aws_request_signingv3

package
v1.36.10-2025120520573... Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: unknown License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	AwsRequestSigning_SigningAlgorithm_name = map[int32]string{
		0: "AWS_SIGV4",
		1: "AWS_SIGV4A",
	}
	AwsRequestSigning_SigningAlgorithm_value = map[string]int32{
		"AWS_SIGV4":  0,
		"AWS_SIGV4A": 1,
	}
)

Enum value maps for AwsRequestSigning_SigningAlgorithm.

View Source 
var File_envoy_extensions_filters_http_aws_request_signing_v3_aws_request_signing_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type AwsRequestSigning 

type AwsRequestSigning struct {

	// The `service namespace
	// <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces>`_
	// of the HTTP endpoint.
	//
	// Example: s3
	ServiceName string `protobuf:"bytes,1,opt,name=service_name,json=serviceName,proto3" json:"service_name,omitempty"`
	// Optional region string. If region is not provided, the region will be retrieved from the environment
	// or AWS configuration files. See :ref:`config_http_filters_aws_request_signing_region` for more details.
	//
	// When signing_algorithm is set to “AWS_SIGV4“ the region is a standard AWS `region <https://docs.aws.amazon.com/general/latest/gr/rande.html>`_ string for the service
	// hosting the HTTP endpoint.
	//
	// Example: us-west-2
	//
	// When signing_algorithm is set to “AWS_SIGV4A“ the region is used as a region set.
	//
	// A region set is a comma separated list of AWS regions, such as “us-east-1,us-east-2“ or wildcard “*“
	// or even region strings containing wildcards such as “us-east-*“
	//
	// Example: '*'
	//
	// By configuring a region set, a SigV4A signed request can be sent to multiple regions, rather than being
	// valid for only a single region destination.
	Region string `protobuf:"bytes,2,opt,name=region,proto3" json:"region,omitempty"`
	// Indicates that before signing headers, the host header will be swapped with
	// this value. If not set or empty, the original host header value
	// will be used and no rewrite will happen.
	//
	// Note: this rewrite affects both signing and host header forwarding. However, this
	// option shouldn't be used with
	// :ref:`HCM host rewrite <envoy_v3_api_field_config.route.v3.RouteAction.host_rewrite_literal>` given that the
	// value set here would be used for signing whereas the value set in the HCM would be used
	// for host header forwarding which is not the desired outcome.
	HostRewrite string `protobuf:"bytes,3,opt,name=host_rewrite,json=hostRewrite,proto3" json:"host_rewrite,omitempty"`
	// Instead of buffering the request to calculate the payload hash, use the literal string “UNSIGNED-PAYLOAD“
	// to calculate the payload hash. Not all services support this option. See the `S3
	// <https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html>`_ policy for details.
	UseUnsignedPayload bool `protobuf:"varint,4,opt,name=use_unsigned_payload,json=useUnsignedPayload,proto3" json:"use_unsigned_payload,omitempty"`
	// A list of request header string matchers that will be excluded from signing. The excluded header can be matched by
	// any patterns defined in the StringMatcher proto (e.g. exact string, prefix, regex, etc).
	//
	// Example:
	// match_excluded_headers:
	// - prefix: x-envoy
	// - exact: foo
	// - exact: bar
	// When applied, all headers that start with "x-envoy" and headers "foo" and "bar" will not be signed.
	MatchExcludedHeaders []*v3.StringMatcher `protobuf:"bytes,5,rep,name=match_excluded_headers,json=matchExcludedHeaders,proto3" json:"match_excluded_headers,omitempty"`
	// Optional Signing algorithm specifier, either “AWS_SIGV4“ or “AWS_SIGV4A“, defaulting to “AWS_SIGV4“.
	SigningAlgorithm AwsRequestSigning_SigningAlgorithm `` /* 203-byte string literal not displayed */
	// If set, use the query string to store output of SigV4 or SigV4A calculation, rather than HTTP headers. The “Authorization“ header will not be modified if “query_string“
	// is configured.
	//
	// Example:
	// query_string: {}
	QueryString *AwsRequestSigning_QueryString `protobuf:"bytes,7,opt,name=query_string,json=queryString,proto3" json:"query_string,omitempty"`
	// The credential provider for signing the request. This is optional and if not set,
	// it will be retrieved using the procedure described in :ref:`config_http_filters_aws_request_signing`.
	CredentialProvider *v31.AwsCredentialProvider `protobuf:"bytes,8,opt,name=credential_provider,json=credentialProvider,proto3" json:"credential_provider,omitempty"`
	// contains filtered or unexported fields
}

