Skip to Content
Technical Articles
Author's profile photo Alexandre Rezende

How to download a file from Amazon S3 Buckets

  • Update April 15, 2019:
    Include a enhancement to the UDF to work with HTTP and HTTPS simultaneously;
    Include a enhancement to the UDF to work with URL encoded and NOT encoded (it’s necessary comment/uncomment the line).


Today I’ll explain step-by-step how to calculate the signature to authenticate and download a file from the Amazon S3 Bucket service without third-party adapters.

Step-by-step Interface Flow


In summary this interface receive download URL, Bucket, AccessKeyID, SecretAccessKey, Token and AWSRegion, a mapping calculate the signature with this information and sent to REST Adapter, the signature and anothers parameters are insert in HTTP header.

Some information for calculate the signature are provide another service, this post explain only how to calculate, but is possible implemented enhancements, for example, create a rest/soap lookup to get a Token and SecretAccessKey.


The response is a file, and the REST Adapter don’t work with format different of XML or JSON, then you will need convert the file to binary, and this content are insert in a tag of XML. For this conversion I recommend a module adapter FormatConversionBean developed by @engswee.yeoh


Development and Configuration the Interface

Request mapping

For the request mapping you need create a two structures, one for inbound and another for outbound.



After create the structures for the request mapping (data type, message type, etc), you need create a message mapping.

Now you need to map the fields, pay attention to the next steps for configurations the roles.

Roles for Message Mapping

  •  Fields XAmzSecurityTokenand Url are mapped directly….


  • Field XAmzSha256 is mapped with a constant value e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (this string is a hash of a null value)


  • Field XAmzDate is mapped with a CurrentDate (format yyyyMMdd’T’HHmmss’Z’) function…

  • Field ContentType is mapped with a constant value application/x-www-form-urlencoded


  • Field Host is mapped with a UDF or ConstantValue.

The Host is a result of concatenation of the Bucket + ““,
so you can use a ConstantValue ( for example), which receives the bucket and returns the Host

public String Host(String inBucket, Container container) throws StreamTransformationException{
String vServiceName = "s3";
String vS3Host = vServiceName + "";

String vHost = inBucket + "."+ vS3Host;
return vHost;


  • Field Authorizathion is mapped with a UDF.

In field Authorization you have insert the signature calculated with the UDF below.

public String AWS4Signer(String inURL, String inDate, String inBucket, String inAccessKeyId, String inSecretAccessKey, String inToken, String inAWSRegion, Container container) throws StreamTransformationException{
String vSignedHeaders="content-type;host;x-amz-content-sha256;x-amz-date;x-amz-security-token"; 
String vHashedCannonicalRequest="";

String vScope= inDate.substring(0,8) + "/" + inAWSRegion + "/s3/aws4_request";
String vCredential="";
String vSignature="";
String vSignatureKey="";
String vServiceName="s3";
String vS3Host=vServiceName+"";
String vHost=(inBucket+"."+vS3Host).toLowerCase();

// Only URL NOT encoded
String vCanonicalURI = urlEncode(inURL.replace("https://"+vHost,"").replace("http://"+vHost,"").trim(),true);

// Only URL encoded
//String vCanonicalURI = inURL.replace("https://"+vHost,"").replace("http://"+vHost,"").trim();

String vCanonicalQueryString = "";
String vHTTPRequestMethod = "GET";
String vContentSHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
String vContentType = "application/x-www-form-urlencoded";

String cannonicalRequest="";
String stringToSign="";

String outAutorization="";

MappingTrace importanttrace;
importanttrace = container.getTrace();

// Canonical Request

importanttrace.addInfo("***** Canonical Request ***** ");
cannonicalRequest = 
	vHTTPRequestMethod.trim() +"\n"+
	"host:" +vHost.trim()+"\n"+


//Canonical Request Hashed

importanttrace.addInfo("***** Hashed Canonical Request ***** ");
vHashedCannonicalRequest = hash(cannonicalRequest);

importanttrace.addInfo( vHashedCannonicalRequest);

//String to Sign
importanttrace.addInfo("***** String to Sign ***** ");
stringToSign =



importanttrace.addInfo("***** Signing  ***** ");

byte[] kSigning = getSignatureKey(inSecretAccessKey, inDate.substring(0,8), inAWSRegion, vServiceName);
byte[] signature = HmacSHA256(stringToSign.toString(), kSigning);

vSignatureKey =  bytesToHex (kSigning).toLowerCase(Locale.getDefault());
vSignature = bytesToHex (signature).toLowerCase(Locale.getDefault());

} catch (Exception e) {
		throw new RuntimeException("Unable to compute hash while signing request: " + e.getMessage(), e);

outAutorization = "AWS4-HMAC-SHA256 Credential=" + inAccessKeyId + "/" + vScope + ", SignedHeaders=" + vSignedHeaders + ", Signature=" + vSignature;

importanttrace.addInfo("Siging Key: " + vSignatureKey);
importanttrace.addInfo("Signature: " + vSignature);
importanttrace.addInfo("Authorization: " + outAutorization);


return outAutorization;



You also need to create some methods, which will be used by UDF in signing.


