Mule App to Create Signed AWS API Request (Signature Version 4)

This document covers a Mule Application code that publishes a message to AWS SNS Topic without using AWS Connectors. Instead, we will create a Signed AWS API Request (Signature Version 4) - Link in Dataweave and send it using a HTTP Request component. We will have an AWS SQS Queue subscribed to that SNS Topic to check the message delivery. This demo will be done in a local Windows environment.

Let’s begin...

Pre-requisites

  • AWS Account. Region used in this demo is US East (Ohio) i.e., us-east-2.
  • IAM User part of a User Group having the following 2 permission policies attached - AmazonSQSFullAccess & AmazonSNSFullAccess. Also, assuming that you have the accessKey and secretKey of that user.
  • SNS Topic (Type - FIFO) with Content-based message deduplication set to Enabled.
  • SQS Queue (Type - FIFO) with Content-based message deduplication set to Enabled and Subscribed to the above said SNS Topic.
  • Postman
  • Anypoint Studio and Java (Be sure to verify that AnypointStudio.ini file’s -vm path is pointing to the JDK you are using).

For this demo, I am using JDK 11.0.17 - Link. But MuleSoft recommends JDK 8 for best compatibility in Anypoint Studio and Cloudhub deployments. I have also correctly configured %JAVA_HOME% and Path system environment variables in Windows.

Anypoint Studio being used is version 7.14 and its AnypointStudio.ini file has following entry -

-vm
C:\Program Files\Java\jdk-11.0.17\bin\javaw.exe

Anypoint Studio Code

Create a new Mule Application project in Anypoint Studio. Create a file named app-dev.yaml (You can name it as you wish) in the following project path -

src/main/resources/properties/

The final file structure will look like this -

src/main/resources/properties/app-dev.yaml

Enter the following code snippet in this file and make changes wherever required. Don't forget to encrypt the AWS IAM User's accessKey and secretKey first using the Secure Properties Tool - Link

http:
  port: "8081"
aws:
  host: "sns.us-east-2.amazonaws.com"
  service: "sns"
  region: "us-east-2"
  endPoint: "sns.us-east-2.amazonaws.com"
  accessKey: "![ENCRYPTED_AWS_IAM_USER_ACCESS_KEY]"
  secretKey: "![ENCRYPTED_AWS_IAM_USER_SECRET_KEY]"
  sns:
    topicARN: "SNS_TOPIC_ARN"

Now, include the Secure Properties module in your Workspace's Mule Palette and create a Secure Properties Config in this project. Point it to the app-dev.yaml file you just created. OR You can just use the following code -

<secure-properties:config
  name="Secure_Properties_Config"
  doc:name="Secure Properties Config"
  doc:id="2cabe375-5a71-4a65-b1cc-60864c25f0a1"
  file="properties\app-dev.yaml"
  key="${mule.key}"
/>

Next, download the following two *.dwl files - GitHub Gist Link

Place them in this project path -

src/main/resources/dwlfiles/

The final file structure will look like this -

src/main/resources/dwlfiles/qparamVariable.dwl
src/main/resources/dwlfiles/awsSignature.dwl

Now, open the project’s main *.xml file (You can later segregate the entire code in interface.xml and implementation.xml files if you want) and use the following XML code to setup a listener flow -

<flow
  name="send-data-to-SNS-interface-flow"
  doc:id="7d8d07d1-feaa-4011-b1e4-bc426f26887d"
>
  <http:listener
    doc:name="Listener"
    doc:id="b99bede3-2d0e-4c24-9e44-c4f80ba47f97"
    config-ref="HTTP_Listener_config"
    path="/send"
    allowedMethods="POST"
  />
  <flow-ref
    doc:name="send-data-to-SNS-implementation-flow"
    doc:id="3ec7f7bd-33b6-4652-8f67-4b30c9878a79"
    name="send-data-to-SNS-implementation-flow"
  />
</flow>

This code will look like this -

Listener Flow

You will have to create a Listener configuration. For that, you can use the following code -

<http:listener-config
  name="HTTP_Listener_config"
  doc:name="HTTP Listener config"
  doc:id="5f29422b-31e7-4094-9c9d-5088b6ba2c78"
>
  <http:listener-connection host="0.0.0.0" port="${secure::http.port}" />
</http:listener-config>

Then, in the same *.xml file, use the following XML code to setup the subflow that creates Signed AWS API Request -

<sub-flow
  name="send-data-to-SNS-implementation-flow"
  doc:id="c5550522-b627-4f25-9a9c-f8c669cf1940"
>
  <ee:transform
    doc:name="qparam variable"
    doc:id="37370213-95ab-4684-93ba-79defd248e7c"
  >
    <ee:message></ee:message>
    <ee:variables>
      <ee:set-variable
        resource="dwlfiles\qparamVariable.dwl"
        variableName="qparam"
      />
    </ee:variables>
  </ee:transform>
  <set-payload
    value='#[""]'
    doc:name="making payload empty"
    doc:id="47f3d5b8-8142-4b5a-a9d0-ecbaae16296c"
  />
  <ee:transform
    doc:name="build URL with AWS signature"
    doc:id="467610fe-1635-47fb-9f3d-55d6829cabd4"
  >
    <ee:message></ee:message>
    <ee:variables>
      <ee:set-variable
        resource="dwlfiles/awsSignature.dwl"
        variableName="aws"
      />
    </ee:variables>
  </ee:transform>
  <logger
    level="INFO"
    doc:name="log vars.aws"
    doc:id="a513e1ce-3d12-44db-93b0-25183d269af0"
    message='#["Final URL:\n" ++ "http://" ++ vars.aws]'
  />
  <http:request
    method="GET"
    doc:name="hit the URL"
    doc:id="04b2ee21-a886-4421-9b46-8d01e5770e89"
    url='#["http://" ++ vars.aws]'
  />
  <logger
    level="INFO"
    doc:name="log payload"
    doc:id="34fff416-8364-4f87-9ed9-bba2097ba730"
    message="#[payload]"
  />
</sub-flow>

This code will look like this -

Create Signed API Request SubFlow

Do not try to configure the HTTP Request component. It just needs to hit the final URL, nothing else.

Don’t forget to provide your encryption key in Run configuration as environment variables – mule.key

Run the Mule Application now.

You can import the following Postman Collection (v2.1) file in Postman to test the application with an example payload - GitHub Gist Link

Alternatively, if you want, the cURL code for the same is below -

curl --location --request POST 'http://localhost:8081/send?messageGID=account' \
--header 'Content-Type: application/json' \
--data-raw '[
    {
        "counter": 1
    },
    {
        "name": "Bruce Wayne",
        "email": "ceo@waynetech.com"
    },
    {
        "name": "Clark Kent",
        "email": "ceo@fortressofsolitude.com"
    },
    {
        "name": "Teth Adam",
        "email": "ceo@rockofeternity.com"
    }
]'

As you send this request and if all goes well, then the Console View in Anypoint Studio should first log the final Signed AWS API Request URL (You can even use this URL in a Browser, it will work) and then its response as shown below -

Final Signed AWS API Request

Response of Signed AWS API Request

You can go to AWS Console and verify that the message was received or not by using the Poll for messages button in SQS Dashboard. You'll find your message there as shown -

Verifying Message Reception in SQS

This completes the demo.

Troubleshooting Common Issues

I don’t think anyone will encounter any issues using this guide so I will leave the common issues part blank this time :)

Comments

Post a Comment