AwsRequestSigning (proto)

This extension has the qualified name envoy.filters.http.aws_request_signing


This extension is functional but has not had substantial production burn time, use only with this caveat.

This extension is not hardened and should only be used in deployments where both the downstream and upstream are trusted.


This extension extends and can be used with the following extension categories:

This extension must be configured with one of the following type URLs:

AwsRequestSigning configuration overview.


[extensions.filters.http.aws_request_signing.v3.AwsRequestSigning proto]

Top level configuration for the AWS request signing filter.

  "service_name": ...,
  "region": ...,
  "host_rewrite": ...,
  "use_unsigned_payload": ...,
  "match_excluded_headers": [],
  "signing_algorithm": ...,
  "query_string": {...}

(string, REQUIRED) The service namespace of the HTTP endpoint.

Example: s3


(string) Optional region string. If region is not provided, the region will be retrieved from the environment or AWS configuration files. See Regions for more details.

When signing_algorithm is set to AWS_SIGV4 the region is a standard AWS region string for the service hosting the HTTP endpoint.

Example: us-west-2

When signing_algorithm is set to AWS_SIGV4A the region is used as a region set.

A region set is a comma separated list of AWS regions, such as us-east-1,us-east-2 or wildcard * or even region strings containing wildcards such as us-east-*

Example: ‘*’

By configuring a region set, a SigV4A signed request can be sent to multiple regions, rather than being valid for only a single region destination.


(string) Indicates that before signing headers, the host header will be swapped with this value. If not set or empty, the original host header value will be used and no rewrite will happen.

Note: this rewrite affects both signing and host header forwarding. However, this option shouldn’t be used with HCM host rewrite given that the value set here would be used for signing whereas the value set in the HCM would be used for host header forwarding which is not the desired outcome.


(bool) Instead of buffering the request to calculate the payload hash, use the literal string UNSIGNED-PAYLOAD to calculate the payload hash. Not all services support this option. See the S3 policy for details.


(repeated type.matcher.v3.StringMatcher) A list of request header string matchers that will be excluded from signing. The excluded header can be matched by any patterns defined in the StringMatcher proto (e.g. exact string, prefix, regex, etc).

Example: match_excluded_headers: - prefix: x-envoy - exact: foo - exact: bar When applied, all headers that start with “x-envoy” and headers “foo” and “bar” will not be signed.


(extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.SigningAlgorithm) Optional Signing algorithm specifier, either AWS_SIGV4 or AWS_SIGV4A, defaulting to AWS_SIGV4.


(extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.QueryString) If set, use the query string to store output of SigV4 or SigV4A calculation, rather than HTTP headers. The Authorization header will not be modified if query_string is configured.

Example: query_string: {}


[extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.QueryString proto]

  "expiration_time": {...}

(Duration) Optional expiration time for the query string parameters. As query string parameter based requests are replayable, in effect representing an API call that has already been authenticated, it is recommended to keep this expiration time as short as feasible. This value will default to 5 seconds and has a maximum value of 3600 seconds (1 hour).

Enum extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.SigningAlgorithm

[extensions.filters.http.aws_request_signing.v3.AwsRequestSigning.SigningAlgorithm proto]


(DEFAULT) ⁣Use SigV4 for signing


⁣Use SigV4A for signing


[extensions.filters.http.aws_request_signing.v3.AwsRequestSigningPerRoute proto]

  "aws_request_signing": {...},
  "stat_prefix": ...

(extensions.filters.http.aws_request_signing.v3.AwsRequestSigning) Override the global configuration of the filter with this new config. This overrides the entire message of AwsRequestSigning and not at field level.


(string, REQUIRED) The human readable prefix to use when emitting stats.