This year I had a lot of fun creating the examples for the session at DevCon.

Along with the fun I had a couple of interesting technical challenges. One of those was how to generate the Signature Version 4 used to authenticate Requests in AWS.
Amazon provides SDKs for the most common programming languages, but nothing we can reuse directly in FileMaker.

The process is described in detail here. The key steps are:

  • Create a Canonical Request
  • Create a String to Sign
  • Calculate the signature
  • Add the Signing information to the Request


Create a Canonical Request

The first step is to create a string that contains information about our request in a standardized format. The string is composed by the HTTP Method of our request, the Canonical URI, the Query String, the Canonical Headers, the Signed Headers and the Payload Hash. The values depend on the specific AWS service we are working with.

The service I used at DevCon is Amazon Polly so the values would be:

  • HTTP Method = POST
  • Canonical URI = /v1/speech
  • Canonical Query String = empty
  • Canonical Headers = content-type:application/json
  • Signed Headers = content-type;host;x-amz-date
  • Request Payload = { “OutputFormat”: “mp3”, “Text”: “the text I want to send to Polly”, “VoiceId”: “Joanna” }

Now the first technical part: the Request Payload needs to be encoded using a hash (digest) function likeSHA256. For FileMaker up to version 15 we have to use the function BE_HMAC from the BaseElements Plugin. For FileMaker 16 we can use the new functions HexEncode and CryptDigest

HexEncode ( CryptDigest ( $request_params ; "SHA256" ) )

Once we have all the elements ready we can put together the Canonical Request

Set Variable [ $canonical_request ; Value: $method & Char( 10 )& $canonical_uri
& Char( 10 ) & $canonical_querystring & Char( 10 ) & $canonical_headers
& Char( 10 ) & $signed_headers & Char( 10 ) & Lower( $payload_hash ) ]


String To Sign

In a similar way we need to create the String to Sign concatenating the Algorithm used for the digest in the canonical request, date and time, Credential Scope and digest of the Canonical Request we built at point 1.


Calculate the Signature

This is where the magic happens. This step takes the secret key provided by AWS and mixes it with the Date, the Region. the Service name and generates the signing key. Each of the steps uses the previous value in a function

HexEncode( CryptAuthCode (  ) )

I’ve put the full code of this step in two custom functions called AWS4_getSignatureKey and createSignature (there are two alternative custom functions that use the BaseElements Plugin if you need to use this in FileMaker <16).


Add the Signing information to the Request

Once all these values are ready we can generate the Headers we’ll send with our request

Set variable [ $authorization_header ; Value: $algorithm & " " & "Credential="
& AWS4_access_key & "/" & $credential_scope & ","
& "SignedHeaders=" & $signed_headers & "," & "Signature=" & $signature ]


Notes on the demo file

The demo file implements this algorithm to send a text to Amazon Polly and retrieve an mp3 file with a computer generated voice reading the same text. To use the service you will have to generate access key for your user in AWS IAM and link the AmazonPollyFullAccess Policy.

Once you have obtained the Access Key and the Secret Key you can add them in the two custom functions in the FileMaker test file



If you create something with this, I would love to hear from you! You can download the file from here.