AWS SigV4 signing implementation for reqsign.
This crate provides AWS Signature Version 4 (SigV4) signing capabilities for authenticating requests to AWS services like S3, DynamoDB, Lambda, and more.
§Overview
AWS SigV4 is the authentication protocol used by most AWS services. This crate implements the complete signing algorithm along with credential loading from various sources including environment variables, credential files, IAM roles, and more.
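What a SigV4 signer signs is a canonical form of the request, so only the parts that appear in it are authenticated. The sketch below is an added example, not code from reqsign; it builds that canonical request with the path encoded once (as S3 expects), and the bucket, key, date and header values are constructed.

```rust
// Added example, not reqsign code. Host, path and header values are constructed.
use std::collections::BTreeMap;

/// SigV4 percent-encoding: A-Z a-z 0-9 - _ . ~ pass through, the rest become %XX.
/// `keep_slash` is true for the path (encoded once, S3 style), false for query parts.
fn uri_encode(s: &str, keep_slash: bool) -> String {
    let mut out = String::new();
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'~' => out.push(b as char),
            b'/' if keep_slash => out.push('/'),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Builds the canonical request. Only the headers passed in are listed in
/// SignedHeaders, so only they are covered by the resulting signature.
fn canonical_request(method: &str, path: &str, query: &[(&str, &str)],
                     headers: &[(&str, &str)], payload_hash: &str) -> String {
    // Query: encode names and values, then sort by (name, value).
    let mut q: Vec<(String, String)> = query.iter()
        .map(|(k, v)| (uri_encode(k, false), uri_encode(v, false)))
        .collect();
    q.sort();
    let query_str = q.iter().map(|(k, v)| format!("{k}={v}")).collect::<Vec<_>>().join("&");
    // Headers: lowercase names, trim and collapse whitespace in values,
    // join repeated headers with ',', sort by name (BTreeMap order).
    let mut h: BTreeMap<String, String> = BTreeMap::new();
    for (k, v) in headers {
        let slot = h.entry(k.to_ascii_lowercase()).or_default();
        if !slot.is_empty() { slot.push(','); }
        slot.push_str(&v.split_whitespace().collect::<Vec<_>>().join(" "));
    }
    let canon_headers: String = h.iter().map(|(k, v)| format!("{k}:{v}\n")).collect();
    let signed = h.keys().cloned().collect::<Vec<_>>().join(";");
    format!("{method}\n{}\n{query_str}\n{canon_headers}\n{signed}\n{payload_hash}",
            uri_encode(path, true))
}

fn main() {
    let req = canonical_request("GET", "/mybucket/my key.txt",
        &[("prefix", "a b"), ("list-type", "2")],
        &[("Host", "s3.amazonaws.com"), ("X-Amz-Date", "20240101T000000Z"),
          ("x-amz-content-sha256", "UNSIGNED-PAYLOAD")],
        "UNSIGNED-PAYLOAD");
    println!("{req}");
}
```

A header that is sent but not passed to the canonicalization step is absent from SignedHeaders and can be altered in transit without invalidating the signature.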
§Quick Start
    use reqsign_aws_v4::{RequestSigner, DefaultCredentialProvider};
    use reqsign_core::{Context, Signer};
    use reqsign_file_read_tokio::TokioFileRead;
    use reqsign_http_send_reqwest::ReqwestHttpSend;

    #[tokio::main]
    async fn main() -> Result<(), Box<dyn std::error::Error>> {
        // Create context
        let ctx = Context::new()
            .with_file_read(TokioFileRead::default())
            .with_http_send(ReqwestHttpSend::default());

        // Create credential loader
        let loader = DefaultCredentialProvider::new();

        // Create request builder for S3
        let builder = RequestSigner::new("s3", "us-east-1");

        // Create the signer
        let signer = Signer::new(ctx, loader, builder);

        // Sign requests
        let mut req = http::Request::get("https://s3.amazonaws.com/mybucket/mykey")
            .body(())
            .unwrap()
            .into_parts()
            .0;
        signer.sign(&mut req, None).await?;

        Ok(())
    }

§Credential Sources
The crate supports loading credentials from multiple sources:
- Environment Variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
- Credential File: ~/.aws/credentials
- IAM Roles: For EC2 instances and ECS tasks
- AssumeRole: Via STS AssumeRole operations
- WebIdentity: For Kubernetes service accounts
- SSO: AWS SSO credentials
§Supported Services
This implementation works with any AWS service that uses SigV4:
- Amazon S3
- Amazon DynamoDB
- AWS Lambda
- Amazon SQS
- Amazon SNS
- And many more…
§Advanced Configuration
§Using Custom Credential Providers
    use reqsign_aws_v4::{EnvCredentialProvider, ProfileCredentialProvider};
    use reqsign_core::ProvideCredentialChain;

    // Create a custom credential chain
    let chain = ProvideCredentialChain::new()
        .push(EnvCredentialProvider::new())
        .push(ProfileCredentialProvider::new()
            .with_profile("production"));

§Custom Credential Provider
You can create custom credential providers by implementing the ProvideCredential trait:
    use reqsign_aws_v4::Credential;
    use reqsign_core::{ProvideCredential, Context, Result};
    use async_trait::async_trait;

    // Placeholder type for your own provider
    #[derive(Debug)]
    struct MyCredentialProvider;

    #[async_trait]
    impl ProvideCredential for MyCredentialProvider {
        type Credential = Credential;

        async fn provide_credential(&self, ctx: &Context) -> Result<Option<Self::Credential>> {
            // Your custom credential loading logic
            Ok(None)
        }
    }

§Examples
Check out the examples directory for more detailed usage:
Structs§
- AssumeRoleCredentialProvider: AssumeRoleCredentialProvider will load credentials via assume role.
- AssumeRoleWithWebIdentityCredentialProvider: AssumeRoleWithWebIdentityCredentialProvider will load credentials via assume role with web identity.
- CognitoIdentityCredentialProvider: Cognito Identity Credentials Provider
- Credential: Credential that holds the access_key and secret_key.
- DefaultCredentialProvider: DefaultCredentialProvider is a loader that will try to load credentials via default chains.
- DefaultCredentialProviderBuilder: Builder for DefaultCredentialProvider.
- ECSCredentialProvider: ECS Task Role Credentials Provider
- EnvCredentialProvider: EnvCredentialProvider loads AWS credentials from environment variables.
- IMDSv2CredentialProvider
- ProcessCredentialProvider: Process Credentials Provider
- ProfileCredentialProvider: ProfileCredentialProvider loads AWS credentials from configuration files.
- RequestSigner: RequestSigner that implements AWS SigV4.
- S3ExpressSessionProvider: S3 Express One Zone session provider that creates session credentials.
- SSOCredentialProvider: SSO Credentials Provider
- StaticCredentialProvider: StaticCredentialProvider provides static AWS credentials.