aws4

What is aws4?

The aws4 npm package is a library that signs and prepares requests using AWS Signature Version 4. It is used to authenticate and send requests to AWS services that require signing, such as S3, EC2, SES, and others. It can be used both on the server side with Node.js and on the client side in browsers.

What are aws4's main functionalities?

Signing HTTP requests

This feature allows you to sign an HTTP request with AWS Signature Version 4. The code sample demonstrates how to sign a GET request to an AWS service.

{"http": "require('http'), "aws4": "require('aws4'), "opts": { "host": "example.amazonaws.com", "path": "/path/to/resource", "method": "GET" }, "signedOpts": "aws4.sign(opts, { accessKeyId: 'YOURKEY', secretAccessKey: 'YOURSECRET' })", "request": "http.request(signedOpts, function(response) { /* handle response */ })"}

Signing requests for AWS Elasticsearch

This feature is used to sign requests to AWS Elasticsearch service. The code sample shows how to sign a GET request to perform a search operation on an Elasticsearch index.

{"aws4": "require('aws4'), "https": "require('https'), "opts": { "host": "search-your-domain.region.es.amazonaws.com", "path": "/your-index/_search", "method": "GET" }, "signedOpts": "aws4.sign(opts, { accessKeyId: 'YOURKEY', secretAccessKey: 'YOURSECRET' })", "request": "https.request(signedOpts, function(response) { /* handle response */ })"}

Signing requests for AWS S3

This feature is used to sign requests to AWS S3 service. The code sample illustrates how to sign a GET request to retrieve an object from an S3 bucket.

{"aws4": "require('aws4'), "https": "require('https'), "opts": { "host": "s3.amazonaws.com", "path": "/bucket/key", "method": "GET" }, "signedOpts": "aws4.sign(opts, { accessKeyId: 'YOURKEY', secretAccessKey: 'YOURSECRET' })", "request": "https.request(signedOpts, function(response) { /* handle response */ })"}

Other packages similar to aws4

aws-sdk

The AWS SDK for JavaScript is a comprehensive library for working with AWS services. It provides a higher-level abstraction over the AWS API compared to aws4. It includes automatic signing of requests, handling of retries, and direct methods for calling AWS services.

aws-signature-v4

This package is specifically designed to create AWS Signature Version 4 signed requests. It is similar to aws4 but may have different API design or additional features for signing requests.

aws-request-signer

This is another package for signing AWS requests with Signature Version 4. It offers functionality similar to aws4 but might have variations in its API or additional utilities for request signing.

README

aws4

A small utility to sign vanilla node.js http(s) request options using Amazon's AWS Signature Version 4.

This signature is supported by an increasing number of Amazon services, including SQS, SNS, IAM, STS, DynamoDB, RDS, CloudWatch, Glacier, CloudSearch, Elastic Load Balancing, CloudFormation, Elastic Beanstalk, Storage Gateway, Data Pipeline, Direct Connect, Redshift, OpsWorks, SES and AutoScaling.

It also provides defaults for a number of core AWS headers and request parameters, making it a very easy to query AWS services, or build out a fully-featured AWS library.

Example

var http  = require('http')
  , https = require('https')
  , aws4  = require('aws4')

// given an options object you could pass to http.request
var opts = { host: 'sqs.us-east-1.amazonaws.com', path: '/?Action=ListQueues' }

aws4.sign(opts) // assumes AWS credentials are available in process.env

console.log(opts)
/*
{
  host: 'sqs.us-east-1.amazonaws.com',
  path: '/?Action=ListQueues',
  headers: {
    Host: 'sqs.us-east-1.amazonaws.com',
    'X-Amz-Date': '20121226T061030Z',
    Authorization: 'AWS4-HMAC-SHA256 Credential=ABCDEF/20121226/us-east-1/sqs/aws4_request, ...'
  }
}
*/

// we can now use this to query AWS using the standard node.js http API
http.request(opts, function(res) { res.pipe(process.stdout) }).end()
/*
<?xml version="1.0"?>
<ListQueuesResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/">
...
*/

More options

// you can pass AWS credentials in explicitly
aws4.sign(opts, { accessKeyId: '', secretAccessKey: '' })

// aws4 can infer the host from a service and region
opts = aws4.sign({ service: 'sqs', region: 'us-east-1', path: '/?Action=ListQueues' })

// create a utility function to pipe to stdout (with https this time)
function request(o) { https.request(o, function(res) { res.pipe(process.stdout) }).end(o.body || '') }

// aws4 can infer the HTTP method if a body is passed in
// method will be POST and Content-Type: 'application/x-www-form-urlencoded; charset=utf-8'
request(aws4.sign({ service: 'iam', body: 'Action=ListGroups&Version=2010-05-08' }))
/*
<ListGroupsResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">
...
*/

// can specify any custom option or header as per usual
request(aws4.sign({
  service: 'dynamodb',
  region: 'ap-southeast-2',
  method: 'POST',
  path: '/',
  headers: {
    'Content-Type': 'application/x-amz-json-1.0',
    'X-Amz-Target': 'DynamoDB_20111205.ListTables'
  },
  body: '{}'
}))
/*
{"TableNames":[]}
...
*/

