vantage-aws
AWS API backend for the Vantage data framework — incubating.
Treats AWS JSON-1.1 RPC endpoints (CloudWatch Logs, ECS, DynamoDB
control plane, KMS, …) as Vantage TableSources. AwsAccount is the
source — there's no per-operation wrapper. The operation you want to
run lives in the table name.
Authentication
Three ways to construct an AwsAccount, plus a chain helper:
use AwsAccount;
let aws = new; // explicit
let aws = from_env?; // standard env vars
let aws = from_credentials_file?; // ~/.aws/credentials [default] only
let aws = from_default?; // env first, file fallback
from_credentials_file reads only the [default] profile. Region falls
through AWS_REGION → AWS_DEFAULT_REGION → ~/.aws/config
[default] region. AWS_PROFILE, SSO, assume-role, IMDS — out of
v0; set the env vars yourself if you need anything fancier.
Quick start
use ;
use Table;
use EmptyEntity;
use ReadableValueSet;
let aws = from_default?;
let mut groups: = new;
groups.add_condition;
let rows = groups.list_values.await?;
That's a CloudWatch DescribeLogGroups call, filtered by prefix. The
condition folds into the JSON request body; the response array gets
parsed into Record<CborValue> rows.
Anatomy of a table name
"logGroups:logs/Logs_20140328.DescribeLogGroups"
 │         │    └── X-Amz-Target header value
 │         └────────── service code (also URL hostname segment)
 └────────────────── response field that holds the row array
You only have to write this once per resource — usually you wrap it in a model factory and forget about the encoding (see below).
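Added example (not code from vantage-aws): a strict parser for the table-name format above. Because the service code ends up in the hostname and the target in a signed header, it rejects anything that is not a plain identifier. `OpSpec`, `parse_table_name`, `endpoint_host` and the `<service>.<region>.amazonaws.com` host layout are assumptions made for illustration.

```rust
// Hypothetical types and functions; not the vantage-aws API.
#[derive(Debug, PartialEq)]
pub struct OpSpec {
    pub array_field: String, // response field that holds the row array
    pub service: String,     // service code, also a URL hostname segment
    pub target: String,      // X-Amz-Target header value
}

// A single lowercase DNS label: no dots, slashes, '@' or ':'.
fn is_dns_label(s: &str) -> bool {
    !s.is_empty() && s.len() <= 63
        && s.bytes().all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'-')
        && !s.starts_with('-') && !s.ends_with('-')
}

// ASCII letters, digits and underscore only (so no CR/LF, spaces or separators).
fn is_ident(s: &str) -> bool {
    !s.is_empty() && s.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'_')
}

pub fn parse_table_name(name: &str) -> Result<OpSpec, String> {
    let (field, rest) = name.split_once(':').ok_or("missing ':' after array field")?;
    let (service, target) = rest.split_once('/').ok_or("missing '/' after service code")?;
    if !is_ident(field) {
        return Err(format!("bad array field: {field:?}"));
    }
    // The service code is spliced into the hostname, so a value with dots or
    // slashes could send the signed request to a different host.
    if !is_dns_label(service) {
        return Err(format!("bad service code: {service:?}"));
    }
    // The target is sent as a header value and must look like Prefix.Operation.
    let target_ok = target.split_once('.').map_or(false, |(p, op)| is_ident(p) && is_ident(op));
    if !target_ok {
        return Err(format!("bad target: {target:?}"));
    }
    Ok(OpSpec { array_field: field.into(), service: service.into(), target: target.into() })
}

// Assumed host layout: <service>.<region>.amazonaws.com
pub fn endpoint_host(spec: &OpSpec, region: &str) -> Result<String, String> {
    if !is_dns_label(region) {
        return Err(format!("bad region: {region:?}"));
    }
    Ok(format!("{}.{}.amazonaws.com", spec.service, region))
}

fn main() {
    let spec = parse_table_name("logGroups:logs/Logs_20140328.DescribeLogGroups").unwrap();
    println!("{spec:?} -> {}", endpoint_host(&spec, "eu-west-2").unwrap());
}
```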
Built-in CloudWatch models
vantage_aws::models ships two CloudWatch tables ready-made so you
don't have to memorise the table-name format:
use ;
use eq;
let mut groups = log_groups_table;
groups.add_condition;
let rows = groups.list_values.await?;
let mut events = log_events_table;
events.add_condition;
let logs = events.list_values.await?;
log_groups_table registers events as a with_many relation that
traverses to the group's log events. AWS doesn't accept multi-value
filters, so the source has to narrow to a single group before
traversal — otherwise the call errors at execute time.
Conditions
eq folds straight into the JSON request body. AWS APIs only accept
exact-match filters, so that's all you really get:
use eq;
table.add_condition;
Bring AwsOperation into scope to write column.eq(...) instead:
use AwsOperation;
table.add_condition;
In and Deferred are here to make with_one / with_many
traversal work — they must collapse to a single value at execute
time, otherwise the call errors loudly.
Demo CLI
examples/aws-cli.rs exercises the end-to-end machinery:
Output goes through vantage_cli_util::print_table so it exercises
the same Table / TableSource machinery the rest of the framework
uses.
SigV4
No aws-sdk-*, no aws-sigv4 — signing is hand-rolled in src/sign.rs
with hmac + sha2 + hex and pinned to AWS's canonical-example
fixture. Non-streaming, non-presigned, JSON-1.1 only. If you need
something else, you probably want a different crate.
Status
v0 covers: AwsAccount + JSON-1.1 transport, hand-rolled SigV4,
Eq / In / Deferred conditions, with_one / with_many
traversal, two CloudWatch models (LogGroup, LogEvent), env-var and
~/.aws/credentials [default] credential loading.
Out of scope for v0:
- Writes. insert_table_value and friends return errors. Read-only end-to-end.
- Pagination. First page only. Most JSON-1.1 list operations cap at 50–100 items per call.
- Aggregations. sum / min / max error out — would need a full scan.
- REST-JSON / S3. Lambda invoke and S3 are different protocols; they'll arrive as their own crates.
- AWS_PROFILE / SSO / assume-role / IMDS. Static credentials and the [default] profile only.
License
MIT OR Apache-2.0