SigV4 sign arbitrary requests

See original GitHub issue

Botocore Sigv4 signs all AWS API Requests. It should expose the ability to sign arbitrary https requests.

API Gateway has an AWS_IAM auth mechanism and this results in needing to SigV4-sign HTTPS requests to domains not included in the usual Python SDK. As more databases (like Neptune) offer AWS IAM auth to manage database permissions, this problem will appear more frequently. The current “recommended” approach is to use a random third-party library named “aws-requests-auth” but that library isn’t maintained by AWS and I’d really like to avoid asking new devs to Google “AWS SigV4 Python”, which returns about a dozen different repos. Should AWS be encouraging people to use 3P libraries for something as important as signing requests?

I propose that botocore expose some functionality to attach SigV4 Auth to any request. I think this can be accomplished by adding a def __call__(self, request) method to the SigV4Auth class and I’d even be willing to implement and test this feature if the botocore team agrees that this feature is needed.

I hacked together a way to perform the signing with the existing functionality, but it’s pretty sloppy and requires building two requests in parallel then stripping the auth bits out of one so that we can send the other.

https://gist.github.com/rhboyd/1e01190a6b27ca4ba817bf272d5a5f9a

Issue Analytics

  • State: open
  • Created 4 years ago
  • Reactions: 41
  • Comments: 16 (1 by maintainers)

Top GitHub Comments

26 reactions
richardhboyd commented, Jul 16, 2020

I’ve discovered a cleaner way to do this lately

import json

import boto3
import requests
from botocore.auth import SigV4Auth
from botocore.awsrequest import AWSRequest

# Placeholder: set to the region of the endpoint being called
REGION = "us-east-1"

session = boto3.Session()
credentials = session.get_credentials()
creds = credentials.get_frozen_credentials()

def signed_request(method, url, data=None, params=None, headers=None):
    request = AWSRequest(method=method, url=url, data=data, params=params, headers=headers)
    # "service_name" is generally "execute-api" for signing API Gateway requests
    SigV4Auth(creds, "service_name", REGION).add_auth(request)
    # Send the same body and query parameters that were signed
    return requests.request(method=method, url=url, headers=dict(request.headers), data=data, params=params)

def main():
    # The URL needs a scheme; host and path here are placeholders
    url = "https://my.url.example.com/path"
    # Serialize once so the signed payload hash matches the bytes sent
    data = json.dumps({"environmentId": "my-environment-id"})
    headers = {'Content-Type': 'application/x-amz-json-1.1'}
    response = signed_request(method='POST', url=url, data=data, headers=headers)
    print(response.status_code)

if __name__ == "__main__":
    main()
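
Added example (not part of the issue thread and not botocore's code): a standard-library implementation of the SigV4 computation as AWS documents it, showing that the signature covers the method, path, query string, signed headers and a hash of the body, so the request handed to the HTTP client must be the one that was signed. It assumes no session token and an already-normalized path; the function names, key pair, timestamp and URL are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_headers(method, url, body, headers, access_key, secret_key,
                  region, service, amz_date):
    """Return headers plus X-Amz-Date and Authorization (body is bytes)."""
    parts = urlsplit(url)
    signed = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed.update({"host": parts.netloc, "x-amz-date": amz_date})
    names = ";".join(sorted(signed))
    # The query string is signed in sorted, percent-encoded form
    pairs = sorted((quote(k, safe="-_.~"), quote(v, safe="-_.~"))
                   for k, v in parse_qsl(parts.query, keep_blank_values=True))
    canonical = "\n".join([
        method.upper(),
        quote(parts.path or "/", safe="/-_.~"),
        "&".join(f"{k}={v}" for k, v in pairs),
        "".join(f"{k}:{signed[k]}\n" for k in sorted(signed)),
        names,
        hashlib.sha256(body).hexdigest(),  # the body is covered via its hash
    ])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # The signing key is derived from the secret per day, region and service
    key = ("AWS4" + secret_key).encode()
    for part in (amz_date[:8], region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    return {**headers, "X-Amz-Date": amz_date, "Authorization":
            f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={names}, Signature={signature}"}

def signature_of(signed_headers):
    return signed_headers["Authorization"].rsplit("Signature=", 1)[1]

if __name__ == "__main__":
    # Constructed inputs: placeholder key pair, fixed timestamp, sample URL
    args = dict(access_key="AKIDEXAMPLE", secret_key="constructed-secret",
                region="us-east-1", service="execute-api",
                amz_date="20150830T123600Z")
    hdrs = {"Content-Type": "application/x-amz-json-1.1"}
    url = "https://my.url.example.com/path?stage=dev"
    a = sigv4_headers("POST", url, b'{"environmentId": "e-1"}', hdrs, **args)
    b = sigv4_headers("POST", url, b'{"environmentId": "e-2"}', hdrs, **args)
    print(signature_of(a) != signature_of(b))  # a changed body changes the signature
```

A body or query string that differs between the signed request and the sent request produces a different signature on the server side, and the call is rejected.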

9 reactions
benkehoe commented, Jul 17, 2019

In my ideal world, this is available on the Session object, so I could do something like session = botocore.Session(); response = requests.get(url, auth=session.signer(service='execute-api')) or something similar. And then also made available on the boto3 Session object, so I don’t have to muck about getting the botocore session out of it.
