Class: Google::Auth::ExternalAccount::AwsRequestSigner

Inherits:
Object
Defined in:
lib/googleauth/external_account/aws_credentials.rb

Overview

Implements an AWS request signer based on the AWS Signature Version 4 signing process. https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html

Instance Method Summary

Constructor Details

#initialize(region_name) ⇒ AwsRequestSigner

Instantiates an AWS request signer used to compute authenticated signed requests to AWS APIs based on the AWS Signature Version 4 signing process.

Parameters:

  • region_name (string)

    The AWS region to use.

# File 'lib/googleauth/external_account/aws_credentials.rb', line 219

def initialize region_name
  @region_name = region_name
end

Instance Method Details

#generate_signed_request(aws_credentials, original_request) ⇒ hash{string => string}

Generates the signed request for the provided HTTP request for calling an AWS API. This follows the steps described at: https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html

Parameters:

  • aws_security_credentials (Hash[string, string])

    A dictionary containing the AWS security credentials.

  • url (string)

    The AWS service URL containing the canonical URI and query string.

  • method (string)

    The HTTP method used to call this API.

Returns:

  • (hash{string => string})

    The AWS signed request dictionary object.

# File 'lib/googleauth/external_account/aws_credentials.rb', line 237

def generate_signed_request aws_credentials, original_request
  # Only HTTPS endpoints are accepted; the service name is the first DNS label of the host.
  uri = Addressable::URI.parse original_request[:url]
  raise "Invalid AWS service URL" unless uri.hostname && uri.scheme == "https"
  service_name = uri.host.split(".").first

  # SigV4 timestamps are UTC in ISO 8601 basic format; the date part becomes the credential scope.
  datetime = Time.now.utc.strftime "%Y%m%dT%H%M%SZ"
  date = datetime[0, 8]

  # Headers that will be covered by the signature, built by a helper not shown on this page.
  headers = aws_headers aws_credentials, original_request, datetime

  # The payload hash is computed even for an empty body, so a body-less request is still bound to the signature.
  request_payload = original_request[:data] || ""
  content_sha256 = sha256_hexdigest request_payload

  # Steps 1 and 2 of the SigV4 process: the canonical request, then the string to sign.
  canonical_req = canonical_request original_request[:method], uri, headers, content_sha256
  sts = string_to_sign datetime, canonical_req, service_name

  # Authorization header requires everything else to be properly set up in order to be properly
  # calculated.
  headers["Authorization"] = build_authorization_header headers, sts, aws_credentials, service_name, date

  {
    url: uri.to_s,
    headers: headers,
    method: original_request[:method],
    data: (request_payload unless request_payload.empty?)
  }.compact
end
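The helpers that generate_signed_request delegates to are not shown on this page, so the following is an added, stand-alone Ruby signer (not the gem's own code) that walks the same four SigV4 steps: canonical request, string to sign, signing-key derivation and the Authorization header. The module name, helper names and the shapes of the credential and request hashes are this example's own assumptions, and the timestamp is an explicit argument instead of Time.now so the output is reproducible.

```ruby
require "digest"
require "openssl"
require "uri"
# Stand-alone SigV4 signer mirroring the steps of generate_signed_request above (constructed example).
module SigV4Example
  ALGO = "AWS4-HMAC-SHA256".freeze

  # RFC 3986 encoding as SigV4 requires: space -> %20, '*' -> %2A, '~' left as-is.
  def self.enc(s)
    URI.encode_www_form_component(s).gsub("+", "%20").gsub("*", "%2A").gsub("%7E", "~")
  end

  # Step 1: canonical request = method, path, sorted query, canonical headers,
  # signed-header list and the hex SHA-256 of the payload. Header names must be lowercase.
  def self.canonical_request(method, uri, headers, payload_hash)
    query = URI.decode_www_form(uri.query || "").sort.map { |k, v| "#{enc(k)}=#{enc(v)}" }.join("&")
    canon = headers.map { |k, v| [k.downcase, v.to_s.strip.squeeze(" ")] }.sort
    [method.upcase, uri.path.empty? ? "/" : uri.path, query,
     canon.map { |k, v| "#{k}:#{v}\n" }.join, canon.map(&:first).join(";"), payload_hash].join("\n")
  end

  # Step 2: string to sign binds algorithm, timestamp, credential scope and canonical-request hash.
  def self.string_to_sign(datetime, scope, canonical)
    [ALGO, datetime, scope, Digest::SHA256.hexdigest(canonical)].join("\n")
  end

  # Step 3: derive the signing key by chaining HMACs; the raw secret never goes on the wire.
  def self.signing_key(secret, date, region, service)
    [date, region, service, "aws4_request"].reduce("AWS4#{secret}") { |k, part| OpenSSL::HMAC.digest("sha256", k, part) }
  end

  # Step 4: sign. creds: {access_key_id:, secret_access_key:, session_token:} (assumed shape);
  # request: {url:, method:, data:, headers:}. Returns the same {url, headers, method, data} shape.
  def self.sign(creds, request, region, datetime)
    uri = URI.parse(request[:url])
    raise "Invalid AWS service URL" unless uri.host && uri.scheme == "https"
    service = uri.host.split(".").first
    date = datetime[0, 8]
    headers = (request[:headers] || {}).transform_keys(&:downcase).merge("host" => uri.host, "x-amz-date" => datetime)
    headers["x-amz-security-token"] = creds[:session_token] if creds[:session_token]
    scope = "#{date}/#{region}/#{service}/aws4_request"
    payload = request[:data] || ""
    sts = string_to_sign(datetime, scope, canonical_request(request[:method], uri, headers, Digest::SHA256.hexdigest(payload)))
    sig = OpenSSL::HMAC.hexdigest("sha256", signing_key(creds[:secret_access_key], date, region, service), sts)
    auth = "#{ALGO} Credential=#{creds[:access_key_id]}/#{scope}, SignedHeaders=#{headers.keys.sort.join(';')}, Signature=#{sig}"
    { url: uri.to_s, headers: headers.merge("Authorization" => auth), method: request[:method], data: (payload unless payload.empty?) }.compact
  end
end
```

Because the signature covers host, x-amz-date and the payload hash, a replayed or altered request fails verification on the AWS side, which is why generate_signed_request refuses non-HTTPS URLs and hashes even an empty body.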