├── .github └── workflows │ └── pythonpublish.yml ├── .gitignore ├── LICENSE ├── Makefile ├── README.md ├── requests_auth_aws_sigv4 ├── __init__.py └── __main__.py ├── setup.cfg ├── setup.py └── tests ├── __init__.py ├── conftest.py ├── requirements.txt ├── test_init.py └── test_main.py /.github/workflows/pythonpublish.yml: -------------------------------------------------------------------------------- 1 | # This workflows will upload a Python Package using Twine when a release is created 2 | # For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries 3 | 4 | name: Upload Python Package 5 | 6 | on: 7 | release: 8 | types: [created] 9 | 10 | jobs: 11 | deploy: 12 | 13 | runs-on: ubuntu-latest 14 | 15 | steps: 16 | - uses: actions/checkout@v2 17 | - name: Set up Python 18 | uses: actions/setup-python@v1 19 | with: 20 | python-version: '3.x' 21 | - name: Install dependencies 22 | run: | 23 | python -m pip install --upgrade pip 24 | pip install setuptools wheel twine 25 | - name: Build and publish 26 | env: 27 | TWINE_USERNAME: '__token__' 28 | TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }} 29 | run: | 30 | python setup.py sdist bdist_wheel 31 | twine upload dist/* 32 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | *$py.class 5 | 6 | # C extensions 7 | *.so 8 | 9 | # Distribution / packaging 10 | .Python 11 | build/ 12 | develop-eggs/ 13 | dist/ 14 | downloads/ 15 | eggs/ 16 | .eggs/ 17 | lib/ 18 | lib64/ 19 | parts/ 20 | sdist/ 21 | var/ 22 | wheels/ 23 | pip-wheel-metadata/ 24 | share/python-wheels/ 25 | *.egg-info/ 26 | .installed.cfg 27 | *.egg 28 | MANIFEST 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .nox/ 44 | .coverage 45 | .coverage.* 46 | .cache 47 | nosetests.xml 48 | coverage.xml 49 | *.cover 50 | *.py,cover 51 | .hypothesis/ 52 | .pytest_cache/ 53 | 54 | # Translations 55 | *.mo 56 | *.pot 57 | 58 | # Django stuff: 59 | *.log 60 | local_settings.py 61 | db.sqlite3 62 | db.sqlite3-journal 63 | 64 | # Flask stuff: 65 | instance/ 66 | .webassets-cache 67 | 68 | # Scrapy stuff: 69 | .scrapy 70 | 71 | # Sphinx documentation 72 | docs/_build/ 73 | 74 | # PyBuilder 75 | target/ 76 | 77 | # Jupyter Notebook 78 | .ipynb_checkpoints 79 | 80 | # IPython 81 | profile_default/ 82 | ipython_config.py 83 | 84 | # pyenv 85 | .python-version 86 | 87 | # pipenv 88 | # According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control. 89 | # However, in case of collaboration, if having platform-specific dependencies or dependencies 90 | # having no cross-platform support, pipenv may install dependencies that don't work, or not 91 | # install all needed dependencies. 92 | #Pipfile.lock 93 | 94 | # PEP 582; used by e.g. github.com/David-OConnor/pyflow 95 | __pypackages__/ 96 | 97 | # Celery stuff 98 | celerybeat-schedule 99 | celerybeat.pid 100 | 101 | # SageMath parsed files 102 | *.sage.py 103 | 104 | # Environments 105 | .env 106 | .venv 107 | env/ 108 | venv/ 109 | ENV/ 110 | env.bak/ 111 | venv.bak/ 112 | 113 | # Spyder project settings 114 | .spyderproject 115 | .spyproject 116 | 117 | # Rope project settings 118 | .ropeproject 119 | 120 | # mkdocs documentation 121 | /site 122 | 123 | # mypy 124 | .mypy_cache/ 125 | .dmypy.json 126 | dmypy.json 127 | 128 | # Pyre type checker 129 | .pyre/ 130 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: clean 2 | clean: 3 | rm -vrf build/ 4 | rm -vrf dist/ 5 | find . -name *.pyc -delete -print 6 | rm -vrf *.egg-info 7 | rm -vrf */__pycache__ 8 | 9 | .PHONY: build3 10 | build3: 11 | python3 setup.py sdist bdist_wheel 12 | 13 | .PHONY: publish 14 | publish: 15 | pip install twine 16 | twine upload dist/* 17 | 18 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # requests-auth-aws-sigv4 2 | Use AWS signature version 4 Authentication with the python requests module 3 | 4 | This package provides an authentication class that can be used with the popular 5 | [requests](https://requests.readthedocs.io/en/master/) package to add the 6 | [AWS Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html) 7 | authentication information. 