|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183 |
- aws4
- ----
-
- [![Build Status](https://api.travis-ci.org/mhart/aws4.png?branch=master)](https://travis-ci.org/github/mhart/aws4)
-
- A small utility to sign vanilla Node.js http(s) request options using Amazon's
- [AWS Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html).
-
- If you want to sign and send AWS requests in a modern browser, or an environment like [Cloudflare Workers](https://developers.cloudflare.com/workers/), then check out [aws4fetch](https://github.com/mhart/aws4fetch) – otherwise you can also bundle this library for use [in older browsers](./browser).
-
- The only AWS service that *doesn't* support v4 as of 2020-05-22 is
- [SimpleDB](https://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API.html)
- (it only supports [AWS Signature Version 2](https://github.com/mhart/aws2)).
-
- It also provides defaults for a number of core AWS headers and
- request parameters, making it very easy to query AWS services, or
- build out a fully-featured AWS library.
-
- Example
- -------
-
- ```javascript
- var https = require('https')
- var aws4 = require('aws4')
-
- // to illustrate usage, we'll create a utility function to request and pipe to stdout
- function request(opts) { https.request(opts, function(res) { res.pipe(process.stdout) }).end(opts.body || '') }
-
- // aws4 will sign an options object as you'd pass to http.request, with an AWS service and region
- var opts = { host: 'my-bucket.s3.us-west-1.amazonaws.com', path: '/my-object', service: 's3', region: 'us-west-1' }
-
- // aws4.sign() will sign and modify these options, ready to pass to http.request
- aws4.sign(opts, { accessKeyId: '', secretAccessKey: '' })
-
- // or it can get credentials from process.env.AWS_ACCESS_KEY_ID, etc
- aws4.sign(opts)
-
- // for most AWS services, aws4 can figure out the service and region if you pass a host
- opts = { host: 'my-bucket.s3.us-west-1.amazonaws.com', path: '/my-object' }
-
- // usually it will add/modify request headers, but you can also sign the query:
- opts = { host: 'my-bucket.s3.amazonaws.com', path: '/?X-Amz-Expires=12345', signQuery: true }
-
- // and for services with simple hosts, aws4 can infer the host from service and region:
- opts = { service: 'sqs', region: 'us-east-1', path: '/?Action=ListQueues' }
-
- // and if you're using us-east-1, it's the default:
- opts = { service: 'sqs', path: '/?Action=ListQueues' }
-
- aws4.sign(opts)
- console.log(opts)
- /*
- {
- host: 'sqs.us-east-1.amazonaws.com',
- path: '/?Action=ListQueues',
- headers: {
- Host: 'sqs.us-east-1.amazonaws.com',
- 'X-Amz-Date': '20121226T061030Z',
- Authorization: 'AWS4-HMAC-SHA256 Credential=ABCDEF/20121226/us-east-1/sqs/aws4_request, ...'
- }
- }
- */
-
- // we can now use this to query AWS
- request(opts)
- /*
- <?xml version="1.0"?>
- <ListQueuesResponse xmlns="https://queue.amazonaws.com/doc/2012-11-05/">
- ...
- */
-
- // aws4 can infer the HTTP method if a body is passed in
- // method will be POST and Content-Type: 'application/x-www-form-urlencoded; charset=utf-8'
- request(aws4.sign({ service: 'iam', body: 'Action=ListGroups&Version=2010-05-08' }))
- /*
- <ListGroupsResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
- ...
- */
-
- // you can specify any custom option or header as per usual
- request(aws4.sign({
- service: 'dynamodb',
- region: 'ap-southeast-2',
- method: 'POST',
- path: '/',
- headers: {
- 'Content-Type': 'application/x-amz-json-1.0',
- 'X-Amz-Target': 'DynamoDB_20120810.ListTables'
- },
- body: '{}'
- }))
- /*
- {"TableNames":[]}
- ...
- */
-
- // The raw RequestSigner can be used to generate CodeCommit Git passwords
- var signer = new aws4.RequestSigner({
- service: 'codecommit',
- host: 'git-codecommit.us-east-1.amazonaws.com',
- method: 'GIT',
- path: '/v1/repos/MyAwesomeRepo',
- })
- var password = signer.getDateTime() + 'Z' + signer.signature()
-
- // see example.js for examples with other services
- ```
-
- API
- ---
-
- ### aws4.sign(requestOptions, [credentials])
-
- Calculates and populates any necessary AWS headers and/or request
- options on `requestOptions`. Returns `requestOptions` as a convenience for chaining.
-
- `requestOptions` is an object holding the same options that the Node.js
- [http.request](https://nodejs.org/docs/latest/api/http.html#http_http_request_options_callback)
- function takes.
-
- The following properties of `requestOptions` are used in the signing or
- populated if they don't already exist:
-
- - `hostname` or `host` (will try to be determined from `service` and `region` if not given)
- - `method` (will use `'GET'` if not given or `'POST'` if there is a `body`)
- - `path` (will use `'/'` if not given)
- - `body` (will use `''` if not given)
- - `service` (will try to be calculated from `hostname` or `host` if not given)
- - `region` (will try to be calculated from `hostname` or `host` or use `'us-east-1'` if not given)
- - `signQuery` (to sign the query instead of adding an `Authorization` header, defaults to false)
- - `headers['Host']` (will use `hostname` or `host` or be calculated if not given)
- - `headers['Content-Type']` (will use `'application/x-www-form-urlencoded; charset=utf-8'`
- if not given and there is a `body`)
- - `headers['Date']` (used to calculate the signature date if given, otherwise `new Date` is used)
-
- Your AWS credentials (which can be found in your
- [AWS console](https://portal.aws.amazon.com/gp/aws/securityCredentials))
- can be specified in one of two ways:
-
- - As the second argument, like this:
-
- ```javascript
- aws4.sign(requestOptions, {
- secretAccessKey: "<your-secret-access-key>",
- accessKeyId: "<your-access-key-id>",
- sessionToken: "<your-session-token>"
- })
- ```
-
- - From `process.env`, such as this:
-
- ```
- export AWS_ACCESS_KEY_ID="<your-access-key-id>"
- export AWS_SECRET_ACCESS_KEY="<your-secret-access-key>"
- export AWS_SESSION_TOKEN="<your-session-token>"
- ```
-
- (will also use `AWS_ACCESS_KEY` and `AWS_SECRET_KEY` if available)
-
- The `sessionToken` property and `AWS_SESSION_TOKEN` environment variable are optional for signing
- with [IAM STS temporary credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html).
-
- Installation
- ------------
-
- With [npm](https://www.npmjs.com/) do:
-
- ```
- npm install aws4
- ```
-
- Can also be used [in the browser](./browser).
-
- Thanks
- ------
-
- Thanks to [@jed](https://github.com/jed) for his
- [dynamo-client](https://github.com/jed/dynamo-client) lib where I first
- committed and subsequently extracted this code.
-
- Also thanks to the
- [official Node.js AWS SDK](https://github.com/aws/aws-sdk-js) for giving
- me a start on implementing the v4 signature.
|