• Stars
    star
    663
  • Rank 67,991 (Top 2 %)
  • Language
    JavaScript
  • License
    MIT License
  • Created almost 12 years ago
  • Updated over 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Signs and prepares Node.js requests using AWS Signature Version 4

aws4

Build Status

A small utility to sign vanilla Node.js http(s) request options using Amazon's AWS Signature Version 4.

If you want to sign and send AWS requests in a browser, or an environment like Cloudflare Workers, then check out aws4fetch – otherwise you can also bundle this library for use in older browsers.

The only AWS service that doesn't support v4 as of 2020-05-22 is SimpleDB (it only supports AWS Signature Version 2).

It also provides defaults for a number of core AWS headers and request parameters, making it very easy to query AWS services, or build out a fully-featured AWS library.

Example

var https = require('https')
var aws4  = require('aws4')

// to illustrate usage, we'll create a utility function to request and pipe to stdout
function request(opts) { https.request(opts, function(res) { res.pipe(process.stdout) }).end(opts.body || '') }

// aws4 will sign an options object as you'd pass to http.request, with an AWS service and region
var opts = { host: 'my-bucket.s3.us-west-1.amazonaws.com', path: '/my-object', service: 's3', region: 'us-west-1' }

// aws4.sign() will sign and modify these options, ready to pass to http.request
aws4.sign(opts, { accessKeyId: '', secretAccessKey: '' })

// or it can get credentials from process.env.AWS_ACCESS_KEY_ID, etc
aws4.sign(opts)

// for most AWS services, aws4 can figure out the service and region if you pass a host
opts = { host: 'my-bucket.s3.us-west-1.amazonaws.com', path: '/my-object' }

// usually it will add/modify request headers, but you can also sign the query:
opts = { host: 'my-bucket.s3.amazonaws.com', path: '/?X-Amz-Expires=12345', signQuery: true }

// and for services with simple hosts, aws4 can infer the host from service and region:
opts = { service: 'sqs', region: 'us-east-1', path: '/?Action=ListQueues' }

// and if you're using us-east-1, it's the default:
opts = { service: 'sqs', path: '/?Action=ListQueues' }

aws4.sign(opts)
console.log(opts)
/*
{
  host: 'sqs.us-east-1.amazonaws.com',
  path: '/?Action=ListQueues',
  headers: {
    Host: 'sqs.us-east-1.amazonaws.com',
    'X-Amz-Date': '20121226T061030Z',
    Authorization: 'AWS4-HMAC-SHA256 Credential=ABCDEF/20121226/us-east-1/sqs/aws4_request, ...'
  }
}
*/

// we can now use this to query AWS
request(opts)
/*
<?xml version="1.0"?>
<ListQueuesResponse xmlns="https://queue.amazonaws.com/doc/2012-11-05/">
...
*/

// aws4 can infer the HTTP method if a body is passed in
// method will be POST and Content-Type: 'application/x-www-form-urlencoded; charset=utf-8'
request(aws4.sign({ service: 'iam', body: 'Action=ListGroups&Version=2010-05-08' }))
/*
<ListGroupsResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
...
*/

// you can specify any custom option or header as per usual
request(aws4.sign({
  service: 'dynamodb',
  region: 'ap-southeast-2',
  method: 'POST',
  path: '/',
  headers: {
    'Content-Type': 'application/x-amz-json-1.0',
    'X-Amz-Target': 'DynamoDB_20120810.ListTables'
  },
  body: '{}'
}))
/*
{"TableNames":[]}
...
*/

// you can also specify extra headers to ignore during signing
request(aws4.sign({
  host: '07tjusf2h91cunochc.us-east-1.aoss.amazonaws.com',
  method: 'PUT',
  path: '/my-index',
  body: '{"mappings":{}}',
  headers: {
    'Content-Type': 'application/json',
    'X-Amz-Content-Sha256': 'UNSIGNED-PAYLOAD'
  },
  extraHeadersToIgnore: {
    'content-length': true
  }
}))

// and headers to include that would normally be ignored
request(aws4.sign({
  service: 'mycustomservice',
  path: '/whatever',
  headers: {
    'Range': 'bytes=200-1000, 2000-6576, 19000-'
  },
  extraHeadersToInclude: {
    'range': true
  }
}))


// The raw RequestSigner can be used to generate CodeCommit Git passwords
var signer = new aws4.RequestSigner({
  service: 'codecommit',
  host: 'git-codecommit.us-east-1.amazonaws.com',
  method: 'GIT',
  path: '/v1/repos/MyAwesomeRepo',
})
var password = signer.getDateTime() + 'Z' + signer.signature()

// see example.js for examples with other services

API

aws4.sign(requestOptions, [credentials])

Calculates and populates any necessary AWS headers and/or request options on requestOptions. Returns requestOptions as a convenience for chaining.

requestOptions is an object holding the same options that the Node.js http.request function takes.