8 | 9 | The signing code is inspired by the python example provided by AWS. 10 | 11 | This package should support any/all AWS API's, including API Gateway API's (execute-api), 12 | Elasticsearch clusters, and others. AWS Credentials may be pulled from the environment 13 | in an easy and familiar way. 14 | The signature is added as a header to the request. 15 | 16 | ## Installation 17 | 18 | ``` 19 | pip install requests-auth-aws-sigv4 20 | ``` 21 | 22 | ## Usage 23 | 24 | ```python 25 | import requests 26 | from requests_auth_aws_sigv4 import AWSSigV4 27 | 28 | r = requests.request('POST', 'https://sts.us-east-1.amazonaws.com', 29 | data=dict(Version='2011-06-15', Action='GetCallerIdentity'), 30 | auth=AWSSigV4('sts')) 31 | print(r.text) 32 | ``` 33 | 34 | If **boto3** is available, it will attempt to use credentials that have been configured for the AWS CLI or SDK's, 35 | as documented in [Boto3 User Guide: Credentials](https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html#credentials). 36 | Otherwise, if **boto3** is not available, credentials must be provided using either environment variables or parameters. 37 | 38 | #### Example using environment variables 39 | 40 | Environment variable names are the same as documented for AWS CLI and SDK's. 41 | 42 | ```shell 43 | export AWS_ACCESS_KEY_ID=MYACCESSKEY 44 | export AWS_SECRET_ACCESS_KEY=THISISSECRET 45 | export AWS_SESSION_TOKEN=THISISWHERETHESUPERLONGTOKENGOES 46 | ``` 47 | 48 | ```python 49 | import requests 50 | from requests_auth_aws_sigv4 import AWSSigV4 51 | 52 | aws_auth = AWSSigV4('ec2') # If not provided, check for AWS Credentials from Environment Variables 53 | 54 | r = requests.request('GET', 'https://ec2.us-east-1.amazonaws.com?Version=2016-11-15&Action=DescribeRegions', 55 | auth=aws_auth) 56 | print(r.text) 57 | ``` 58 | 59 | #### Example using parameters 60 | 61 | Passing credentials as parameters overrides all other possible sources. 62 | 63 | ```python 64 | import requests 65 | from requests_auth_aws_sigv4 import AWSSigV4 66 | 67 | aws_auth = AWSSigV4('ec2', 68 | aws_access_key_id=ACCESS_KEY, 69 | aws_secret_access_key=SECRET_KEY, 70 | aws_session_token=SESSION_TOKEN, 71 | ) 72 | 73 | r = requests.request('GET', 'https://ec2.us-east-1.amazonaws.com?Version=2016-11-15&Action=DescribeRegions', 74 | auth=aws_auth) 75 | print(r.text) 76 | ``` 77 | 78 | ### Usage with Elasticsearch Client (elasticsearch-py) 79 | 80 | ```python 81 | from elasticsearch import Elasticsearch, RequestsHttpConnection 82 | from requests_auth_aws_sigv4 import AWSSigV4 83 | 84 | es_host = 'search-service-foobar.us-east-1.es.amazonaws.com' 85 | aws_auth = AWSSigV4('es') 86 | 87 | # use the requests connection_class and pass in our custom auth class 88 | es_client = Elasticsearch(host=es_host, 89 | port=80, 90 | connection_class=RequestsHttpConnection, 91 | http_auth=aws_auth) 92 | es_client.info() 93 | ``` 94 | 95 | ### Debug Logging 96 | 97 | All log messages are at the module level. 98 | 99 | ```python 100 | import logging 101 | logging.basicConfig() # Setup basic logging to stdout 102 | log = logging.getLogger('requests_auth_aws_sigv4') 103 | log.setLevel(logging.DEBUG) 104 | ``` 105 | 106 | ## Command Line Usage 107 | 108 | The module can be run from the command line in a way that is similar to how cURL works. 