Top level configuration for the AWS request signing filter. [#next-free-field: 9]

func (*AwsRequestSigning) ClearCredentialProvider 

func (x *AwsRequestSigning) ClearCredentialProvider()

func (*AwsRequestSigning) ClearQueryString 

func (x *AwsRequestSigning) ClearQueryString()

func (*AwsRequestSigning) GetCredentialProvider 

func (x *AwsRequestSigning) GetCredentialProvider() *v31.AwsCredentialProvider

func (*AwsRequestSigning) GetHostRewrite 

func (x *AwsRequestSigning) GetHostRewrite() string

func (*AwsRequestSigning) GetMatchExcludedHeaders 

func (x *AwsRequestSigning) GetMatchExcludedHeaders() []*v3.StringMatcher

func (*AwsRequestSigning) GetQueryString 

func (x *AwsRequestSigning) GetQueryString() *AwsRequestSigning_QueryString

func (*AwsRequestSigning) GetRegion 

func (x *AwsRequestSigning) GetRegion() string

func (*AwsRequestSigning) GetServiceName 

func (x *AwsRequestSigning) GetServiceName() string

func (*AwsRequestSigning) GetSigningAlgorithm 

func (x *AwsRequestSigning) GetSigningAlgorithm() AwsRequestSigning_SigningAlgorithm

func (*AwsRequestSigning) GetUseUnsignedPayload 

func (x *AwsRequestSigning) GetUseUnsignedPayload() bool

func (*AwsRequestSigning) HasCredentialProvider 

func (x *AwsRequestSigning) HasCredentialProvider() bool

func (*AwsRequestSigning) HasQueryString 

func (x *AwsRequestSigning) HasQueryString() bool

func (*AwsRequestSigning) ProtoMessage 

func (*AwsRequestSigning) ProtoMessage()

func (*AwsRequestSigning) ProtoReflect 

func (x *AwsRequestSigning) ProtoReflect() protoreflect.Message

func (*AwsRequestSigning) Reset 

func (x *AwsRequestSigning) Reset()

func (*AwsRequestSigning) SetCredentialProvider 

func (x *AwsRequestSigning) SetCredentialProvider(v *v31.AwsCredentialProvider)

func (*AwsRequestSigning) SetHostRewrite 

func (x *AwsRequestSigning) SetHostRewrite(v string)

func (*AwsRequestSigning) SetMatchExcludedHeaders 

func (x *AwsRequestSigning) SetMatchExcludedHeaders(v []*v3.StringMatcher)

func (*AwsRequestSigning) SetQueryString 

func (x *AwsRequestSigning) SetQueryString(v *AwsRequestSigning_QueryString)

func (*AwsRequestSigning) SetRegion 

func (x *AwsRequestSigning) SetRegion(v string)

func (*AwsRequestSigning) SetServiceName 

func (x *AwsRequestSigning) SetServiceName(v string)

func (*AwsRequestSigning) SetSigningAlgorithm 

func (x *AwsRequestSigning) SetSigningAlgorithm(v AwsRequestSigning_SigningAlgorithm)

func (*AwsRequestSigning) SetUseUnsignedPayload 

func (x *AwsRequestSigning) SetUseUnsignedPayload(v bool)

func (*AwsRequestSigning) String 

func (x *AwsRequestSigning) String() string

type AwsRequestSigningPerRoute 

type AwsRequestSigningPerRoute struct {

	// Override the global configuration of the filter with this new config.
	// This overrides the entire message of AwsRequestSigning and not at field level.
	AwsRequestSigning *AwsRequestSigning `protobuf:"bytes,1,opt,name=aws_request_signing,json=awsRequestSigning,proto3" json:"aws_request_signing,omitempty"`
	// The human readable prefix to use when emitting stats.
	StatPrefix string `protobuf:"bytes,2,opt,name=stat_prefix,json=statPrefix,proto3" json:"stat_prefix,omitempty"`
	// contains filtered or unexported fields
}

func (*AwsRequestSigningPerRoute) ClearAwsRequestSigning 

func (x *AwsRequestSigningPerRoute) ClearAwsRequestSigning()