public static String hash(String text) {
	String hashedString = "";
	try {
		MessageDigest md = MessageDigest.getInstance("SHA-256");
		byte[] hashedBytes = md.digest(text.getBytes("UTF-8"));
		for (int i = 0; i < hashedBytes.length; i++){
			hashedString += Integer.toHexString((hashedBytes[i] >> 4) & 0xf);
			hashedString += Integer.toHexString(hashedBytes[i] & 0xf);
	return hashedString;
	} catch (Exception e) {
		throw new RuntimeException("Unable to compute hash while signing request: " + e.getMessage(), e);

private static String bytesToHex(byte[] hashInBytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : hashInBytes) {
            sb.append(String.format("%02x", b));
        return sb.toString();

 public static byte[] HmacSHA256(String data, byte[] key) throws Exception  {
         String algorithm="HmacSHA256";
         Mac mac = Mac.getInstance(algorithm);
         mac.init(new SecretKeySpec(key, algorithm));
         return mac.doFinal(data.getBytes("UTF8"));

public static byte[] getSignatureKey(String key, String dateStamp, String regionName, String serviceName) throws Exception  {
         byte[] kSecret = ("AWS4" + key).getBytes("UTF8");
         byte[] kDate    = HmacSHA256(dateStamp, kSecret);
         byte[] kRegion  = HmacSHA256(regionName, kDate);
         byte[] kService = HmacSHA256(serviceName, kRegion);
         byte[] kSigning = HmacSHA256("aws4_request", kService);
         return kSigning;

    public static String urlEncode(String url, boolean keepPathSlash) {
        String encoded;
        try {
            encoded = URLEncoder.encode(url, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException("UTF-8 encoding is not supported.", e);
        if ( keepPathSlash ) {
            encoded = encoded.replace("%2F", "/");
        return encoded;

and import the packages…****


After developed the UDF, its necessary configure with the inbound values.

Note: the format of CurrentDate is yyyyMMdd’T’HHmmss’Z’.

Now save and Activate the Request mapping.

Response mapping

The response mapping it’s simple and not necessary many explanation.

Configure the interface normally …

After created Request/Response Mapping, build the Operation Mapping and a Integrated Configuration normally. The Communication Channel can be of any type that is synchronous, but the Receiver must be to type rest and configured as below.

Receiver Communication Channel

Now you need configure the Receiver Channel, for this the values generates in request message mapping are storage in variables, and this variables are used in the communication channel.


Now the variables storage are used in the HTTP Header, here you configure how the canonical request is create.


It’s necessary configure the REST Operation, for this case the operation is GET.


And finally configure the module adapter FormatConversionBean to converte the file in b64string.

IMPORTANTE: The module adapter FormatConversionBean isn’t standard, and you need deploy if you have not already, for more information and download of module you can access here.


Save and active all objects, now we going test!

Running a test

Fill in all the fields correctly in the interface and call the created service, the response should be the file in b64string format.

If you analyze the log of request messages, the parameters are populated in the HTTP header and communication has succeeded (HTTP 200)

and the response (the file) is converted to b64 string.

That’s all! I hope I have collaborated and I am waiting for your feedback on this post.








How to Calculate AWS Signature Version 4

Module Adapter FormatConversionBean

PI REST Adapter – Define custom http header elements







Assigned Tags

      You must be Logged on to comment or reply to a post.
      Author's profile photo Ha Chan
      Ha Chan

      Hello Alexander,

      Very Nice Blog. This is really helpful. This is exactly what I am trying to implement.

      However, I have a question. In the response, When you decode the file from the b64string in the response. Will it be possible to retain the original filename?




      Author's profile photo Alexandre Rezende
      Alexandre Rezende
      Blog Post Author

      Hi Chan, I'm very happy to have helped.

      Usually the file name is already in the url, for example: "", the file name is "Example123.jpg".

      In this case the request mapping can copy the name of the file, then use it in the response mapping.

      I found the post below that explains this in more detail.

      Author's profile photo Satya Kiran Babu PAKALA
      Satya Kiran Babu PAKALA

      Hello Alexander,

      I followed your blog and all good !

      However I am unable to convert this Base64 message to image at ECC.

      A normal text file is all good, however when I convert Base64 to image or PDF... at ECC, it complains that the downloaded files are in corrupted.

      I am using below functions to base64 to image convertion at ECC

      3. CL_GUI_FRONTEND_SERVICES=>gui_download

      Could you suggest and help !

      Thank you




      Author's profile photo Ha Chan
      Ha Chan

      Thank you Alexander for your help. This helped me solve my requirement to download the files from S3 Buckets.

      Just to summarize Here are a few issues I faced during my testing

      1. DateTimeIssue. Our PO system time is CST, but the AWS uses UTC time, so I get the error "RequestTimeTooSkewed". I used Eng's blog using JODA repository to convert CST to UTC.
      2. Signature caluclation failed. My URL had spaces and ( ) special characters. I had to convert spaces to %20 and ( to %28 and ) to %29 etc to caluclate the correct signatures.



      Author's profile photo Emiliano Orengo
      Emiliano Orengo

      Hi Alexandre,

      How do I get the Token? As long as I see, when I've created the S3 bucket and then the IAM user I get the access key ID and secret Key (of course, the bucket name and region too).

      Could you help us to obtain the Token?

      In addition, is there any way to protect this information?

      Thanks in advance.

      Best regards,