109 | 110 | ```shell 111 | $ python3 -m requests_auth_aws_sigv4 https://sampleapi.execute-api.us-east-1.amazonaws.com/test/ -v 112 | > GET /test/ HTTP/1.1 113 | > Host: sampleapi.execute-api.us-east-1.amazonaws.com 114 | > User-Agent: python-requests/2.23.0 auth-aws-sigv4/0.2 115 | > Accept-Encoding: gzip, deflate 116 | > Accept: */* 117 | > Connection: keep-alive 118 | > X-AMZ-Date: 20200513T180549Z 119 | > Authorization: AWS4-HMAC-SHA256 Credential=AKIASAMPLEKEYID/20200513/us-east-1/execute-api/aws4_request, SignedHeaders=host;x-amz-date, Signature=EXAMPLESIGNATUREISHERE 120 | > 121 | < HTTP/1.1 200 OK 122 | < Connection: keep-alive 123 | < Content-Length: 25 124 | < Content-Type: application/json 125 | < Date: Wed, 13 May 2020 18:05:49 GMT 126 | < Server: Server 127 | < x-amz-apigw-id: MeExampleiMFs99= 128 | < x-amzn-RequestId: 7example-7b7b-4343-9a9a-9bbexampleaf 129 | hello 130 | ``` 131 | 132 | ## Temporary Security Credentials 133 | 134 | Credentials issued from [AWS STS](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) 135 | to grant temporary access can be used normally. Set the token by passing the `aws_session_token` parameter, 136 | setting the `AWS_SESSION_TOKEN` environment variable, or configure the credential for boto3 as normal. 137 | 138 | ## Using boto3 (or botocore) for AWS Credentials 139 | 140 | The packages **boto3** and **botocore** are not requirements to use this module. 141 | As mentioned above, if **boto3** is available, a boto3.Session will be created to attempt to get credentials 142 | and configure the default region. This will happen automatically if credentials are not provided as parameters. 143 | 144 | -------------------------------------------------------------------------------- /requests_auth_aws_sigv4/__init__.py: -------------------------------------------------------------------------------- 1 | #!/bin/env python3 2 | from __future__ import print_function 3 | 4 | import hashlib 5 | import hmac 6 | import logging 7 | import os 8 | import urllib.parse 9 | from datetime import datetime 10 | 11 | from requests import __version__ as requests_version 12 | from requests.auth import AuthBase 13 | from requests.compat import urlparse 14 | from requests.models import PreparedRequest 15 | 16 | try: 17 | import boto3 18 | except ImportError: 19 | boto3 = None 20 | 21 | __version__ = '0.8' 22 | 23 | log = logging.getLogger(__name__) 24 | 25 | 26 | def sign_msg(key, msg): 27 | """ Sign message using key """ 28 | return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest() 29 | 30 | 31 | class AWSSigV4(AuthBase): 32 | 33 | def __init__(self, service, **kwargs): 34 | """ Create authentication mechanism 35 | 36 | :param service: AWS Service identifier, for example `ec2`. This is required. 37 | :param region: AWS Region, for example `us-east-1`. If not provided, it will be set using 38 | the environment variables `AWS_DEFAULT_REGION` or using boto3, if available. 39 | :param session: If boto3 is available, will attempt to get credentials using boto3, 40 | unless passed explicitly. If using boto3, the provided session will be used or a new 41 | session will be created. 42 | :param bool payload_signing_enabled: Boolean indicating if the payload should be signed or not. 43 | 44 | """ 45 | # Set Service 46 | self.service = service 47 | 48 | # First, get credentials passed explicitly 49 | self.aws_access_key_id = kwargs.get('aws_access_key_id') 50 | self.aws_secret_access_key = kwargs.get('aws_secret_access_key') 51 | self.aws_session_token = kwargs.get('aws_session_token') 52 | # Next, try environment variables or use boto3 53 | if self.aws_access_key_id is None or self.aws_secret_access_key is None: 54 | if boto3 is not None: 55 | # Setup Session 56 | if 'session' in kwargs: 57 | if type(kwargs['session']) == boto3.Session: 58 | session = kwargs['session'] 59 | else: 60 | raise ValueError("Session must be boto3.Session, {} invalid, ".format(type(kwargs['session']))) 61 | else: 62 | session = boto3.Session() 63 | log.debug("Using boto3 session: %s", session) 64 | cred = session.get_credentials() 65 | log.debug("Got credential from boto3 session") 66 | self.aws_access_key_id = cred.access_key 67 | self.aws_secret_access_key = cred.secret_key 68 | self.aws_session_token = cred.token 69 | self.region = session.region_name 70 | log.debug("Got region from boto3 session") 71 | else: 72 | log.debug("Checking environment for credentials") 73 | self.aws_access_key_id = os.environ.get('AWS_ACCESS_KEY_ID') 74 | self.aws_secret_access_key = os.environ.get('AWS_SECRET_ACCESS_KEY') 75 | self.aws_session_token = os.environ.get('AWS_SESSION_TOKEN') or os.environ.get('AWS_SECURITY_TOKEN') 76 | # Last, fail if still not found 77 | if self.aws_access_key_id is None or self.aws_secret_access_key is None: 78 | raise KeyError("AWS Access Key ID and Secret Access Key are required") 79 | 80 | # Get Region passed explicitly 81 | self.region = kwargs.get('region') 82 | # Next, try environment variables or use boto3 83 | if self.region is None: 84 | log.debug("Checking environment for region") 85 | self.region = os.environ.get('AWS_DEFAULT_REGION') or os.environ.get('AWS_REGION') 86 | # Last, fail if not found 87 | if self.region is None: 88 | raise KeyError("Region is required") 89 | 90 | # Should we sign the payload or not 91 | self.payload_signing_enabled = kwargs.get('payload_signing_enabled', True) 92 | 93 | def __call__(self, r: PreparedRequest) -> PreparedRequest: 94 | """ Called to add authentication information to request 95 | 96 | :param r: `requests.models.PreparedRequest` object to modify 97 | 98 | :returns: `requests.models.PreparedRequest`, modified to add authentication 99 | 100 | """ 101 | # Create a date for headers and the credential string 102 | t = datetime.utcnow() 103 | amzdate = t.strftime('%Y%m%dT%H%M%SZ') 104 | datestamp = t.strftime('%Y%m%d') 105 | log.debug("Starting authentication with amzdate=%s", amzdate) 106 | 107 | # Parse request to get URL parts 108 | url_parts = urlparse(r.url) 109 | log.debug("Request URL: %s", url_parts) 110 | host = url_parts.hostname 111 | if self.service == 's3': 112 | uri = url_parts.path 113 | else: 114 | uri_segments = [] 115 | for segment in url_parts.path.split('/'): 116 | uri_segments.append(urllib.parse.quote(segment, safe='')) 117 | uri = '/'.join(uri_segments) 118 | if len(url_parts.query) > 0: 119 | qs = dict(map(lambda i: i.split('='), url_parts.query.split('&'))) 120 | else: 121 | qs = dict() 122 | 123 | # Setup Headers 124 | # r.headers is type `requests.structures.CaseInsensitiveDict` 125 | if 'Host' not in r.headers: 126 | r.headers['Host'] = host 127 | if 'Content-Type' not in r.headers: 128 | r.headers['Content-Type'] = 'application/x-www-form-urlencoded; charset=utf-8; application/json' 129 | if 'User-Agent' not in r.headers: 130 | r.headers['User-Agent'] = 'python-requests/{} auth-aws-sigv4/{}'.format( 131 | requests_version, __version__) 132 | r.headers['X-AMZ-Date'] = amzdate 133 | if self.aws_session_token is not None: 134 | r.headers['x-amz-security-token'] = self.aws_session_token 135 | 136 | # Task 1: Create Canonical Request 137 | # Ref: http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html 138 | # Query string values must be URL-encoded (space=%20) and be sorted by name. 139 | canonical_querystring = "&".join(map(lambda p: "=".join(p), sorted(qs.items()))) 140 | 141 | # Create payload hash (hash of the request body content). 