Public API for URL signing? #999
Comments
Thanks for the question. Can you share more information about the specific SDK operation you're trying to create a presigned URL for? You're correct that we don't expose pre-signing capabilities and instead generate them for a few specific services. We may be able to add it for API Gateway depending on the use case.
My use case is, I believe, very similar to the SO answer. I want to sign a In my case it will be from the JVM, most likely using OkHttp as the client implementation. Current best looking workaround I think will be using the
Hi and sorry for the delay in our response. This is already somewhat possible with the Kotlin SDK, here is an example. You will need to

```kotlin
val signer = DefaultAwsSigner
val parsedUrl = Url.parse("wss://$API_ID.execute-api.$REGION.amazonaws.com/$STAGE")
val req = HttpRequest(method = HttpMethod.GET, url = parsedUrl)
val credentialsProvider = // your AWS credentials provider
val signingConfig = AwsSigningConfig {
    algorithm = AwsSigningAlgorithm.SIGV4
    signatureType = AwsSignatureType.HTTP_REQUEST_VIA_QUERY_PARAMS
    credentials = credentialsProvider.resolve()
    region = "us-west-2"
    service = "execute-api"
}
val signedUrl = signer.sign(req, signingConfig).output.url
// use signedUrl as needed...
```

What sort of things would you like to see changed to make it easier to sign URLs?
There are a few AWS services, such as Lambda function URLs, that aren't an AWS SDK call - they're an HTTPS endpoint that requires SigV4 for AWS_IAM auth. Struggling to see how to use the Kotlin AWS SDK for this - it isn't a general-purpose "HTTP Client". It's often preferable to use other HTTP clients to make those REST/HTTPS/whatever requests (there are many other non-SDK considerations - marshalling request/response payloads, etc.) - but the sensitive logic on signing is baked into the SDK code and assumes that the request will be made by the SDK HTTP client. One could, of course, re-implement the signing logic, though that seems fragile and not an effective use of time when it already exists(ish). Perhaps the signing logic could be decoupled from the HttpRequest such that it can be used elsewhere?
I think After signing, if you don't want to use our SDK's HTTP client to complete the request, you can convert the request to your desired HTTP client's request type. Do you have a different idea of what a decoupled signer would look like? What should it take as input?
A few thoughts now that we managed to make this work:
A documentation page on patterns for manually signing requests, e.g. Lambda function URLs etc., would go a long way here.
@cloudshiftchris Thanks for the detailed feedback. We've added some backlog tasks to clean up the documentation and improve functionality when using the signer standalone.
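
To show what a query-parameter SigV4 signature on a `wss` URL consists of, here is an added example that is not code from this thread or from the SDK: a JDK-only computation of a presigned URL for the `execute-api` service. The function name `presignWssUrl`, the host and the credentials in `main` are constructed for illustration; it assumes the default port, no existing query string and a path that needs no percent-encoding.

```kotlin
import java.net.URI
import java.net.URLEncoder
import java.security.MessageDigest
import java.time.Instant
import java.time.ZoneOffset
import java.time.format.DateTimeFormatter
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec

private fun hex(b: ByteArray) = b.joinToString("") { "%02x".format(it) }
private fun sha256Hex(s: String) = hex(MessageDigest.getInstance("SHA-256").digest(s.toByteArray()))
private fun hmac(key: ByteArray, msg: String): ByteArray =
    Mac.getInstance("HmacSHA256").apply { init(SecretKeySpec(key, "HmacSHA256")) }.doFinal(msg.toByteArray())

// SigV4 wants RFC 3986 encoding; URLEncoder does form encoding, so patch the differences.
private fun enc(s: String) = URLEncoder.encode(s, "UTF-8")
    .replace("+", "%20").replace("*", "%2A").replace("%7E", "~")

// Hypothetical helper (not an SDK API): presign a GET/upgrade request to an API Gateway WebSocket URL.
fun presignWssUrl(
    url: String, region: String, accessKeyId: String, secretKey: String,
    sessionToken: String? = null, expiresSeconds: Int = 300, now: Instant = Instant.now(),
): String {
    val uri = URI(url)
    val amzDate = DateTimeFormatter.ofPattern("yyyyMMdd'T'HHmmss'Z'").withZone(ZoneOffset.UTC).format(now)
    val date = amzDate.substring(0, 8)
    val scope = "$date/$region/execute-api/aws4_request"

    val params = sortedMapOf(
        "X-Amz-Algorithm" to "AWS4-HMAC-SHA256",
        "X-Amz-Credential" to "$accessKeyId/$scope",
        "X-Amz-Date" to amzDate,
        "X-Amz-Expires" to expiresSeconds.toString(),
        "X-Amz-SignedHeaders" to "host",
    )
    if (sessionToken != null) params["X-Amz-Security-Token"] = sessionToken // temporary credentials
    val query = params.entries.joinToString("&") { "${enc(it.key)}=${enc(it.value)}" }

    val path = uri.rawPath.ifEmpty { "/" }
    val canonicalRequest = listOf("GET", path, query, "host:${uri.host}\n", "host", sha256Hex("")).joinToString("\n")
    val stringToSign = listOf("AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)).joinToString("\n")

    // Signing key: HMAC chain over date, region, service and the fixed terminator.
    val signingKey = listOf(date, region, "execute-api", "aws4_request")
        .fold("AWS4$secretKey".toByteArray()) { k, part -> hmac(k, part) }
    return "${uri.scheme}://${uri.host}$path?$query&X-Amz-Signature=${hex(hmac(signingKey, stringToSign))}"
}

// Constructed host and credentials, for illustration only.
fun main() = println(presignWssUrl("wss://abc123.execute-api.us-west-2.amazonaws.com/prod", "us-west-2", "AKIDEXAMPLE", "constructed-secret"))
```

The signature covers the host, path, expiry and credential scope, so the URL is only valid for that endpoint until `X-Amz-Expires` elapses; keep the expiry short and treat the full URL as a bearer credential in logs.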
Describe the issue
Currently trying to build an ApiGateway websocket driven app that is using IAM for auth and need a way to sign a `wss` URL in order to connect.
Steps to Reproduce
This SO answer gives a good description of what I am wanting to achieve.
Current behavior
All of the signing details are buried in the Smithy SDK as an implementation detail of the things that provide pre-signing options. (IE: S3)
AWS Kotlin SDK version used
0.29.0-beta
Platform (JVM/JS/Native)
JVM
Operating System and version
N/A