AWS Webhook configuration
Overview
Overview
AWS offers over 100 cloud services, with the most prominent examples being data stores (S3, DynamoDB), serverless engines (Lambda), queuing systems (SQS) and many more.
Most AWS services use AWS Signature Version 4 to authenticate requests to their APIs. Computing the signature requires a prepared canonical request (a request without the Authorization
header) and AWS credentials. They are all used as the input for the AWS Signature Version 4 algorithm. Its output is a value that should be used as the Authorization
header.
The headers and body values of a webhook are likely changing between individual requests. This means the canonical request will differ and previously computed Authorization headers will be invalid. The proxy that the AWS Webhook Integration is using will re-compute the signature for every request.
If you have AWS Webhook Integration enabled you can use its proxy within a webhook so all requests will be automatically signed. You can either start from a webhook template or follow these steps to configure it manually:
- Create a webhook performing a canonical AWS request to the service you use. All standard features available for webhooks are available.
- Replace
amazonaws.com
withawsproxy.contentful.com
in the webhook URL. - Set a
X-Contentful-AWS-Proxy-Key-Id
header with your AWS Access Key ID. - Set a
X-Contentful-AWS-Proxy-Secret
header with your AWS Secret Access Key.Important: Make sure it's marked as secret. - Optional: you can set a
X-Contentful-AWS-Proxy-Content-Type
header to a customContent-Type
value if a service being called requires it (for exampleapplication/x-amz-json-1.0
).
The proxy will automatically sign all requests using the credentials provided. Credentials must have IAM role assigned allowing to perform selected action.