142 | if not self.payload_signing_enabled: 143 | payload_hash = 'UNSIGNED-PAYLOAD' 144 | elif r.method == 'GET' and not r.body: 145 | payload_hash = hashlib.sha256(''.encode('utf-8')).hexdigest() 146 | else: 147 | if r.body: 148 | if isinstance(r.body, bytes): 149 | log.debug("Request Body: %s", r.body) 150 | payload_hash = hashlib.sha256(r.body).hexdigest() 151 | else: 152 | log.debug("Request Body: %s", r.body) 153 | payload_hash = hashlib.sha256(r.body.encode('utf-8')).hexdigest() 154 | else: 155 | log.debug("Request Body is empty") 156 | payload_hash = hashlib.sha256(b'').hexdigest() 157 | r.headers['x-amz-content-sha256'] = payload_hash 158 | 159 | # Create the canonical headers and signed headers. Header names 160 | # must be trimmed and lowercase, and sorted in code point order from 161 | # low to high. Note that there is a trailing \n. 162 | headers_to_sign = sorted(filter(lambda h: h.startswith('x-amz-') or h == 'host', 163 | map(lambda h_key: h_key.lower(), r.headers.keys()))) 164 | canonical_headers = ''.join(map(lambda h: ":".join((h, r.headers[h])) + '\n', headers_to_sign)) 165 | signed_headers = ';'.join(headers_to_sign) 166 | 167 | # Combine elements to create canonical request 168 | canonical_request = '\n'.join([r.method, uri, canonical_querystring, 169 | canonical_headers, signed_headers, payload_hash]) 170 | log.debug("Canonical Request: '%s'", canonical_request) 171 | 172 | # Task 2: Create string to sign 173 | credential_scope = '/'.join([datestamp, self.region, self.service, 'aws4_request']) 174 | string_to_sign = '\n'.join(['AWS4-HMAC-SHA256', amzdate, 175 | credential_scope, hashlib.sha256(canonical_request.encode('utf-8')).hexdigest()]) 176 | log.debug("String-to-Sign: '%s'", string_to_sign) 177 | 178 | # Task 3: Calculate Signature 179 | k_date = sign_msg(('AWS4' + self.aws_secret_access_key).encode('utf-8'), datestamp) 180 | k_region = sign_msg(k_date, self.region) 181 | k_service = sign_msg(k_region, self.service) 182 | k_signing = sign_msg(k_service, 'aws4_request') 183 | signature = hmac.new(k_signing, string_to_sign.encode('utf-8'), hashlib.sha256).hexdigest() 184 | log.debug("Signature: %s", signature) 185 | 186 | # Task 4: Add signing information to request 187 | r.headers['Authorization'] = "AWS4-HMAC-SHA256 Credential={}/{}, SignedHeaders={}, Signature={}".format( 188 | self.aws_access_key_id, credential_scope, signed_headers, signature) 189 | log.debug("Returning Request: {} {} HTTP/{}".format(r.request.method, request_url.path, (r.raw.version / 10.0)), 99 | file=sys.stderr) 100 | req_headers = r.request.headers.copy() 101 | if 'Host' in req_headers: # Make sure Host header is first, if it exists 102 | print("> Host:", req_headers.pop('Host'), file=sys.stderr) 103 | for key, value in req_headers.items(): 104 | print("> {}: {}".format(key, value), file=sys.stderr) 105 | print(">", file=sys.stderr) # Blank line at end of request headers 106 | for resp_line in parse_response_headers(r): 107 | print("<", resp_line, file=sys.stderr) # Each response header 108 | if args.include: 109 | for resp_line in parse_response_headers(r): 110 | print(resp_line) 111 | print() # Blank line to separate headers from data 112 | try: 113 | json_data = r.json() 114 | if len(json_data) <= 1: # If only one item, print its value 115 | print("".join(json_data.values())) 116 | else: 117 | print(json_data) 118 | except ValueError: 119 | print(r.text) 120 | 121 | 122 | if __name__ == "__main__": 123 | run() 124 | -------------------------------------------------------------------------------- /setup.cfg: -------------------------------------------------------------------------------- 1 | [tool:pytest] 2 | testpaths = tests 3 | 4 | [coverage:run] 5 | branch = True 6 | source = 7 | requests_auth_aws_sigv4 8 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | import setuptools 2 | 3 | from requests_auth_aws_sigv4 import __version__ 4 | 5 | with open("README.md", "r") as f: 6 | long_desc = f.read() 7 | 8 | setuptools.setup( 9 | name="requests-auth-aws-sigv4", 10 | version=__version__, 11 | author="Andrew Roth", 12 | author_email="andrew@andrewjroth.com", 13 | description="AWS SigV4 Authentication with the python requests module", 14 | long_description=long_desc, 15 | long_description_content_type="text/markdown", 16 | url="https://github.com/andrewjroth/requests-auth-aws-sigv4", 17 | packages=['requests_auth_aws_sigv4'], 18 | install_requires=['requests'], 19 | classifiers=[ 20 | "Development Status :: 4 - Beta", 21 | "Intended Audience :: Developers", 22 | "License :: OSI Approved :: Apache Software License", 23 | "Natural Language :: English", 24 | "Programming Language :: Python :: 2.7", 25 | "Programming Language :: Python :: 3", 26 | ], 27 | python_requires=">=2.7, >=3.6", 28 | ) 29 | -------------------------------------------------------------------------------- /tests/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/andrewjroth/requests-auth-aws-sigv4/bf46a91a2ce4a7ffeb4038694412bc514731603f/tests/__init__.py -------------------------------------------------------------------------------- /tests/conftest.py: -------------------------------------------------------------------------------- 1 | from datetime import datetime 2 | from unittest.mock import patch 3 | 4 | import pytest 5 | from mockito import unstub 6 | 7 | 8 | @pytest.fixture(autouse=True) 9 | def log(caplog, pytestconfig): 10 | if pytestconfig.getoption("verbose") > 0: 11 | caplog.set_level('DEBUG') 12 | else: 13 | caplog.set_level('INFO') 14 | 15 | 16 | @pytest.fixture 17 | def frozentime(): 18 | dt = datetime(2022, 1, 1, 12, 34) 19 | with patch('requests_auth_aws_sigv4.datetime') as mock_datetime: 20 | mock_datetime.utcnow.return_value = dt 21 | yield dt 22 | 23 | -------------------------------------------------------------------------------- /tests/requirements.txt: -------------------------------------------------------------------------------- 1 | pytest 2 | mockito 3 | requests 4 | -------------------------------------------------------------------------------- /tests/test_init.py: -------------------------------------------------------------------------------- 1 | import urllib.parse 2 | 3 | import pytest 4 | from requests.models import Request 5 | from mockito import when, spy2, unstub 6 | 7 | import requests_auth_aws_sigv4 8 | 9 | 10 | def test_sign_msg(): 11 | result = b'-\x93\xcb\xc1\xbe\x16{\xcb\x167\xa4\xa2<\xbf\xf0\x1axx\xf0\xc5\x0e\xe83\x95N\xa5"\x1b\xb1\xb8\xc6(' 12 | assert requests_auth_aws_sigv4.sign_msg(b'key', 'msg') == result 13 | 14 | 15 | def test_init_provided(): 16 | """ Test for provided credentials and region """ 17 | aws_auth = requests_auth_aws_sigv4.AWSSigV4('test', region='test-region-1', 18 | aws_access_key_id="key_id", 19 | aws_secret_access_key="secret_key") 20 | assert aws_auth.aws_access_key_id == "key_id" 21 | assert aws_auth.aws_secret_access_key == "secret_key" 22 | assert aws_auth.aws_session_token is None 23 | assert aws_auth.region == "test-region-1" 24 | 25 | 26 | def test_init_environment(): 27 | """ Test for credentials and region from environment """ 28 | spy2(requests_auth_aws_sigv4.os.environ.get) 29 | when(requests_auth_aws_sigv4.os.environ).get('AWS_ACCESS_KEY_ID').thenReturn("key_id") 30 | when(requests_auth_aws_sigv4.os.environ).get('AWS_SECRET_ACCESS_KEY').thenReturn("secret_key") 31 | when(requests_auth_aws_sigv4.os.environ).get('AWS_DEFAULT_REGION').thenReturn("test-region-1") 32 | aws_auth = requests_auth_aws_sigv4.AWSSigV4('test') 33 | assert aws_auth.aws_access_key_id == "key_id" 34 | assert aws_auth.aws_secret_access_key == "secret_key" 35 | assert aws_auth.aws_session_token is None 36 | assert aws_auth.region == "test-region-1" 37 | unstub() 38 | 39 | 40 | def test_init_provided_with_session(): 41 | """ Test for provided credentials and region """ 42 | aws_auth = requests_auth_aws_sigv4.AWSSigV4('test', region='test-region-1', 43 | aws_access_key_id="key_id", 44 | aws_secret_access_key="secret_key", 45 | aws_session_token="token") 46 | assert aws_auth.aws_access_key_id == "key_id" 47 | assert aws_auth.aws_secret_access_key == "secret_key" 48 | assert aws_auth.aws_session_token == "token" 49 | assert aws_auth.region == "test-region-1" 50 | 51 | 52 | def test_init_environment_with_session(): 