Request Authentication and Signing
Some cloud based services require requests to be signed using service specific signature algorithms. The CLIENT process supports automatic request signing for a number of services. To enable request signing, the application developer configures an authentication configuration file which defines the configuration parameters. Configuration parameters may also be supplied in the request itself and may be configured in the API Editor.
The Authentication Configuration File
The authentication config file, or auth config, uses the same format described in the section Configuration File Format. The section name is auth. The auth section always contains the method param indicating the auth method, followed by method specific auth params. The location of the configuration file is then supplied to the CLIENT process using the --auth startup option. Changes to the auth config file may be monitored using the --monitor option.
An example auth config file for Amazon Web Services Signature Version 4 is shown below:
[auth]
Method=aws-signature-v4
AccessKeyId=AKID8D8WDF88E8F8E8FA
SecretAccessKey=yavFGsdfjoielskdfjieaiehihjoiij5Dfq9i5qD
An example of the startup options required to use the auth config file is shown below:
tacl>run CLIENT --api $vol.subvol.awsapi &
--base-url https://s3.us-east-1.amazonaws.com &
--log $vol.subvol.awslog &
--auth $vol.subvol.awsauth &
--monitor auth:30Service Specific Auth File Options
The following signing methods are currently supported with new methods to be added in future releases. If your application requires a signing method not listed here, please visit the Support Center and open a ticket.
Note that parameter names in the auth config are not case sensitive.
Amazon Web Services Signature V4
This method can be used with any AWS service that requires signature version 4.
| Param Name | Param Value |
|---|---|
| method | aws-signature-v4 |
| AccessKeyId | An AWS access key ID |
| SecretAccessKey | The secret access key associated with the Access Key ID |
| SessionToken | The session token associated with the AWS access key ID. This param is optional, but required if the AccessKeyId and SecretAccessKey were obtained from the AWS Security Token Service (STS). If omitted, no SessionToken value is used. |
| Region | The AWS region for the request. This param is optional and if omitted, is derived from the base URL. |
| Service | The AWS service for the request. This param is optional and if omitted, is derived from the base URL. |
| ClockCorrection | In the event that the system time is incorrect, this param may be used to adjust the current time used by the signature algorithm. The value is specified in number of seconds, + or -, to adjust the time used by the signature algorithm to the correct time. This param is optional and if omitted, the current system time is used. This option should only be used in exceptional cases in which the system clock cannot be synchronized to real world time. |
Azure Event Hub
This method can be used with the Azure Event Hub
| Param Name | Param Value |
|---|---|
| method | azure-event-hub |
| SharedAccessKeyName | The shared access key name of an appropriate access policy |
| SecretAccessKey | The secret access key of the access policy. |
| TokenTTL | The length of time the token should be valid, in seconds. This param is optional and if omitted, defauts to 60 seconds. |
| ResourceURI | The resource URI to use when creating the Azure signature. This parameter is optional and if omitted, is derived from the request URL. |
| TokenExpiry | An explicit token expiry time expressed in seconds since Unix Epoch (Jan 1, 1970). If specified, the tokenTTL param is ignored. If omitted, TokenTTL is used to calculate the token expiration time. This param should be used for testing purposes only. |
| ClockCorrection | In the event that the system time is incorrect, this param may be used to adjust the current time used by the signature algorithm. The value is specified in number of seconds, + or -, to adjust the time used by the signature algorithm to the correct time. This param is optional and if omitted, the current system time is used. This option should only be used in exceptional cases in which the system clock cannot be synchronized to real world time. |
Azure IoT Hub
This method can be used with the Azure IoT Hub
| Param Name | Param Value |
|---|---|
| method | azure-iot-hub |
| SharedAccessKeyName | The shared access key name of an appropriate access policy |
| SecretAccessKey | The secret access key of the access policy. |
| TokenTTL | The length of time the token should be valid, in seconds. This param is optional and if omitted, defauts to 60 seconds. |
| ResourceURI | The resource URI to use when creating the Azure signature. This parameter is optional and if omitted, is derived from the request URL. |
| TokenExpiry | An explicit token expiry time expressed in seconds since Unix Epoch (Jan 1, 1970). If specified, the tokenTTL param is ignored. If omitted, TokenTTL is used to calculate the token expiration time. This param should be used for testing purposes only. |
| ClockCorrection | In the event that the system time is incorrect, this param may be used to adjust the current time used by the signature algorithm. The value is specified in number of seconds, + or -, to adjust the time used by the signature algorithm to the correct time. This param is optional and if omitted, the current system time is used. This option should only be used in exceptional cases in which the system clock cannot be synchronized to real world time. |
CyberSource HTTP Signature Authentication
This method can be used with the CyberSource REST API.
| Param Name | Param Value |
|---|---|
| method | cybersource-http |
| MerchantId | The CyberSource Merchant ID. |
| MerchantKeyID | A CyberSource API key ID. |
| MerchantSecretKey | The shared secret key associated with the MerchantKeyID. |
Generic Authorization Header with Token
This method allows an arbitray HTTP header name, value pair to be supplied as an authentication method. This method can be used for custom authentication methods or for standard authentication methods such as OAuth 2 Bearer tokens.
| Param Name | Param Value |
|---|---|
| method | auth-token |
| Header | The name of the HTTP header. |
| Token | The value of the HTTP header. |