The following properties of requestOptions are used in the signing or populated if they don't already exist:

  • hostname or host (will try to be determined from service and region if not given)
  • method (will use 'GET' if not given or 'POST' if there is a body)
  • path (will use '/' if not given)
  • body (will use '' if not given)
  • service (will try to be calculated from hostname or host if not given)
  • region (will try to be calculated from hostname or host or use 'us-east-1' if not given)
  • signQuery (to sign the query instead of adding an Authorization header, defaults to false)
  • extraHeadersToIgnore (an object with lowercase header keys to ignore when signing, eg { 'content-length': true })
  • extraHeadersToInclude (an object with lowercase header keys to include when signing, overriding any ignores)
  • headers['Host'] (will use hostname or host or be calculated if not given)
  • headers['Content-Type'] (will use 'application/x-www-form-urlencoded; charset=utf-8' if not given and there is a body)
  • headers['Date'] (used to calculate the signature date if given, otherwise new Date is used)

Your AWS credentials (which can be found in your AWS console) can be specified in one of two ways:

  • As the second argument, like this:
aws4.sign(requestOptions, {
  secretAccessKey: "<your-secret-access-key>",
  accessKeyId: "<your-access-key-id>",
  sessionToken: "<your-session-token>"
})
  • From process.env, such as this:
export AWS_ACCESS_KEY_ID="<your-access-key-id>"
export AWS_SECRET_ACCESS_KEY="<your-secret-access-key>"
export AWS_SESSION_TOKEN="<your-session-token>"

(will also use AWS_ACCESS_KEY and AWS_SECRET_KEY if available)

The sessionToken property and AWS_SESSION_TOKEN environment variable are optional for signing with IAM STS temporary credentials.

Installation

With npm do:

npm install aws4

Can also be used in the browser.

Thanks

Thanks to @jed for his dynamo-client lib where I first committed and subsequently extracted this code.

Also thanks to the official Node.js AWS SDK for giving me a start on implementing the v4 signature.

More Repositories

1

alpine-node

Minimal Node.js Docker Images built on Alpine Linux
Dockerfile
2,452
star
2

react-server-example

A simple example of how to do server-side rendering with React (no compilation needed)
JavaScript
1,792
star
3

kinesalite

An implementation of Amazon's Kinesis built on LevelDB
JavaScript
796
star
4

aws4fetch

A compact AWS client for modern JS environments
JavaScript
405
star
5

react-server-routing-example

An example using universal client/server routing and data in React with AWS DynamoDB
JavaScript
299
star
6

simple-relay-starter

A very simple starter for React Relay using Browserify
JavaScript
156
star
7

kinesis

A Node.js stream implementation of Amazon's Kinesis
JavaScript
149
star
8

epipebomb

Ignore EPIPE errors when stdout runs through a truncated pipe (such as `head`) in Node.js
JavaScript
63
star
9

awscred

Node.js module to resolve AWS credentials/region using env, ini files and IAM roles
JavaScript
45
star
10

gelf-stream

A node.js stream to send JS objects to a Graylog2 server (in GELF format)
JavaScript
28
star
11

StringStream

Encode and decode streams into string streams in node.js
JavaScript
27
star
12

dynamo-table

A lightweight module to map JS objects and queries to DynamoDB tables
JavaScript
24
star
13

gelfling

Create and send GELF (Graylog2) messages in node.js, including chunking
JavaScript
8
star
14

awslogger

A CLI tool to send lines from stdin to AWS CloudWatch Logs
JavaScript
7
star
15

aws2

Signs and prepares node.js http(s) requests using AWS Signature Version 2
JavaScript
6
star
16

deep_learning_glossary

Simple, opinionated explanations of various things encountered in Deep Learning
6
star
17

pdf2png-demo

A demo of Container Image Support in AWS Lambda
Go
6
star
18

test-ci-project

Shell
2
star
19

aws3

Signs and prepares node.js http(s) requests using AWS Signature Version 3
JavaScript
1
star