53 | """ Test for credentials and region from environment """ 54 | spy2(requests_auth_aws_sigv4.os.environ.get) 55 | when(requests_auth_aws_sigv4.os.environ).get('AWS_ACCESS_KEY_ID').thenReturn("key_id") 56 | when(requests_auth_aws_sigv4.os.environ).get('AWS_SECRET_ACCESS_KEY').thenReturn("secret_key") 57 | when(requests_auth_aws_sigv4.os.environ).get('AWS_SESSION_TOKEN').thenReturn("token") 58 | when(requests_auth_aws_sigv4.os.environ).get('AWS_DEFAULT_REGION').thenReturn("test-region-1") 59 | aws_auth = requests_auth_aws_sigv4.AWSSigV4('test') 60 | assert aws_auth.aws_access_key_id == "key_id" 61 | assert aws_auth.aws_secret_access_key == "secret_key" 62 | assert aws_auth.aws_session_token == "token" 63 | assert aws_auth.region == "test-region-1" 64 | unstub() 65 | 66 | 67 | def test_init_no_keys(): 68 | """ Test for provided credentials and region """ 69 | with pytest.raises(KeyError): 70 | aws_auth = requests_auth_aws_sigv4.AWSSigV4('test', region='test-region-1') 71 | 72 | 73 | def test_init_no_region(): 74 | """ Test for provided credentials and region """ 75 | with pytest.raises(KeyError): 76 | aws_auth = requests_auth_aws_sigv4.AWSSigV4('test', aws_access_key_id="key_id", 77 | aws_secret_access_key="secret_key") 78 | 79 | 80 | def test_call_simple(frozentime): 81 | aws_auth = requests_auth_aws_sigv4.AWSSigV4('test', region='test-region-1', 82 | aws_access_key_id="key_id", 83 | aws_secret_access_key="secret_key", 84 | aws_session_token="token") 85 | req = Request('GET', "https://testhost/action?param=value") 86 | result = aws_auth(req.prepare()) 87 | assert 'Authorization' in result.headers 88 | assert result.headers['Authorization'] == ", ".join([ 89 | f"AWS4-HMAC-SHA256 Credential=key_id/{frozentime:%Y%m%d}/test-region-1/test/aws4_request", 90 | f"SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token", 91 | f"Signature=817adf89563cdf0728f4e684c9ac9ead2cca25c4610e9bb3ddfebe8665ea72f2" 92 | ]) 93 | assert result.headers['Host'] == "testhost" 94 | assert result.headers['Content-Type'] == "application/x-www-form-urlencoded; charset=utf-8; application/json" 95 | assert result.headers['User-Agent'] == 'python-requests/{} auth-aws-sigv4/{}'.format( 96 | requests_auth_aws_sigv4.requests_version, requests_auth_aws_sigv4.__version__) 97 | assert result.headers['X-AMZ-Date'] == frozentime.strftime('%Y%m%dT%H%M%SZ') 98 | assert result.headers['x-amz-security-token'] == "token" 99 | assert result.headers['x-amz-content-sha256'] == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" 100 | 101 | 102 | def test_call_no_payload_signing(frozentime): 103 | aws_auth = requests_auth_aws_sigv4.AWSSigV4('test', region='test-region-1', 104 | aws_access_key_id="key_id", 105 | aws_secret_access_key="secret_key", 106 | aws_session_token="token", 107 | payload_signing_enabled=False, 108 | ) 109 | req = Request('GET', "https://testhost/action?param=value") 110 | result = aws_auth(req.prepare()) 111 | assert 'Authorization' in result.headers 112 | assert result.headers['Authorization'] == ", ".join([ 113 | f"AWS4-HMAC-SHA256 Credential=key_id/{frozentime:%Y%m%d}/test-region-1/test/aws4_request", 114 | f"SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token", 115 | f"Signature=a5e20a7d27d57597b3776e04f087343407397fe2418e40cf85ffab051dd2cf1d" 116 | ]) 117 | assert result.headers['x-amz-content-sha256'] == "UNSIGNED-PAYLOAD" 118 | 119 | 120 | def test_uri_double_encoded_segment(frozentime): 121 | aws_auth = requests_auth_aws_sigv4.AWSSigV4('test', region='test-region-1', 122 | aws_access_key_id="key_id", 123 | aws_secret_access_key="secret_key", 124 | aws_session_token="token") 125 | segment = urllib.parse.quote('123 / abc', safe='') 126 | req = Request('GET', f'https://testhost/action/{segment}?param=value') 127 | result = aws_auth(req.prepare()) 128 | assert 'Authorization' in