AwsRequestSigning (proto)

This extension has the qualified name envoy.filters.http.aws_request_signing


This extension is functional but has not had substantial production burn time; use only with this caveat.

This extension is not hardened and should only be used in deployments where both the downstream and upstream are trusted.


This extension extends and can be used with the following extension category:

This extension must be configured with one of the following type URLs:

AwsRequestSigning configuration overview.


Top level configuration for the AWS request signing filter.

{
  "service_name": ...,
  "region": ...,
  "host_rewrite": ...,
  "use_unsigned_payload": ...,
  "match_excluded_headers": []
}

service_name
(string, REQUIRED) The service namespace of the HTTP endpoint.

Example: s3


region
(string, REQUIRED) The region hosting the HTTP endpoint.

Example: us-west-2


host_rewrite
(string) Indicates that before signing headers, the host header will be swapped with this value. If not set or empty, the original host header value will be used and no rewrite will happen.

Note: this rewrite affects both signing and host header forwarding. However, this option shouldn't be used together with the HTTP connection manager (HCM) host rewrite: the value set here would be used for signing, whereas the value set in the HCM would be used for host header forwarding, which is not the desired outcome.


use_unsigned_payload
(bool) Instead of buffering the request to calculate the payload hash, use the literal string UNSIGNED-PAYLOAD to calculate the payload hash. Not all services support this option. See the S3 policy for details.


match_excluded_headers
(repeated type.matcher.v3.StringMatcher) A list of request header string matchers that will be excluded from signing. An excluded header can be matched by any of the patterns defined in the StringMatcher proto (e.g. exact string, prefix, regex).

Example:

  match_excluded_headers:
  - prefix: x-envoy
  - exact: foo
  - exact: bar

When applied, all headers that start with "x-envoy" and the headers "foo" and "bar" will not be signed.
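The sketch below is an added example, not Envoy's code: a simplified SigV4-style signer showing what the signature stops covering when use_unsigned_payload is set or a header matches match_excluded_headers. The secret, date, host name, request and the sign/excluded helpers are constructed for illustration, and only the prefix and exact matchers are modelled.

```python
import hashlib
import hmac

# Constructed sample credentials and request; none of these values come from Envoy.
SECRET = "EXAMPLE-SECRET-KEY"
AMZ_DATE = "20240101T000000Z"
REQ = dict(method="PUT", path="/bucket/key",
           headers={"Host": "example-bucket.s3.us-west-2.amazonaws.com",
                    "x-envoy-internal": "true", "foo": "1"},
           service_name="s3", region="us-west-2")
EXCLUDE = [("prefix", "x-envoy"), ("exact", "foo"), ("exact", "bar")]


def excluded(name, matchers):
    """Simplified StringMatcher: only 'prefix' and 'exact' are modelled."""
    return any(
        (kind == "prefix" and name.startswith(value)) or (kind == "exact" and name == value)
        for kind, value in matchers
    )


def sign(method, path, headers, body, service_name, region,
         use_unsigned_payload=False, match_excluded_headers=()):
    """Return (signed_header_names, signature) for a SigV4-style request."""
    payload_hash = ("UNSIGNED-PAYLOAD" if use_unsigned_payload
                    else hashlib.sha256(body).hexdigest())
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["x-amz-content-sha256"] = payload_hash  # modelled as a signed header
    hdrs["x-amz-date"] = AMZ_DATE
    names = sorted(n for n in hdrs if not excluded(n, match_excluded_headers))
    canonical = "\n".join([
        method, path, "",  # empty canonical query string
        "".join(f"{n}:{hdrs[n]}\n" for n in names),
        ";".join(names), payload_hash,
    ])
    date = AMZ_DATE[:8]
    scope = f"{date}/{region}/{service_name}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + SECRET).encode()
    for part in (date, region, service_name, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return names, hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
```

Headers left out of the signed set, and the body when use_unsigned_payload is true, can change after signing without invalidating the signature, so the receiving service should not treat them as authenticated.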