abstract class AWS::Signer

Overview

A Signer can sign an HTTP request using AWS4-HMAC-SHA256 as outlined by: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html

Signers are generally only used once, and they are scoped to the region (for v4), AWS service, AWS credentials, and a point in time.

Signers come in 2 flavours: v4 (for region-specific requests) and v4a (for requests to MRAPs). They differ in the cryptography used.

|              | v4               | v4a                |
| :----------- | :--------------- | :----------------- |
| Cryptography | Symmetric (HMAC) | Asymmetric (ECDSA) |
| Region       | e.g. eu-west-1   | *                  |

You may use AWS::Signer::V4 or AWS::Signer::V4a directly, or allow AWS::Signer#new to choose based on the arguments, or allow AWS::Signer::sign!(Request) to decide based on the request (simplest). Note that by using a properly implemented AWS::Service in this library, you shouldn't need to worry about the signatures at all.

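```crystal
require "http"
require "aws/signer"

region = ENV.fetch("AWS_REGION", "eu-west-1")
access_key_id = ENV["AWS_ACCESS_KEY_ID"]
secret_access_key = ENV["AWS_SECRET_ACCESS_KEY"]
# The constructor takes (region, service, key, secret); "iam" matches the host called below.
# The signer's time is fixed at construction (Time.utc by default), so build a new one for later requests.
v4 = AWS::Signer.new(region, "iam", access_key_id, secret_access_key)
client = HTTP::Client.new("iam.amazonaws.com", tls: true)
# Sign every outgoing request just before it is sent.
client.before_request { |request| v4.sign!(request) }
response = client.get("/?Action=GetUser&UserName=test&Version=2010-05-08")
# Check the response status...
# Parse the response body...
```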
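Why a v4 signer is scoped to a region, service, credentials and point in time, shown as an added example (not this library's code) that follows the general SigV4 derivation from the AWS document linked above using only the Crystal standard library. The secret, timestamp and helper names (`hmac`, `signing_key`, `signature`, `canonical_request`) are constructed for illustration.

```crystal
require "openssl/hmac"
require "digest/sha256"

# Constructed sample inputs; the secret is a placeholder, not a real credential.
SECRET = "EXAMPLE-SECRET-NOT-REAL"
NOW    = Time.utc(2024, 1, 15, 12, 0, 0)

def hmac(key, data : String) : Bytes
  OpenSSL::HMAC.digest(:sha256, key, data)
end

# Each HMAC step folds one scope element into the key, so the derived key
# is only valid for this day, region and service.
def signing_key(secret : String, time : Time, region : String, service : String) : Bytes
  k_date = hmac("AWS4#{secret}", time.to_s("%Y%m%d"))
  hmac(hmac(hmac(k_date, region), service), "aws4_request")
end

# The string to sign binds the full timestamp, the scope and the request hash.
def signature(secret : String, time : Time, region : String, service : String, canonical_request : String) : String
  stamp = time.to_s("%Y%m%dT%H%M%SZ")
  scope = "#{time.to_s("%Y%m%d")}/#{region}/#{service}/aws4_request"
  to_sign = ["AWS4-HMAC-SHA256", stamp, scope, Digest::SHA256.hexdigest(canonical_request)].join("\n")
  OpenSSL::HMAC.hexdigest(:sha256, signing_key(secret, time, region, service), to_sign)
end

# Canonical form of the GET request from the overview, signing host and x-amz-date.
def canonical_request(time : Time) : String
  ["GET", "/", "Action=GetUser&UserName=test&Version=2010-05-08",
   "host:iam.amazonaws.com", "x-amz-date:#{time.to_s("%Y%m%dT%H%M%SZ")}", "",
   "host;x-amz-date", Digest::SHA256.hexdigest("")].join("\n")
end

base = signature(SECRET, NOW, "eu-west-1", "iam", canonical_request(NOW))
other_region = signature(SECRET, NOW, "us-east-1", "iam", canonical_request(NOW))
other_service = signature(SECRET, NOW, "eu-west-1", "s3", canonical_request(NOW))
later = NOW + 1.minute
other_time = signature(SECRET, later, "eu-west-1", "iam", canonical_request(later))

# Four different signatures: changing any scope element invalidates the old one.
puts "baseline:      #{base}"
puts "other region:  #{other_region}"
puts "other service: #{other_service}"
puts "one min later: #{other_time}"
```

The same request signed for a different region, service or timestamp yields an unrelated signature, which is why a signer built for one scope cannot be reused for another.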

Direct Known Subclasses

Defined in:

aws/signer.cr

Constructors

Instance Method Summary

Constructor Detail

def self.new(region : String, service : String, creds : Credentials, time : Time = Time.utc)

Creates a new AWS V4 signer for the given region and service with the given credentials, valid at the given time.


def self.new(region, service, key, secret, token = nil, time = Time.utc)

Creates a new AWS V4 signer for the given region and service with the given AWS AccessKeyId and SecretAccessKey, valid at the given time.



Instance Method Detail

def sign(payload : String) : String

Gets a signature for the given payload, as per


def sign(request : HTTP::Request) : String

Gets a signature for a payload extracted from the given request, as per docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html


def sign!(request : HTTP::Request)

Signs the given request - if it's a GET request, then it will add the signature as a query parameter; if it's a POST request, it will add the signature to the Authorization header.