result.headers 129 | assert result.headers['Authorization'] == ", ".join([ 130 | f"AWS4-HMAC-SHA256 Credential=key_id/{frozentime:%Y%m%d}/test-region-1/test/aws4_request", 131 | f"SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token", 132 | f"Signature=89a91408e96df9231d23bc51aa31916f1f72db68d6e96ba633c6652ba86fe2cd" 133 | ]) 134 | assert result.headers['Host'] == "testhost" 135 | assert result.headers['Content-Type'] == "application/x-www-form-urlencoded; charset=utf-8; application/json" 136 | assert result.headers['User-Agent'] == 'python-requests/{} auth-aws-sigv4/{}'.format( 137 | requests_auth_aws_sigv4.requests_version, requests_auth_aws_sigv4.__version__) 138 | assert result.headers['X-AMZ-Date'] == frozentime.strftime('%Y%m%dT%H%M%SZ') 139 | assert result.headers['x-amz-security-token'] == "token" 140 | assert result.headers['x-amz-content-sha256'] == "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" 141 | -------------------------------------------------------------------------------- /tests/test_main.py: -------------------------------------------------------------------------------- 1 | import pytest 2 | import requests 3 | from mockito import mock, when, verify, unstub 4 | 5 | from requests_auth_aws_sigv4 import __main__ as main 6 | 7 | 8 | def test_parse_response_headers(): 9 | response = mock({ 10 | 'raw': mock({'version': 11}), # HTTP/1.1 11 | 'status_code': 200, 12 | 'reason': "OK", 13 | 'headers': { 14 | 'Alpha': "One", 15 | 'Charlie': "Three", 16 | 'Beta': "Two", 17 | } 18 | }, spec=requests.Response) 19 | result = list(main.parse_response_headers(response)) 20 | assert result[0] == 'HTTP/1.1 200 OK' 21 | assert result[1] == 'Alpha: One' 22 | assert result[2] == 'Beta: Two' 23 | assert result[3] == 'Charlie: Three' 24 | 25 | 26 | @pytest.fixture 27 | def mock_auth(): 28 | def _make(method, url, json_data=None, text_data=None): 29 | mock_request = mock({ 30 | 'url': url, 31 | 'method': method, 32 | 'headers': {} 33 | }, spec=requests.PreparedRequest) 34 | 35 | def _json(): 36 | if json_data is not None: 37 | return json_data 38 | raise ValueError 39 | mock_response = mock({ 40 | 'request': mock_request, 41 | 'raw': mock({'version': 11}), # HTTP/1.1 42 | 'status_code': 200, 43 | 'reason': "OK", 44 | 'headers': {}, 45 | 'json': _json, 46 | 'text': text_data 47 | }, spec=requests.Response) 48 | mock_AWSSigV4 = mock(main.AWSSigV4) 49 | when(mock_AWSSigV4).__call__(mock_request).thenReturn(mock_request) 50 | when(main).AWSSigV4("service", region="tt-region-1", payload_signing_enabled=True).thenReturn(mock_AWSSigV4) 51 | when(requests).request(...).thenReturn(mock_response) 52 | return mock_response 53 | yield _make 54 | unstub() 55 | 56 | 57 | def test_run(capfd, mock_auth): 58 | url = "https://service.tt-region-1.example.com/path?query=string" 59 | mock_resp = mock_auth("GET", url, {"result": "data"}) 60 | main.run([url]) 61 | verify(mock_resp).json() 62 | captured = capfd.readouterr() 63 | assert captured.out == "data\n" 64 | 65 | 66 | def test_run_include_headers(capfd, mock_auth): 67 | url = "https://service.tt-region-1.example.com/path?query=string" 68 | mock_resp = mock_auth("GET", url, {"result": "data"}) 69 | main.run(["-i", url]) 70 | verify(mock_resp).json() 71 | captured = capfd.readouterr() 72 | assert captured.out.splitlines() == ["HTTP/1.1 200 OK", "", "data"] 73 | 74 | 75 | def test_run_verbose(capfd, mock_auth): 76 | url = "https://service.tt-region-1.example.com/path?query=string" 77 | mock_resp = mock_auth("GET", url, {"result": "data"}) 78 | main.run(["-v", url]) 79 | verify(mock_resp).json() 80 | captured = capfd.readouterr() 81 | assert captured.err.splitlines() == ["> GET /path HTTP/1.1", ">", "< HTTP/1.1 200 OK"] 82 | assert captured.out == "data\n" 83 | --------------------------------------------------------------------------------