- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-20-2018 09:12 AM
I want to use ServiceNow scripts to get a pre-signed URL from Amazon S3 storage. The AWS JavaScript SDK can be used for this, and I read the Community post describing how this SDK can be imported into ServiceNow; however that method looks extremely fragile. I'd prefer presigning a URL without the SDK, if possible. Has anyone done something like this before?
UPDATE
ServiceNow does not have the functions to generate signatures in AWS Signature Version 4. Version 4 requires a signing key that is derived from your secret access key by a series of hash-based message authentication codes (HMACs). GlideCertificateEncryption can return the HMACs in base64 format, but the AWS signing key requires an HMAC-SHA256 function that returns output in binary format:
Use the digest (binary format) for the key derivation. Most languages have functions to compute either a binary format hash, commonly called a digest, or a hex-encoded hash, called a hexdigest. The key derivation requires that you use a binary-formatted digest.
AWS provides an example of creating the necessary binary format digest in Python (amazon.com, sigv4-signed-request-examples.html😞
hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()
There seems to be a way of using the CryptoJS library to produce an equivalent to this using some custom functions for converting from a WordArray to byte array found here: https://stackoverflow.com/questions/29432506/how-to-get-digest-representation-of-cryptojs-hmacsha256....
Unfortunately, I've never been able to get CryptoJS working in ServiceNow Kingston as shown in Sift API and Request Signature Generation. I tested the solution from killswitch1111 on Cannot access SncAuthentication from application scope and it failed to get CryptoJS working, even after I pulled the correct version of CryptoJS from crypto-js on Google Code Archive.
The only way I can find to generate this signature is to stand up an entirely new service outside of ServiceNow that does nothing but sign S3 URLs in response to GET requests from ServiceNow. I was very much hoping to avoid that, but I can see no other option.
Solved! Go to Solution.
- Labels:
-
Integrations
-
Scripting and Coding
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-29-2021 08:06 AM
We are currently using a custom external API which we call from ServiceNow to generate signatures. We weren't ever able to get ServiceNow to generate signatures. This is probably because ServiceNow doesn't appear to have any functions which generate binary hashes. Other languages have two separate hashing functions: one for binary and one for hex hashing. Python is an example:
hash.digest()
Return the digest of the data passed to the update() method so far. This is a bytes object of size digest_size which may contain bytes in the whole range from 0 to 255.hash.hexdigest()
Like digest() except the digest is returned as a string object of double length, containing only hexadecimal digits. This may be used to exchange the value safely in email or other non-binary environments.
Since cloud storage API's like AWS and Azure expect binary digests, it's necessary to generate these using an API external to ServiceNow that generates binary hashes using a more competent language, such as Node.js or Python. Azure Functions or AWS Lambdas provide a simple way to create such a "helper" API for generating hashes.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-26-2019 04:08 PM
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-07-2020 06:36 PM
Cheers for this, however here's another "library" that relies on another customised scoped application which is not avaliable within the repo. Which was stated to work around this Amazon auth sign4 problem and the Crypto library and make life easier.
line 455: new x_snc_scrypto.Scrypto()...https://github.com/byukich/x_snc_aws_request/
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
04-28-2020 04:39 AM
Hello
Thank you for this solution but above script include "AWSRestRequestSigningUtil" is getting deprecated from Paris release and is only available to instance which was having CMPV1 enabled in previous releases.
I was able to generate signature for AWS4 request using CryptoJS Lib in custom application scope in servicenow but when i am trying to generate the same in "sn_capi" scope in am getting an errror "undefined propertied".
Could you help me on this.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-29-2021 08:06 AM
We are currently using a custom external API which we call from ServiceNow to generate signatures. We weren't ever able to get ServiceNow to generate signatures. This is probably because ServiceNow doesn't appear to have any functions which generate binary hashes. Other languages have two separate hashing functions: one for binary and one for hex hashing. Python is an example:
hash.digest()
Return the digest of the data passed to the update() method so far. This is a bytes object of size digest_size which may contain bytes in the whole range from 0 to 255.hash.hexdigest()
Like digest() except the digest is returned as a string object of double length, containing only hexadecimal digits. This may be used to exchange the value safely in email or other non-binary environments.
Since cloud storage API's like AWS and Azure expect binary digests, it's necessary to generate these using an API external to ServiceNow that generates binary hashes using a more competent language, such as Node.js or Python. Azure Functions or AWS Lambdas provide a simple way to create such a "helper" API for generating hashes.
