reqsign_aws_v4/lib.rs
1// Licensed to the Apache Software Foundation (ASF) under one
2// or more contributor license agreements. See the NOTICE file
3// distributed with this work for additional information
4// regarding copyright ownership. The ASF licenses this file
5// to you under the Apache License, Version 2.0 (the
6// "License"); you may not use this file except in compliance
7// with the License. You may obtain a copy of the License at
8//
9// http://www.apache.org/licenses/LICENSE-2.0
10//
11// Unless required by applicable law or agreed to in writing,
12// software distributed under the License is distributed on an
13// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
14// KIND, either express or implied. See the License for the
15// specific language governing permissions and limitations
16// under the License.
17
18//! AWS SigV4 signing implementation for reqsign.
19//!
20//! This crate provides AWS Signature Version 4 (SigV4) signing capabilities
21//! for authenticating requests to AWS services like S3, DynamoDB, Lambda, and more.
22//!
23//! ## Overview
24//!
25//! AWS SigV4 is the authentication protocol used by most AWS services. This crate
26//! implements the complete signing algorithm along with credential loading from
27//! various sources including environment variables, credential files, IAM roles,
28//! and more.
29//!
30//! ## Quick Start
31//!
32//! ```no_run
33//! use reqsign_aws_v4::{RequestSigner, DefaultCredentialProvider};
34//! use reqsign_core::{Context, Signer};
35//! use reqsign_file_read_tokio::TokioFileRead;
36//! use reqsign_http_send_reqwest::ReqwestHttpSend;
37//!
38//! #[tokio::main]
39//! async fn main() -> Result<(), Box<dyn std::error::Error>> {
40//! // Create context
41//! let ctx = Context::new()
42//! .with_file_read(TokioFileRead::default())
43//! .with_http_send(ReqwestHttpSend::default());
44//!
45//! // Create credential loader
46//! let loader = DefaultCredentialProvider::new();
47//!
48//! // Create request builder for S3
49//! let builder = RequestSigner::new("s3", "us-east-1");
50//!
51//! // Create the signer
52//! let signer = Signer::new(ctx, loader, builder);
53//!
54//! // Sign requests
55//! let mut req = http::Request::get("https://s3.amazonaws.com/mybucket/mykey")
56//! .body(())
57//! .unwrap()
58//! .into_parts()
59//! .0;
60//!
61//! signer.sign(&mut req, None).await?;
62//! Ok(())
63//! }
64//! ```
65//!
66//! ## Credential Sources
67//!
68//! The crate supports loading credentials from multiple sources:
69//!
70//! 1. **Environment Variables**: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
71//! 2. **Credential File**: `~/.aws/credentials`
72//! 3. **IAM Roles**: For EC2 instances and ECS tasks
73//! 4. **AssumeRole**: Via STS AssumeRole operations
74//! 5. **WebIdentity**: For Kubernetes service accounts
75//! 6. **SSO**: AWS SSO credentials
76//!
77//! ## Supported Services
78//!
79//! This implementation works with any AWS service that uses SigV4:
80//!
81//! - Amazon S3
82//! - Amazon DynamoDB
83//! - AWS Lambda
84//! - Amazon SQS
85//! - Amazon SNS
86//! - And many more...
87//!
88//! ## Advanced Configuration
89//!
90//! ### Using Custom Credential Providers
91//!
92//! ```no_run
93//! use reqsign_aws_v4::{EnvCredentialProvider, ProfileCredentialProvider};
94//! use reqsign_core::ProvideCredentialChain;
95//!
96//! // Create a custom credential chain
97//! let chain = ProvideCredentialChain::new()
98//! .push(EnvCredentialProvider::new())
99//! .push(ProfileCredentialProvider::new()
100//! .with_profile("production"));
101//! ```
102//!
103//! ### Custom Credential Provider
104//!
105//! You can create custom credential providers by implementing the `ProvideCredential` trait:
106//!
107//! ```no_run
108//! use reqsign_core::{ProvideCredential, Context, Result};
109//! use async_trait::async_trait;
110//!
111//! # #[derive(Debug)]
112//! # struct MyCredentialProvider;
113//! # type Credential = reqsign_aws_v4::Credential;
114//! #[async_trait]
115//! impl ProvideCredential for MyCredentialProvider {
116//! type Credential = Credential;
117//!
118//! async fn provide_credential(&self, ctx: &Context) -> Result<Option<Self::Credential>> {
119//! // Your custom credential loading logic
120//! Ok(None)
121//! }
122//! }
123//! ```
124//!
125//! ## Examples
126//!
127//! Check out the examples directory for more detailed usage:
128//! - [S3 signing example](examples/s3_sign.rs)
129//! - [DynamoDB signing example](examples/dynamodb_sign.rs)
130
131mod constants;
132
133mod credential;
134pub use credential::Credential;
135mod sign_request;
136pub use sign_request::RequestSigner;
137mod provide_credential;
138pub use provide_credential::*;
139
140pub const EMPTY_STRING_SHA256: &str =
141 "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";