09-20-2018 09:12 AM
I want to use ServiceNow scripts to get a pre-signed URL from Amazon S3 storage. The AWS JavaScript SDK can be used for this, and I read the Community post describing how this SDK can be imported into ServiceNow; however, that method looks extremely fragile. I'd prefer presigning a URL without the SDK, if possible. Has anyone done something like this before?
UPDATE
ServiceNow does not have the functions to generate signatures in AWS Signature Version 4. Version 4 requires a signing key that is derived from your secret access key by a series of hash-based message authentication codes (HMACs). GlideCertificateEncryption can return the HMACs in base64 format, but the AWS signing key requires an HMAC-SHA256 function that returns output in binary format:
Use the digest (binary format) for the key derivation. Most languages have functions to compute either a binary format hash, commonly called a digest, or a hex-encoded hash, called a hexdigest. The key derivation requires that you use a binary-formatted digest.
AWS provides an example of creating the necessary binary format digest in Python (amazon.com, sigv4-signed-request-examples.html):
hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()
There seems to be a way of using the CryptoJS library to produce an equivalent to this using some custom functions for converting from a WordArray to byte array found here: https://stackoverflow.com/questions/29432506/how-to-get-digest-representation-of-cryptojs-hmacsha256....
Unfortunately, I've never been able to get CryptoJS working in ServiceNow Kingston as shown in Sift API and Request Signature Generation. I tested the solution from killswitch1111 on Cannot access SncAuthentication from application scope and it failed to get CryptoJS working, even after I pulled the correct version of CryptoJS from crypto-js on Google Code Archive.
The only way I can find to generate this signature is to stand up an entirely new service outside of ServiceNow that does nothing but sign S3 URLs in response to GET requests from ServiceNow. I was very much hoping to avoid that, but I can see no other option.
03-29-2021 08:06 AM
We are currently using a custom external API which we call from ServiceNow to generate signatures. We weren't ever able to get ServiceNow to generate signatures. This is probably because ServiceNow doesn't appear to have any functions which generate binary hashes. Other languages have two separate hashing functions: one for binary and one for hex hashing. Python is an example:
hash.digest()
Return the digest of the data passed to the update() method so far. This is a bytes object of size digest_size which may contain bytes in the whole range from 0 to 255.
hash.hexdigest()
Like digest() except the digest is returned as a string object of double length, containing only hexadecimal digits. This may be used to exchange the value safely in email or other non-binary environments.
Since cloud storage APIs like AWS and Azure expect binary digests, it's necessary to generate these using an API external to ServiceNow that generates binary hashes using a more competent language, such as Node.js or Python. Azure Functions or AWS Lambdas provide a simple way to create such a "helper" API for generating hashes.
10-23-2019 08:47 AM
David,
Can you explain more on how this is working? Mainly interested in the AWSRESTRequestSigningUtil function you're referencing in the script include.
We are trying to do exactly what you've done by integrating with a specific S3 bucket to pull in some content. We've replicated the script include as you've stated in the reply above but are stuck on the AWSRESTRequestSigningUtil piece.
Any help would be much appreciated!
Thanks,
Saadi
10-23-2019 09:12 AM
We had the same problem. We installed probably dozens of modules to try and make the script include "AWSRESTRequestSigningUtil" show up, and we never could. I have attached a copy of the script. It appears to have been written by "will.swift". We do not know who this is. The script is relatively simple, but it relies on "SNC.AWSRequestUtil()". The prefix "SNC" implies this is a "system restricted script" defined at the platform (Java) layer and not directly accessible to customers (https://community.servicenow.com/community?id=community_question&sys_id=3d120fe9db98dbc01dcaf3231f96...). Good luck!
03-19-2020 02:00 AM
Hi David,
Can you please guide us on how to set this up in the NY instance? We are trying this with no luck.
10-20-2018 12:18 AM
This exact same issue is now present with Slack, as they are deprecating verification tokens, instead providing a 'timestamp' header that you're supposed to hash with the request body and your app secret, then compare against their 'signature' header. This is how you verify "whether requests from us are authentic." The result of your hashing is supposed to be HMAC SHA256, with hexdigest.
Slack docs say verification tokens are available concurrently now, but will be gone in a few months. So ServiceNow needs a native way to do this for their own Slack integration, and so will everybody who did the integration manually.
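The check described in the post above, as an added Node.js example that is not part of the original post or of any ServiceNow or Slack code. The `v0:timestamp:body` base string, the `v0=` prefix and the five-minute window follow Slack's signing-secret documentation rather than this thread; the function and parameter names are assumptions.

```javascript
const crypto = require('crypto');

// Reject requests whose timestamp is more than five minutes from local time,
// which limits replay of a captured request.
const MAX_SKEW_SECONDS = 300;

// HMAC-SHA256 over "v0:<timestamp>:<raw body>", hex-encoded (the hexdigest).
function slackSignature(signingSecret, timestamp, rawBody) {
  const base = `v0:${timestamp}:${rawBody}`;
  return 'v0=' + crypto.createHmac('sha256', signingSecret).update(base, 'utf8').digest('hex');
}

// timestamp and signature are the values of the request's timestamp and
// signature headers; rawBody is the body exactly as received, before parsing.
function verifySlackRequest({ signingSecret, timestamp, signature, rawBody, nowSeconds }) {
  if (!/^\d+$/.test(String(timestamp))) return false;          // missing or malformed
  if (Math.abs(nowSeconds - Number(timestamp)) > MAX_SKEW_SECONDS) return false;
  const expected = Buffer.from(slackSignature(signingSecret, timestamp, rawBody), 'utf8');
  const received = Buffer.from(String(signature || ''), 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return expected.length === received.length && crypto.timingSafeEqual(expected, received);
}

// Constructed sample request (values are made up for illustration).
const SAMPLE_REQUEST = {
  signingSecret: 'constructed-signing-secret',
  timestamp: '1531420618',
  rawBody: 'team_id=T0001&command=%2Fticket&text=hello',
};
```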
11-03-2018 04:45 AM
I got a version of signatures working using CryptoJS with "signing secrets" from Slack. Discussion is on this other thread.
EDIT:
I wrote up a community article on how I handled this, with some sample code for a scoped processor and script include.