Use variables in auth for AWS4

Hi!

I have a workflow to fetch temporary AWS Access Key ID and AWS Secret Key ID to be used in subsequent AWS4 calls. However, I can't see how to include a variable in these fields when setting up the API resource. Did I miss something, or is this currently not possible?

@fireb1adex Can you share your current setup? Usually, in a workflow, you can forward the result from 1 block to the next. If you have 1 block that fetches the access & secret key, the next block can use those values to make subsequent requests.

A resource has a static configuration that cannot use the result of a workflow, but some resources do support custom authentication that you can plug your code into.

Please share more information about what you're doing and maybe we can advise what's best to do in your case.

Hey Harry, this is for an integration with Amazon SP-API, calls made need to use the AWS4 auth, which signs the requests. I saw there is a custom REST request, but due to the requirement for the AWS4 auth, I couldn't see that it could be used.

The process is to assume a role, using your normal AWS id and secret. You're given a temporary id and secret to use from there onwards, and these temporary credentials can't be passed to a resource.

I guess in short, I need to use AWS4 auth, but AWS4 auth is locked for use only with a resource, and resources don't allow variables to be used for the AWS id and secret.

Hope that makes sense!

@Harry_Doan - open to try any suggestions, what do you think?

Hi @fireb1adex, the ideal implementation of your Authentication scheme in Retool would be a Custom Auth flow defined on a Resource. The first step would be an AWS v4 step using the "normal" AWS id and secret to fetch temporary credentials. The second step would then set those temporary credentials on the Resource to be used for AWS v4 auth for requests made with the Resource in Apps and Workflows. Unfortunately, there is no AWS v4 Custom Auth step, nor a way to configure AWS v4 using credentials fetched in a Custom Auth flow. So this isn't cleanly supported with out-of-the-box Retool functionality currently.

You could set up your flow by manually instrumenting AWS v4 Auth with a JavaScript step in Custom Auth on a Resource, but it would fetch temporary credentials for every request made with the Resource. Separately, you could instrument AWS v4 Auth within a Workflow using JavaScript as suggested by Harry, but again I believe this would fetch new temporary credentials for every workflow run.

Could either of those options work for your use case? If not, can you simply use AWS v4 Auth without temporary credentials?
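For readers following the "manually instrument AWS v4 Auth with JavaScript" route discussed in this thread, here is an added example (not part of any post above, and not Retool's own code) of SigV4 signing with temporary credentials, where the session token travels as a signed `x-amz-security-token` header. Assumptions: a Node.js-style runtime with the built-in `crypto` module, a hypothetical helper name `signRequest`, constructed host and credential values, and a `path` and `query` that are already URI-encoded in canonical form.

```javascript
const crypto = require('crypto');

const hmac = (key, data) => crypto.createHmac('sha256', key).update(data, 'utf8').digest();
const sha256Hex = (data) => crypto.createHash('sha256').update(data, 'utf8').digest('hex');

// Hypothetical helper: returns the headers to attach to one SigV4-signed request.
// creds = { accessKeyId, secretAccessKey, sessionToken }; sessionToken is only
// present for temporary credentials (for example, the result of assuming a role).
function signRequest({ method, host, path, query = '', body = '', region, service, creds, now = new Date() }) {
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ''); // e.g. 20240101T000000Z
  const dateStamp = amzDate.slice(0, 8);
  const headers = { host, 'x-amz-date': amzDate };
  // Temporary credentials are rejected unless the token is sent, so sign it too.
  if (creds.sessionToken) headers['x-amz-security-token'] = creds.sessionToken;

  // Canonical request: lower-case header names, sorted, one "name:value\n" per header.
  const names = Object.keys(headers).sort();
  const canonicalHeaders = names.map((n) => `${n}:${String(headers[n]).trim()}\n`).join('');
  const signedHeaders = names.join(';');
  const canonicalRequest = [method, path, query, canonicalHeaders, signedHeaders, sha256Hex(body)].join('\n');

  const scope = `${dateStamp}/${region}/${service}/aws4_request`;
  const stringToSign = ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalRequest)].join('\n');

  // Derive the per-day, per-region, per-service signing key from the secret key.
  let key = hmac('AWS4' + creds.secretAccessKey, dateStamp);
  for (const part of [region, service, 'aws4_request']) key = hmac(key, part);
  const signature = crypto.createHmac('sha256', key).update(stringToSign, 'utf8').digest('hex');

  headers.authorization = `AWS4-HMAC-SHA256 Credential=${creds.accessKeyId}/${scope}, ` +
    `SignedHeaders=${signedHeaders}, Signature=${signature}`;
  return headers;
}

// Constructed sample values, not real credentials or a real endpoint.
const sampleHeaders = signRequest({
  method: 'GET', host: 'api.example.com', path: '/orders', region: 'us-east-1', service: 'execute-api',
  creds: { accessKeyId: 'ASIAEXAMPLE', secretAccessKey: 'secretEXAMPLE', sessionToken: 'tokenEXAMPLE' },
  now: new Date('2024-01-01T00:00:00Z'),
});
console.log(sampleHeaders.authorization);
```

The secret key and session token should come from the step that fetched them, not from literals in the script, and the returned headers should not be written to logs because they contain the session token.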