awsauth

package module
v0.0.0-...-e222847 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 23, 2018 License: MIT Imports: 19 Imported by: 0

README

go-aws-auth

GoDoc

Go-AWS-Auth is a comprehensive, lightweight library for signing requests to Amazon Web Services.

It's easy to use: simply build your HTTP request and call awsauth.Sign(req) before sending your request over the wire.

Supported signing mechanisms

For more info about AWS authentication, see the comprehensive docs at AWS.

Install

Go get it:

$ go get github.com/opencoff/go-aws-auth

Then import it:

import "github.com/opencoff/go-aws-auth"
Using your AWS Credentials

The library looks for credentials in this order:

  1. Hard-code: You can manually pass in an instance of awsauth.Credentials to any call to a signing function as a second argument:

    awsauth.Sign(req, awsauth.Credentials{
	AccessKeyID: "Access Key ID", 
	SecretAccessKey: "Secret Access Key",
	SecurityToken: "Security Token",	// STS (optional)
})

  2. Environment variables: Set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables with your credentials. The library will automatically detect and use them. Optionally, you may also set the AWS_SECURITY_TOKEN environment variable if you are using temporary credentials from STS.

  3. IAM Role: If running on EC2 and the credentials are neither hard-coded nor in the environment, go-aws-auth will detect the first IAM role assigned to the current EC2 instance and use those credentials.

(Be especially careful hard-coding credentials into your application if the code is committed to source control.)

Signing requests

Just make the request, have it signed, and perform the request as you normally would.

url := "https://iam.amazonaws.com/?Action=ListRoles&Version=2010-05-08"
client := new(http.Client)

req, err := http.NewRequest("GET", url, nil)

awsauth.Sign(req)  // Automatically chooses the best signing mechanism for the service

resp, err := client.Do(req)
Pre-Signing URLs

Prepare information required for the presigned URL and call SignURL():


presign := &Presign{
            Method: "GET",
            SignedHeaders: make(http.Header),
            ContentSHA256: "",
            Date: time.Now().UTC(),
            Expires: 86400 * time.Second,
}

u := &url.URL{
        Host: "mybucket.s3.amazonaws.com",
        Path: "/folder/object.txt",
        Scheme: "https",
}

    u, sign := awsauth.SignURL(presign, u, awsauth.Credential{
                        AccessKeyID: "my Access key id",
                        SecretAccessKey: "my secret access key",
    })

    // use u.Encode() as the pre-signed URL.

You can use Sign to have the library choose the best signing algorithm depending on the service, or you can specify it manually if you know what you need:

  • Sign2
  • Sign3
  • Sign4
  • SignS3 (deprecated for Sign4)
  • SignS3Url (for pre-signed S3 URLs; GETs only)
Contributing

Please feel free to contribute! Bug fixes are more than welcome any time, as long as tests assert correct behavior. If you'd like to change an existing implementation or see a new feature, open an issue first so we can discuss it. Thanks to all contributors!

Documentation

Overview

Package awsauth implements AWS request signing using Signed Signature Version 2, Signed Signature Version 3, and Signed Signature Version 4. Supports S3 and STS.

sign4url.go - AWS V4 Presigned URL

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Sign 

func Sign(request *http.Request, credentials ...Credentials) *http.Request

Sign signs a request bound for AWS. It automatically chooses the best authentication scheme based on the service the request is going to.

func Sign2 

func Sign2(request *http.Request, credentials ...Credentials) *http.Request

Sign2 signs a request with Signed Signature Version 2. If the service you're accessing supports Version 4, use that instead.

func Sign3 

func Sign3(request *http.Request, credentials ...Credentials) *http.Request

Sign3 signs a request with Signed Signature Version 3. If the service you're accessing supports Version 4, use that instead.

func Sign4 

func Sign4(request *http.Request, credentials ...Credentials) *http.Request

Sign4 signs a request with Signed Signature Version 4.

func Sign4URL 

func Sign4URL(ps *Presign, u *url.URL, c ...Credentials) (*url.URL, string)

Sign4URL pre-signs a URL with signature version 4

func SignS3 

func SignS3(request *http.Request, credentials ...Credentials) *http.Request

SignS3 signs a request bound for Amazon S3 using their custom HTTP authentication scheme.

func SignS3Url 

func SignS3Url(request *http.Request, expire time.Time, credentials ...Credentials) *http.Request

SignS3Url signs a GET request for a resource on Amazon S3 by appending query string parameters containing credentials and signature. You must specify an expiration date for these signed requests. After that date, a request signed with this method will be rejected by S3.

func SignURL 

func SignURL(ps *Presign, u *url.URL, c ...Credentials) (*url.URL, string)

SignURL pre-signs a URL with version 4 scheme and returns a new URL

Types

type Credentials 

type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SecurityToken   string `json:"Token"`
	Expiration      time.Time
}

Credentials stores the information necessary to authorize with AWS and it is from this information that requests are signed.

type Presign 

type Presign struct {
	Method        string
	SignedHeaders http.Header
	ContentSHA256 string
	Date          time.Time
	Expires       time.Duration
}

Presign provides information necessary to pre-sign URLs with version 4 scheme

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.