integration Using Signature Version 4: Part 2

In my previous post on Salesforce to Amazon integration using Signature Version 4, I had taken you through the process of creating a canonical request, which formed the first step for calculating a signature required for the integration. As promised, I am back with the remaining steps you will need to complete for integrating Salesforce with Amazon.

Step 2: Create a String to Sign

The string to sign will include meta information like algorithm, date, credential scope and the digest that was calculated in step 1. It is calculated as shown below:

  • Generally, SHA256 algorithm is used for generating digest. For creating a String to Sign, you need to write AWS4-HMAC-SHA256 instead of SHA256
  • Add the request date in ISO8601 Basic format via the x-amz-date header in the YYYYMMDD'T'HHMMSS'Z' format
  • Credential scope includes date(just date, not date time), the region
  • The service that we are requesting and the terminating string i.e. aws4_request must be in the lowercase. The region and service name strings must be UTF-8 encoded.
  • Finally, append the hashed canonical request that was calculated in the first step using the Hash function mentioned above. Your string to sign will look like:

Step 3: Calculate the Signature

For calculating the signature, you need to derive the signing key from AWS secret access key. For deriving the Signing key, you need to create a series of hash-based message authentication codes (HMACs) using HmacSHA256AH algorithm for date, region, service. You can derive the signing key as given in the code snippet below:

The sign function used for creating the HMACs is as shown below:

After creating the signature as a digest, convert it into a hexadecimal representation using EncodingUtil.convertToHex function. The final signature, after conversion to hex will look something like this:

B. Creating a Sign Request

After the signature has been calculated, you need to add it to the query string. Query string will contain the action, the action parameters, and the signing information. This request is known as pre-signed URL and it is calculated as:

The following example shows what a request might look like when all the request parameters, including the signing information, are included in query string parameters.

Before I sign off…

While integrating Amazon with Salesforce using signature version 4, you need to bear the following in mind:
  1. Date information should be an eight-digit string representing the year (YYYY), month (MM), and day (DD) of the request (e.g., 20120228)
  2. Region information should be a lowercase alphanumeric string
  3. Service name information should be a lowercase alphanumeric string
  4. A special termination string: aws4_request

There! You are now ready to conquer the world, what with both Salesforce and Amazon data at your disposal at a single location, and why not, you have it covered A to Z after all.


Written by Tejashree Chavan,  Salesforce Developer at Eternus Solutions


  1. With cloud computing, you eliminate those headaches because you’re not managing hardware and software—that’s the responsibility of an experienced vendor like The shared infrastructure means it works like a utility: You only pay for what you need, upgrades are automatic, and scaling up or down is easy. Thanks for sharing this.

    Salesforce certification Training in Chennai
    Salesforce administrator training in chennai

  2. Thanks for sharing this valuable post to my knowledge great pleasure to be here SAS has great scope in IT industry. It’s an application suite that can change, manage & retrieve data from the variety of origin & perform statistical analytic on it…

    sas training in Chennai|sas course in Chennai|sas training institutes in Chennai

  3. Hello, Thanks for such a great information about Salesforce Web Forms TECHNOLOGY UPDATES and How to automatically create Salesforce and many more about sales....
    online form builder for salesforce