AWS Request Signing
This filter should be configured with the type URL
type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigning
.
Attention
The AWS request signing filter is experimental and is currently under active development.
The HTTP AWS request signing filter is used to access authenticated AWS services. It uses the existing AWS Credential Provider to get the secrets used for generating the required headers.
The use_unsigned_payload option determines whether or not requests are buffered so the request body can be used to compute the payload hash. Some services, such as S3, allow requests with unsigned payloads. Consult the AWS documentation and your service’s resource policies to determine if this option is appropriate.
When use_unsigned_payload is false (the default), requests which exceed the configured buffer limit will receive a 413 response. See the ref:flow control docs <faq_flow_control> for details.
The match_excluded_headers
option allows excluding certain request headers from being signed. This usually applies to headers that are likely to mutate or
are added later such as in retries. By default, the headers x-forwarded-for
, x-forwarded-proto
, and x-amzn-trace-id
are always excluded.
Example configuration
Example filter configuration:
25 http_filters:
26 - name: envoy.filters.http.aws_request_signing
27 typed_config:
28 "@type": type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigning
29 service_name: s3
30 region: us-west-2
31 use_unsigned_payload: true
32 match_excluded_headers:
33 - prefix: x-envoy
34 - prefix: x-forwarded
35 - exact: x-amzn-trace-id
Note that this filter also supports per route configuration:
20 routes:
21 - match:
22 prefix: "/"
23 route:
24 cluster: versioned-cluster
25 typed_per_filter_config:
26 envoy.filters.http.aws_request_signing:
27 "@type": type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigningPerRoute
28 aws_request_signing:
29 service_name: s3
30 region: us-west-1
31 use_unsigned_payload: true
32 host_rewrite: new-host
33 match_excluded_headers:
34 - prefix: x-envoy
35 - prefix: x-forwarded
36 - exact: x-amzn-trace-id
37 stat_prefix: some-prefix
Above shows an example of route-level config overriding the config on the virtual-host level.
Credentials
The filter uses a few different credentials providers to obtain an AWS access key ID, AWS secret access key, and AWS session token. It moves through the credentials providers in the order described below, stopping when one of them returns an access key ID and a secret access key (the session token is optional).
Environment variables. The environment variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN are used.
The AWS credentials file. The environment variables AWS_SHARED_CREDENTIALS_FILE and AWS_PROFILE are respected if they are set, else the file ‘~/.aws/credentials’ and profile ‘default’ are used. The fields ‘aws_access_key_id’, ‘aws_secret_access_key’, and ‘aws_session_token’ defined for the profile in the credentials file are used. These credentials are cached for 1 hour.
Either EC2 instance metadata or ECS task metadata. For EC2 instance metadata, the fields ‘AccessKeyId’, ‘SecretAccessKey’, and ‘Token’ are used, and credentials are cached for 1 hour. For ECS task metadata, the fields AccessKeyId’, ‘SecretAccessKey’, and ‘Token’ are used, and credentials are cached for 1 hour or until they expire (according to the field ‘Expiration’).
Statistics
The AWS request signing filter outputs statistics in the http.<stat_prefix>.aws_request_signing. namespace. The stat prefix comes from the owning HTTP connection manager.
Name |
Type |
Description |
---|---|---|
signing_added |
Counter |
Total requests for which signing succeeded (includes payload_signing_added) |
signing_failed |
Counter |
Total requests for which signing failed (includes payload_signing_failed) |
payload_signing_added |
Counter |
Total requests for which the payload was buffered signing succeeded |
payload_signing_failed |
Counter |
Total requests for which the payload was buffered but signing failed |