-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SigV4 sign arbitrary requests #1784
Comments
In my ideal world, this is available on the |
@rhboyd -Thank you for your post. I would mark this as a feature request. |
I was surprised to find this wasn't already a feature! This would be hugely beneficial for Edit: I am especially surprised after finding this is a feature of the Go SDK, and in fact it appears all other SDKs support this already. |
I'd also be happy to do implementation work on this, as long so the botocore team is ok with the new |
It could be a new wrapper class with a |
I've discovered a cleaner way to do this lately import boto3
from botocore.auth import SigV4Auth
from botocore.awsrequest import AWSRequest
import requests
session = boto3.Session()
credentials = session.get_credentials()
creds = credentials.get_frozen_credentials()
def signed_request(method, url, data=None, params=None, headers=None):
request = AWSRequest(method=method, url=url, data=data, params=params, headers=headers)
# "service_name" is generally "execute-api" for signing API Gateway requests
SigV4Auth(creds, "service_name", REGION).add_auth(request)
return requests.request(method=method, url=url, headers=dict(request.headers), data=data)
def main():
url = f"my.url.example.com/path"
data = {"environmentId": self._environment_id}
headers = {'Content-Type': 'application/x-amz-json-1.1'}
response = signed_request(method='POST', url=url, data=data, headers=headers)
if __name__ == "__main__":
main() |
Isn't this basically the same thing as your original Gist (I'm assuming @rhboyd and @richardhboyd are the same person... apologies if not), but without calling |
yeah, the request.headers part can also be re-used for websockets that need IAM Auth (Neptune Gremlin connections) and the credentials work in a more environment agnostic way as well. |
@rhboyd can we also pass security token as well? I need to pass assume role credentials along with signed header? |
can you clarify the question a little bit? you can sign requests using the security token as well but you shouldn't have to pass the actual credentials in the header. the credentials should never be sent with a request (only a signature made from the credentials should be sent) |
@richardhboyd thanks for coming back, so when I tried your botocore with AWSRequest and Sig4Vuth approach I was getting that 'code': 'ACCESS_DENIED', 'message': 'User: arn:aws:sts::myrole is not authorized to perform: execute-api:Invoke on resource: soyrcerole /GET/sites with an explicit deny'} I tried second approach where I manually signed the signature using aws documentation(https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html) its saying security token is invalid 'message': 'The security token included in the request is invalid, so I thought to pass security token and provided signed again, I was getting INVALID_REQUEST The request signature we calculated does not match the signature you provided. Checkyour AWSSecretAccessKey and signingmethod.Consult the service documentation for details.TheCanonical String for this request should have been. and just for FYI, its working on POSTMAN when I'm passing assume role credns. |
the first message meant that the request was signed properly but you didn't have permission to invoke the API. what does the API's resource policy look like? |
I confronted same to use but they have added my lambda exn role in there config, and api resource policy expects credentials need to be added to a header in the request somehow. But the kind of header the request needs is to do with sigv4 signing |
Okay, so there's a few different resources here we need to be clear about.
…-API Gateway API
-API Gateway execution Role (let's call this RoleA)
-Lambda Function Execution Role (RoleB)
-Role the signs requests that are sent to the API (RoleC)
The API Gateway resource policy needs to allow RoleC to "execute-api" for any path in the API that is needed.
RoleA needs permission to invoke the Lambda Function and needs to have a trust policy that lets the API Gateway service assume that role.
On Nov 17, 2021, at 8:14 AM, RahulPATK ***@***.***> wrote:
I confronted same to use but they have added my lambda exn role in there config, and api resource policy expects credentials need to be added to a header in the request somehow. But the kind of header the request needs is to do with sigv4 signing
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#1784 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AN4IKXY6PNMYNKNH3S5NDT3UMOTAJANCNFSM4ID37Q5A>.
Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
-API Gateway API The API Gateway resource policy needs to allow RoleC to "execute-api" for any path in the API that is needed -- need to check RoleA needs permission to invoke the Lambda Function and needs to have a trust policy that lets the API Gateway service assume that role -- Configured |
@richardhboyd its done, issue was with headers, so, first, I manually signed, using aws documentation, https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html, bingo. |
Botocore Sigv4 signs all AWS API Requests. It should expose the ability to sign arbitrary https requests.
API Gateway has an AWS_IAM auth mechanism and this results in needed to sigv4 sign https requests to domains not included in the usual Python SDK. As more databases (like Neptune) offer AWS IAM auth to manage database permissions, this problem will appear more frequently. The current "recommended" approach is to use a random third-party library named "aws-requests-auth" but that library isn't maintained by AWS and I'd really like to avoid asking new devs to Google "AWS SIgv4 Python", which returns about a dozen different repos. Should AWS be encouraging people to use 3P libraries for something as important as signing requests?
I propose that botocore expose some functionality to attach SigV4 Auth to any request. I think this can be accomplished by adding a
def __call__(self, request)
method to the SigV4Auth class and I'd even be willing to implement and test this feature if the botocore team agrees that this feature is needed.I hacked together a way to perform the signing with the existing functionality, but it's pretty sloppy and requires building two requests in parallel then stripping the auth bits out of one so that we can send the other.
https://gist.github.com/rhboyd/1e01190a6b27ca4ba817bf272d5a5f9a
The text was updated successfully, but these errors were encountered: