Why Does My Custom AWS Operation in n8n Return a Missing Authentication Token Error?

Below is some guidance on how to proceed:

What’s Happening

n8n’s AWS credentials automatically sign requests only when used with the built‐in AWS nodes (or the ones that explicitly leverage AWS signature logic). When you use a custom HTTP Request node with the pre-defined AWS credentials for an operation like Textract.DetectDocumentText, the node (by default) doesn’t sign the request using AWS Signature Version 4. That’s why you see a “Missing Authentication Token” error and no Authorization header is being sent.

Potential Approaches

1. Use a Built‑in AWS Node if Possible
   n8n already has an AWS Textract node which takes care of signing requests automatically. If your operation is supported by the built‑in node, this is the simplest solution.

2. Manually Sign the Request
   If you need to call an AWS endpoint that isn’t (yet) supported by an n8n node, you’ll need to sign the HTTP Request using AWS Signature Version 4 yourself. Some approaches:

   • Pre-sign using a Function Node:
     Use a Function node (or similar) to sign your request using a library such as aws4 before sending it via the HTTP Request node. For example, you could install and use aws4 (if you run n8n in an environment where you can add dependencies) to generate the necessary headers. Then pass those headers to the HTTP Request node.

   • Manually Construct the Headers:
     Refer to AWS documentation on Signature Version 4 signing process and mimic the signing flow. This approach is more involved as you must compute several values (such as canonical request hash, string to sign, and the signature itself) and add headers like Authorization, x-amz-date, and — if needed — x-amz-security-token.

Key Points to Verify

• Endpoint & Region:
  Make sure you’re targeting the correct Textract endpoint. For example, use a URL of the form:
  https://textract.[YOUR_REGION].amazonaws.com
  Also verify that you’ve set the right region in your AWS credential.

• HTTP Method & Headers:
  Textract’s operation (like DetectDocumentText) requires a POST request with specific headers. For example, you may need:

  • x-amz-target: Should be set to the operation, e.g., "Textract.DetectDocumentText".
  • Content-Type: Usually "application/x-amz-json-1.1".

  If these headers aren’t included or properly formatted, AWS may ignore the authentication.

• Credential Configuration:
  If you plan to rely on n8n’s pre-defined AWS credentials, double-check that the AWS credentials (Access Key ID, Secret Access Key, and Region) are set correctly and that any needed custom endpoints (if running in a VPC scenario) are configured.

Example Using a Function Node and aws4

If your n8n deployment allows adding the aws4 dependency (or if you can replicate its logic), your workflow could look like this:

1. Function Node (to sign the request):

JSCopied
// Example using aws4 library to sign a request
// Make sure the aws4 library is available in your environment

const aws4 = require('aws4');

// Define AWS credentials and region
const credentials = {
  accessKeyId: 'YOUR_AWS_ACCESS_KEY_ID',
  secretAccessKey: 'YOUR_AWS_SECRET_ACCESS_KEY',
};

const region = 'YOUR_REGION';

// Prepare the request options
let opts = {
  host: `textract.${region}.amazonaws.com`,
  path: '/',
  service: 'textract',
  region,
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-amz-json-1.1',
    'x-amz-target': 'Textract.DetectDocumentText'
  },
  body: JSON.stringify({
    // ... your Textract.DetectDocumentText parameters
  }),
};

// Sign the request
aws4.sign(opts, credentials);

// Return the headers and body to use in the HTTP Request node
return {
  signedOptions: opts
};

2. HTTP Request Node:
   Use the output from the Function node. Set:
   • Method: POST
   • URL: https://textract.YOUR_REGION.amazonaws.com
   • Body: Use the same JSON body
   • Headers: Copy in the signed headers generated (Authorization, X-Amz-Date, etc.)

This example shows one way to sign your AWS request externally before calling it. (Note that depending on your environment, you might have to adjust how you access external libraries or replicate the signing logic.)

Summary

When using a custom HTTP Request node for AWS API calls, the missing authorization header issue is due to the fact that n8n’s AWS credential signing is not automatically applied to generic HTTP calls. You’ll need to either use a dedicated AWS node (if available) or manually sign your requests using AWS Signature Version 4.

I hope this helps clear things up! Let me know if you need further clarification on any of these steps.