// works with all other services that support Signature Version 4

request(aws4.sign({ service: 'sns', path: '/?Action=ListTopics' }))
/*
<ListTopicsResponse xmlns="http://sns.amazonaws.com/doc/2010-03-31/">
...
*/

request(aws4.sign({ service: 'sts', path: '/?Action=GetSessionToken&Version=2011-06-15' }))
/*
<GetSessionTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
...
*/

request(aws4.sign({ service: 'glacier', path: '/-/vaults', headers: { 'X-Amz-Glacier-Version': '2012-06-01' } }))
/*
{"Marker":null,"VaultList":[]}
...
*/

request(aws4.sign({ service: 'cloudsearch', path: '/?Action=DescribeDomains' }))
/*
<DescribeDomainsResponse xmlns="http://cloudsearch.amazonaws.com/doc/2011-02-01">
...
*/

request(aws4.sign({ service: 'ses', path: '/?Action=ListIdentities' }))
/*
<ListIdentitiesResponse xmlns="http://ses.amazonaws.com/doc/2010-12-01/">
...
*/

request(aws4.sign({ service: 'autoscaling', path: '/?Action=DescribeAutoScalingInstances&Version=2011-01-01' }))
/*
<DescribeAutoScalingInstancesResponse xmlns="http://autoscaling.amazonaws.com/doc/2011-01-01/">
...
*/

request(aws4.sign({ service: 'elasticloadbalancing', path: '/?Action=DescribeLoadBalancers&Version=2012-06-01' }))
/*
<DescribeLoadBalancersResponse xmlns="http://elasticloadbalancing.amazonaws.com/doc/2012-06-01/">
...
*/

request(aws4.sign({ service: 'cloudformation', path: '/?Action=ListStacks&Version=2010-05-15' }))
/*
<ListStacksResponse xmlns="http://cloudformation.amazonaws.com/doc/2010-05-15/">
...
*/

request(aws4.sign({ service: 'elasticbeanstalk', path: '/?Action=ListAvailableSolutionStacks&Version=2010-12-01' }))
/*
<ListAvailableSolutionStacksResponse xmlns="http://elasticbeanstalk.amazonaws.com/docs/2010-12-01/">
...
*/

request(aws4.sign({ service: 'rds', path: '/?Action=DescribeDBInstances&Version=2012-09-17' }))
/*
<DescribeDBInstancesResponse xmlns="http://rds.amazonaws.com/doc/2012-09-17/">
...
*/

request(aws4.sign({ service: 'monitoring', path: '/?Action=ListMetrics&Version=2010-08-01' }))
/*
<ListMetricsResponse xmlns="http://monitoring.amazonaws.com/doc/2010-08-01/">
...
*/

request(aws4.sign({ service: 'redshift', path: '/?Action=DescribeClusters&Version=2012-12-01' }))
/*
<DescribeClustersResponse xmlns="http://redshift.amazonaws.com/doc/2012-12-01/">
...
*/

request(aws4.sign({ service: 'storagegateway', body: '{}', headers: {
  'Content-Type': 'application/x-amz-json-1.1',
  'X-Amz-Target': 'StorageGateway_20120630.ListGateways'
}}))
/*
{"Gateways":[]}
...
*/

request(aws4.sign({ service: 'datapipeline', body: '{}', headers: {
  'Content-Type': 'application/x-amz-json-1.1',
  'X-Amz-Target': 'DataPipeline.ListPipelines'
}}))
/*
{"hasMoreResults":false,"pipelineIdList":[]}
...
*/

request(aws4.sign({ service: 'directconnect', body: '{}', headers: {
  'Content-Type': 'application/x-amz-json-1.1',
  'X-Amz-Target': 'OvertureService.DescribeConnections'
}}))
/*
{"connections":[]}
...
*/

request(aws4.sign({ service: 'opsworks', body: '{}', headers: {
  'Content-Type': 'application/x-amz-json-1.1',
  'X-Amz-Target': 'OpsWorks_20130218.DescribeInstances'
}}))
/*
{"Instances":[]}
...
*/

API

aws4.sign(requestOptions, [credentials])

This calculates and populates the Authorization header of requestOptions, and any other necessary AWS headers and/or request options. Returns requestOptions as a convenience for chaining.

requestOptions is an object holding the same options that the node.js http.request function takes.

The following properties of requestOptions are used in the signing or populated if they don't already exist:

• hostname or host (will be determined from service and region if not given)
• method (will use 'GET' if not given or 'POST' if there is a body)
• path (will use '/' if not given)
• body (will use '' if not given)
• service (will be calculated from hostname or host if not given)
• region (will be calculated from hostname or host or use 'us-east-1' if not given)
• headers['Host'] (will use hostname or host or be calculated if not given)
• headers['Content-Type'] (will use 'application/x-www-form-urlencoded; charset=utf-8' if not given and there is a body)
• headers['Date'] (used to calculate the signature date if given, otherwise new Date is used)

Your AWS credentials (which can be found in your AWS console) can be specified in one of two ways:

• As the second argument, like this:

aws4.sign(requestOptions, {
  secretAccessKey: "<your-secret-access-key>",
  accessKeyId: "<your-access-key-id>"
})

• From process.env, such as this:

export AWS_SECRET_ACCESS_KEY="<your-secret-access-key>"
export AWS_ACCESS_KEY_ID="<your-access-key-id>"

(will also use AWS_ACCESS_KEY and AWS_SECRET_KEY if available)

Installation

With npm do:

npm install aws4

Thanks

Thanks to @jed for his dynamo-client lib where I first committed and subsequently extracted this code.

Also thanks to the official node.js AWS SDK for giving me a start on implementing the v4 signature.