func (*AwsRequestSigningPerRoute) GetAwsRequestSigning 

func (x *AwsRequestSigningPerRoute) GetAwsRequestSigning() *AwsRequestSigning

func (*AwsRequestSigningPerRoute) GetStatPrefix 

func (x *AwsRequestSigningPerRoute) GetStatPrefix() string

func (*AwsRequestSigningPerRoute) HasAwsRequestSigning 

func (x *AwsRequestSigningPerRoute) HasAwsRequestSigning() bool

func (*AwsRequestSigningPerRoute) ProtoMessage 

func (*AwsRequestSigningPerRoute) ProtoMessage()

func (*AwsRequestSigningPerRoute) ProtoReflect 

func (x *AwsRequestSigningPerRoute) ProtoReflect() protoreflect.Message

func (*AwsRequestSigningPerRoute) Reset 

func (x *AwsRequestSigningPerRoute) Reset()

func (*AwsRequestSigningPerRoute) SetAwsRequestSigning 

func (x *AwsRequestSigningPerRoute) SetAwsRequestSigning(v *AwsRequestSigning)

func (*AwsRequestSigningPerRoute) SetStatPrefix 

func (x *AwsRequestSigningPerRoute) SetStatPrefix(v string)

func (*AwsRequestSigningPerRoute) String 

func (x *AwsRequestSigningPerRoute) String() string

type AwsRequestSigningPerRoute_builder 

type AwsRequestSigningPerRoute_builder struct {

	// Override the global configuration of the filter with this new config.
	// This overrides the entire message of AwsRequestSigning and not at field level.
	AwsRequestSigning *AwsRequestSigning
	// The human readable prefix to use when emitting stats.
	StatPrefix string
	// contains filtered or unexported fields
}

func (AwsRequestSigningPerRoute_builder) Build 

func (b0 AwsRequestSigningPerRoute_builder) Build() *AwsRequestSigningPerRoute

type AwsRequestSigning_QueryString 

type AwsRequestSigning_QueryString struct {

	// Optional expiration time for the query string parameters. As query string parameter based requests are replayable, in effect representing
	// an API call that has already been authenticated, it is recommended to keep this expiration time as short as feasible.
	// This value will default to 5 seconds and has a maximum value of 3600 seconds (1 hour).
	ExpirationTime *durationpb.Duration `protobuf:"bytes,1,opt,name=expiration_time,json=expirationTime,proto3" json:"expiration_time,omitempty"`
	// contains filtered or unexported fields
}

func (*AwsRequestSigning_QueryString) ClearExpirationTime 

func (x *AwsRequestSigning_QueryString) ClearExpirationTime()

func (*AwsRequestSigning_QueryString) GetExpirationTime 

func (x *AwsRequestSigning_QueryString) GetExpirationTime() *durationpb.Duration

func (*AwsRequestSigning_QueryString) HasExpirationTime 

func (x *AwsRequestSigning_QueryString) HasExpirationTime() bool

func (*AwsRequestSigning_QueryString) ProtoMessage 

func (*AwsRequestSigning_QueryString) ProtoMessage()

func (*AwsRequestSigning_QueryString) ProtoReflect 

func (x *AwsRequestSigning_QueryString) ProtoReflect() protoreflect.Message

func (*AwsRequestSigning_QueryString) Reset 

func (x *AwsRequestSigning_QueryString) Reset()

func (*AwsRequestSigning_QueryString) SetExpirationTime 

func (x *AwsRequestSigning_QueryString) SetExpirationTime(v *durationpb.Duration)

func (*AwsRequestSigning_QueryString) String 

func (x *AwsRequestSigning_QueryString) String() string

type AwsRequestSigning_QueryString_builder 

type AwsRequestSigning_QueryString_builder struct {

	// Optional expiration time for the query string parameters. As query string parameter based requests are replayable, in effect representing
	// an API call that has already been authenticated, it is recommended to keep this expiration time as short as feasible.
	// This value will default to 5 seconds and has a maximum value of 3600 seconds (1 hour).
	ExpirationTime *durationpb.Duration
	// contains filtered or unexported fields
}

func (AwsRequestSigning_QueryString_builder) Build 

func (b0 AwsRequestSigning_QueryString_builder) Build() *AwsRequestSigning_QueryString

