AWS Request Signing

  • This filter should be configured with the type URL type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.

  • v3 API reference

Attention

The AWS request signing filter is experimental and is currently under active development.

The HTTP AWS request signing filter is used to access authenticated AWS services. It uses the existing AWS Credential Provider to get the secrets used for generating the required headers.

The use_unsigned_payload option determines whether or not requests are buffered so the request body can be used to compute the payload hash. Some services, such as S3, allow requests with unsigned payloads. Consult the AWS documentation and your service’s resource policies to determine if this option is appropriate.

When use_unsigned_payload is false (the default), requests which exceed the configured buffer limit will receive a 413 response. See the ref:flow control docs <faq_flow_control> for details.

The match_excluded_headers option allows excluding certain request headers from being signed. This usually applies to headers that are likely to mutate or are added later such as in retries. By default, the headers x-forwarded-for, x-forwarded-proto, and x-amzn-trace-id are always excluded.

Example configuration

Example filter configuration:

name: envoy.filters.http.aws_request_signing
typed_config:
  "@type": type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigning
  service_name: s3
  region: us-west-2
  use_unsigned_payload: true
  match_excluded_headers:
  - prefix: x-envoy
  - prefix: x-forwarded
  - exact: x-amzn-trace-id

Statistics

The AWS request signing filter outputs statistics in the http.<stat_prefix>.aws_request_signing. namespace. The stat prefix comes from the owning HTTP connection manager.

Name

Type

Description

signing_added

Counter

Total requests for which signing succeeded (includes payload_signing_added)

signing_failed

Counter

Total requests for which signing failed (includes payload_signing_failed)

payload_signing_added

Counter

Total requests for which the payload was buffered signing succeeded

payload_signing_failed

Counter

Total requests for which the payload was buffered but signing failed