AwsRequestSigning (proto)
This extension has the qualified name envoy.filters.http.aws_request_signing.
Note
This extension is functional but has not had substantial production burn time, use only with this caveat.
This extension is not hardened and should only be used in deployments where both the downstream and upstream are trusted.
Tip
This extension extends and can be used with the following extension categories:
This extension must be configured with one of the following type URLs:
AwsRequestSigning configuration overview.
extensions.filters.http.aws_request_signing.v3.AwsRequestSigning
[extensions.filters.http.aws_request_signing.v3.AwsRequestSigning proto]
Top level configuration for the AWS request signing filter.
{
"service_name": ...,
"region": ...,
"host_rewrite": ...,
"use_unsigned_payload": ...,
"match_excluded_headers": [],
"signing_algorithm": ...,
"query_string": {...}
}
- service_name
(string, REQUIRED) The service namespace of the HTTP endpoint.
Example: s3
- region
(string) Optional region string. If region is not provided, the region will be retrieved from the environment or AWS configuration files. See Regions for more details.
When signing_algorithm is set to AWS_SIGV4, the region is a standard AWS region string for the service hosting the HTTP endpoint. Example: us-west-2
When signing_algorithm is set to AWS_SIGV4A, the region is used as a region set. A region set is a comma separated list of AWS regions, such as us-east-1,us-east-2, or the wildcard *, or even region strings containing wildcards such as us-east-*. Example: '*'
By configuring a region set, a SigV4A signed request can be sent to multiple regions, rather than being valid for only a single region destination.
- host_rewrite
(string) Indicates that before signing headers, the host header will be swapped with this value. If not set or empty, the original host header value will be used and no rewrite will happen.
Note: this rewrite affects both signing and host header forwarding. However, this option shouldn’t be used with HCM host rewrite given that the value set here would be used for signing whereas the value set in the HCM would be used for host header forwarding which is not the desired outcome.
- use_unsigned_payload
(bool) Instead of buffering the request to calculate the payload hash, use the literal string UNSIGNED-PAYLOAD to calculate the payload hash. Not all services support this option. See the S3 policy for details.
- match_excluded_headers
(repeated type.matcher.v3.StringMatcher) A list of request header string matchers that will be excluded from signing. The excluded header can be matched by any patterns defined in the StringMatcher proto (e.g. exact string, prefix, regex, etc).
Example:
match_excluded_headers:
- prefix: x-envoy
- exact: foo
- exact: bar
When applied, all headers that start with "x-envoy" and the headers "foo" and "bar" will not be signed.
- signing_algorithm
(extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.SigningAlgorithm) Optional signing algorithm specifier, either AWS_SIGV4 or AWS_SIGV4A, defaulting to AWS_SIGV4.
- query_string
(extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.QueryString) If set, use the query string to store the output of the SigV4 or SigV4A calculation, rather than HTTP headers. The Authorization header will not be modified if query_string is configured. Example: query_string: {}
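The following is an added example, not configuration taken from the Envoy documentation or the Envoy project: a listener-level http_filters chain that signs requests to S3 with SigV4 using the fields described above. The "type.googleapis.com/envoy." type URL prefix, the trailing router filter and the bucket hostname are assumptions made for the example.

```yaml
# Added example (not from the Envoy docs page): an HTTP connection manager
# filter chain that signs outbound requests to S3 with SigV4 before the
# router forwards them. The "type.googleapis.com/envoy." type URL prefix,
# the router filter and the bucket hostname are assumed for this example.
http_filters:
- name: envoy.filters.http.aws_request_signing
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigning
    service_name: s3              # REQUIRED: AWS service namespace
    region: us-west-2             # a single region string under AWS_SIGV4
    signing_algorithm: AWS_SIGV4
    # Sign against the hostname the upstream expects instead of the client's
    # Host header. Do not combine this with an HCM-level host rewrite, or
    # signing and forwarding would see different values.
    host_rewrite: example-bucket.s3.us-west-2.amazonaws.com
    # Avoid buffering large uploads; S3 accepts UNSIGNED-PAYLOAD.
    use_unsigned_payload: true
    # Headers that Envoy adds or that change per hop must be left out of
    # the signature, otherwise the upstream's recomputed signature differs.
    match_excluded_headers:
    - prefix: x-envoy
    - exact: x-forwarded-for
    - exact: x-request-id
- name: envoy.filters.http.router
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
```

Because region is set explicitly, the filter does not fall back to the environment or AWS configuration files for it. The excluded-header list is the part most worth reviewing in a deployment: any header that a downstream proxy can inject, or that Envoy rewrites after signing, belongs there, or the upstream will reject the request with a signature mismatch.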
extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.QueryString
[extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.QueryString proto]
{
"expiration_time": {...}
}
- expiration_time
(Duration) Optional expiration time for the query string parameters. As query string parameter based requests are replayable, in effect representing an API call that has already been authenticated, it is recommended to keep this expiration time as short as feasible. This value will default to 5 seconds and has a maximum value of 3600 seconds (1 hour).
Enum extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.SigningAlgorithm
[extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.SigningAlgorithm proto]
- AWS_SIGV4
(DEFAULT) Use SigV4 for signing
- AWS_SIGV4A
Use SigV4A for signing
extensions.filters.http.aws_request_signing.v3.AwsRequestSigningPerRoute
[extensions.filters.http.aws_request_signing.v3.AwsRequestSigningPerRoute proto]
{
"aws_request_signing": {...},
"stat_prefix": ...
}
- aws_request_signing
(extensions.filters.http.aws_request_signing.v3.AwsRequestSigning) Override the global configuration of the filter with this new config. This overrides the entire message of AwsRequestSigning and not at field level.
- stat_prefix
(string, REQUIRED) The human readable prefix to use when emitting stats.
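The following is an added example, not configuration taken from the Envoy documentation or the Envoy project; it illustrates both the QueryString message above and this per-route override. It shows a route that replaces the listener-level filter configuration with a SigV4A region set and moves the signature into the query string with a short expiration. The route and cluster names and the "type.googleapis.com/envoy." type URL prefix are assumptions made for the example.

```yaml
# Added example (not from the Envoy docs page): a route-level override that
# switches to SigV4A with a wildcard region set and carries the signature in
# query string parameters. Route name, cluster name and the
# "type.googleapis.com/envoy." prefix are assumed for this example.
route_config:
  name: local_route
  virtual_hosts:
  - name: backend
    domains: ["*"]
    routes:
    - match:
        prefix: "/presigned/"
      route:
        cluster: s3_upstream
      typed_per_filter_config:
        envoy.filters.http.aws_request_signing:
          "@type": type.googleapis.com/envoy.extensions.filters.http.aws_request_signing.v3.AwsRequestSigningPerRoute
          stat_prefix: presigned_s3   # REQUIRED: stats prefix for this route's signer
          # This replaces the listener-level AwsRequestSigning message as a
          # whole, so every field this route needs must be restated here.
          aws_request_signing:
            service_name: s3
            signing_algorithm: AWS_SIGV4A
            region: "us-east-*"       # region set: valid in any us-east region
            query_string:
              # Query-signed requests stay replayable until they expire, so
              # keep this well under the 3600s maximum (5s is the default).
              expiration_time: 5s
```

Note that the Authorization header is left untouched on this route because query_string is configured; the signature lives in the forwarded URL, and anyone who can read that URL within the expiration window can replay the call. Keep the window as short as the upstream's clock skew tolerance allows.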