command module
Version: v0.1.0 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Jul 7, 2020 License: MIT Imports: 5 Imported by: 0



pipeline status coverage report go report Docker Pulls

Easily connect to secured AWS services like Elasticsearch via the aws-signing-proxy. Works both locally and in production.


Many secured AWS services require you to sign your requests via the AWS SDK. Many open source tools do not support this requirement. Additionally this makes it difficult to explore some of the APIs locally via well known tools, such as curl.

The aws-signing-proxy solves this issue, by acting as a forward- or reverse proxy, that will sign all requests passing through with IAM credentials.


Choose one of the following installation options:

Afterwards your are ready to connect to secured services via the proxy.

Forward Proxy Mode

By default aws-signing-proxy will run in forward proxy mode:

❯ ./aws-signing-proxy --service es --region eu-central-1
INFO[0000] listening for incoming requests on localhost:9090 
INFO[0038] proxy request served                          code=200 durationTotalMS=397 method=GET sizeBytes=128 src="" url="" userAgent=curl/7.64.1

The proxy will then sign request with the AWS credentials discovered via the default credential provider chain.

You can now set this proxy in any tool and the requests will get signed automatically:

curl -x http://localhost:9090
green open test      rx8bP2qKTt-O7qvaJQUamA 5 1 0 0 2.7kb 1.3kb

To increase the usability, you can also simply set the http_proxy environment variable via export http_proxy=http://localhost:9090 and use supported tools like curl as usual.

⚠️ keep in mind that while aws-signing-proxy only handles incoming plain HTTP calls, it will always connect to the outside via HTTPS / TLS by default. Check the CLI options for more details.

Reverse Proxy Mode

When specifying a --target option, aws-signing-proxy operates in reverse-proxy mode.

In this mode, all requests directed at the proxy will get proxied to the specified target. This can be useful for certain tools that do not support the usual HTTP_PROXY environment variables, or configuring forward proxies in general.

./aws-signing-proxy --target https//
INFO[0000] listening for incoming requests on localhost:9090 
INFO[0000] running in [reverse proxy mode], as --target https// configured, 
INFO[0005] proxy request served                          code=200 durationTotalMS=413 host="localhost:9090" method=GET sizeBytes=94 src="" url=/_cat/health userAgent=curl/7.64.1

You can now send requests directly to the proxy and the requests will get proxies transparently to the target:

curl localhost:9090/_cat/health           
1594150363 19:32:43 810640839231:test green 2 2 true 12 6 0 0 0 0 - 100.0%
Installing via Homebrew

aws-signing-proxy can be installed via Homebrew on MacOS via these simple steps:

brew tap msvechla/aws-signing-proxy
brew install msvechla/aws-signing-proxy/aws-signing-proxy
Running in Docker

You can run aws-signing-proxy in Docker as well, by either mounting your AWS credentials or exposing the AWS environment variables:

  • mounting AWS credentials:
docker run -it -v $HOME/.aws/credentials:/home/app/.aws/credentials -p 9090:9090 msvechla/aws-signing-proxy --host  --service es --region eu-central-1
curl -x http://localhost:9090
  • using environment variables:
docker run -it -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -p 9090:9090 msvechla/aws-signing-proxy --host  --service es --region eu-central-1
curl -x http://localhost:9090
Building from Source

The latest release can be built from source by following these instructions:

git clone
cd aws-signing-proxy
go build .

Configuration Options

aws-signing-proxy has the following configuration options:

   --host value                 host the proxy should listen on (default: "localhost") [$HOST]
   --port value                 port the proxy should listen on (default: 9090) [$PORT]
   --service value              AWS service the requests should be signed for (default: "es") [$SERVICE]
   --target value               if set, aws-signing-proxy will act as a reverse proxy and rewrite requests to the specified target in the form of: proto://host:port [$TARGET]
   --region value               AWS region the requests should be signed for (default: "eu-central-1") [$REGION]
   --disable-https-rewrite      when set, disables the default behaviour of the proxy to re-write every http request to https before connecting to the target (default: false) [$DISABLE_HTTPS_REWRITE]
   --disable-credentials-check  when set, disables the verification of the supplied AWS credentials during startup (default: false) [$DISABLE_CREDENTIALS_CHECK]
   --help, -h                   show help (default: false)
   --version, -v                print the version (default: false)


Please read for details on our code of conduct, and the process for submitting pull requests to us.


We use SemVer for versioning. For the versions available, see the tags on this repository or take a look at the


  • Marius Svechla - Initial work

See also the list of contributors who participated in this project.


MIT License
Copyright (c) 2020 Marius Svechla


The Go Gopher

There is no documentation for this package.

Source Files


Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
t or T : Toggle theme light dark auto
y or Y : Canonical URL