type AwsRequestSigning_SigningAlgorithm 

type AwsRequestSigning_SigningAlgorithm int32
const (
	// Use SigV4 for signing
	AwsRequestSigning_AWS_SIGV4 AwsRequestSigning_SigningAlgorithm = 0
	// Use SigV4A for signing
	AwsRequestSigning_AWS_SIGV4A AwsRequestSigning_SigningAlgorithm = 1
)

func (AwsRequestSigning_SigningAlgorithm) Descriptor 

func (AwsRequestSigning_SigningAlgorithm) Descriptor() protoreflect.EnumDescriptor

func (AwsRequestSigning_SigningAlgorithm) Enum 

func (x AwsRequestSigning_SigningAlgorithm) Enum() *AwsRequestSigning_SigningAlgorithm

func (AwsRequestSigning_SigningAlgorithm) Number 

func (x AwsRequestSigning_SigningAlgorithm) Number() protoreflect.EnumNumber

func (AwsRequestSigning_SigningAlgorithm) String 

func (x AwsRequestSigning_SigningAlgorithm) String() string

func (AwsRequestSigning_SigningAlgorithm) Type 

func (AwsRequestSigning_SigningAlgorithm) Type() protoreflect.EnumType

type AwsRequestSigning_builder 

type AwsRequestSigning_builder struct {

	// The `service namespace
	// <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces>`_
	// of the HTTP endpoint.
	//
	// Example: s3
	ServiceName string
	// Optional region string. If region is not provided, the region will be retrieved from the environment
	// or AWS configuration files. See :ref:`config_http_filters_aws_request_signing_region` for more details.
	//
	// When signing_algorithm is set to “AWS_SIGV4“ the region is a standard AWS `region <https://docs.aws.amazon.com/general/latest/gr/rande.html>`_ string for the service
	// hosting the HTTP endpoint.
	//
	// Example: us-west-2
	//
	// When signing_algorithm is set to “AWS_SIGV4A“ the region is used as a region set.
	//
	// A region set is a comma separated list of AWS regions, such as “us-east-1,us-east-2“ or wildcard “*“
	// or even region strings containing wildcards such as “us-east-*“
	//
	// Example: '*'
	//
	// By configuring a region set, a SigV4A signed request can be sent to multiple regions, rather than being
	// valid for only a single region destination.
	Region string
	// Indicates that before signing headers, the host header will be swapped with
	// this value. If not set or empty, the original host header value
	// will be used and no rewrite will happen.
	//
	// Note: this rewrite affects both signing and host header forwarding. However, this
	// option shouldn't be used with
	// :ref:`HCM host rewrite <envoy_v3_api_field_config.route.v3.RouteAction.host_rewrite_literal>` given that the
	// value set here would be used for signing whereas the value set in the HCM would be used
	// for host header forwarding which is not the desired outcome.
	HostRewrite string
	// Instead of buffering the request to calculate the payload hash, use the literal string “UNSIGNED-PAYLOAD“
	// to calculate the payload hash. Not all services support this option. See the `S3
	// <https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html>`_ policy for details.
	UseUnsignedPayload bool
	// A list of request header string matchers that will be excluded from signing. The excluded header can be matched by
	// any patterns defined in the StringMatcher proto (e.g. exact string, prefix, regex, etc).
	//
	// Example:
	// match_excluded_headers:
	// - prefix: x-envoy
	// - exact: foo
	// - exact: bar
	// When applied, all headers that start with "x-envoy" and headers "foo" and "bar" will not be signed.
	MatchExcludedHeaders []*v3.StringMatcher
	// Optional Signing algorithm specifier, either “AWS_SIGV4“ or “AWS_SIGV4A“, defaulting to “AWS_SIGV4“.
	SigningAlgorithm AwsRequestSigning_SigningAlgorithm
	// If set, use the query string to store output of SigV4 or SigV4A calculation, rather than HTTP headers. The “Authorization“ header will not be modified if “query_string“
	// is configured.
	//
	// Example:
	// query_string: {}
	QueryString *AwsRequestSigning_QueryString
	// The credential provider for signing the request. This is optional and if not set,
	// it will be retrieved using the procedure described in :ref:`config_http_filters_aws_request_signing`.
	CredentialProvider *v31.AwsCredentialProvider
	// contains filtered or unexported fields
}

func (AwsRequestSigning_builder) Build 

func (b0 AwsRequestSigning_builder) Build() *AwsRequestSigning

Source Files

  • aws_request_signing.pb.go

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.