Was this page helpful?

AWS Webhook configuration

Overview

NOTE: AWS Webhook Integration is available on specific pricing plans. Contact us if you are interested in learning more about this feature.

Overview

AWS offers over 100 cloud services, with the most prominent examples being data stores (S3, DynamoDB), serverless engines (Lambda), queuing systems (SQS) and many more.

Most AWS services use AWS Signature Version 4 to authenticate requests to their APIs. Computing the signature requires a prepared canonical request (a request without the Authorization header) and AWS credentials. They are all used as the input for the AWS Signature Version 4 algorithm. Its output is a value that should be used as the Authorization header.

The headers and body values of a webhook are likely changing between individual requests. This means the canonical request will differ and previously computed Authorization headers will be invalid. The proxy that the AWS Webhook Integration is using will re-compute the signature for every request.

If you have AWS Webhook Integration enabled you can use its proxy within a webhook so all requests will be automatically signed. You can either start from a webhook template or follow these steps to configure it manually:

  1. Create a webhook performing a canonical AWS request to the service you use. All standard features available for webhooks are available.
  2. Replace amazonaws.com with awsproxy.contentful.com in the webhook URL.
  3. Set a X-Contentful-AWS-Proxy-Key-Id header with your AWS Access Key ID.
  4. Set a X-Contentful-AWS-Proxy-Secret header with your AWS Secret Access Key.
    Important: Make sure it's marked as secret.
  5. Optional: you can set a X-Contentful-AWS-Proxy-Content-Type header to a custom Content-Type value if a service being called requires it (for example application/x-amz-json-1.0).

The proxy will automatically sign all requests using the credentials provided. Credentials must have IAM role assigned allowing to perform selected action.

NOTE: The proxy is an internal system and cannot be accessed from the public Internet. Only our webhook system can use this proxy.