Announcement: smithy-go now supports sigv4 and sigv4a #542
Comments
Hello @lucix-aws, I'm trying to take this library out for a spin, but the v4a version we require doesn't seem to work with IAM role-chaining, which is a pattern heavily used in my org. We have API Gateways with IAM authorization which require a v4 or v4a signature to work. I notice that if I use the first role in the chain, the request goes through. If I then use that role to assume a different role and then use the resulting credentials with this library, I get the following from my API Gateway.
The only notable difference that I've found is that the value of the request header Working Security Token:
Non-working Security Token:
All other parts of the request (host, path, body, method) are identical. The only difference is the credentials used to sign the request. Both roles have the ability to invoke the API Gateway. Would you be able to see if the v4a signatures generated from this library work with credentials obtained by IAM role-chaining?
I'm not an IAM/STS expert but my previous understanding was that yes, there are two types of session tokens. IAM docs seem to allude to this being the case. Whether that's indeed the difference you're seeing here, whether that's the cause of the signature failure, or why you'd get different types of tokens across chained roles, I don't know. Looking to confirm internally.
The 2024-09-25 release of smithy-go introduces a new standalone module, aws-http-auth, which provides APIs for SigV4 and SigV4a signing.
See aws/aws-sdk-go-v2#2812 for more details.