AWS / Amazon Signature v4 Signing Process authentication plugin for HTTPie.
$ pip install --upgrade httpie-aws-authv4
You should now see aws4 under --auth-type / -A in $ http --help output.
This authentication plugin looks for credentials in the same precedence that the AWS CLI tool does.
$ http --auth-type aws4 https://asdf123a9sas.execute-api.ap-southeast-2.amazonaws.com/dev/test
Using the --auth parameter, you can specify explicit parameters to be used in the calculation of the Sigv4 signature.
$ http --auth-type aws4 --auth access_key=AWSACCESSKEYXXX,secret_key=AWSSECRETKEYXXX,service=execute-api,region=ap-southeast-2 https://asdf123a9sas.execute-api.ap-southeast-2.amazonaws.com/dev/test
The following arguments are supported via the --auth flag. They can be referenced via their full or short name for convenience.
- access_key (ak) - AWS Access Key.
- secret_key (sk) - AWS Secret Key.
- profile (p) - AWS profile to use.
- domain (d) - Domain name to use when signing the request.
- service (s) - AWS service name to use when signing the request (ie,
execute-api). - region (r) - AWS region the endpoint is located in.
You can specify another profile than the default profile:
$ http --auth-type aws4 --auth profile=XXX https://asdf123a9sas.execute-api.ap-southeast-2.amazonaws.com/dev/test
If for some reason you are not hitting the AWS endpoint directly (common with API Gateway), you will need to specify the AWS provided service and region:
$ http --auth-type aws4 --auth s=execute-api,r=eu-west-1 https://api.awesomeservice.net/dev/test
$ http --auth-type aws4 --auth service=execute-api,region=eu-west-1 https://api.awesomeservice.net/dev/test
Instead of specifying service and region you can specify domain which is then parsed.
$ http --auth-type aws4 --auth d=asdf123a9sas.execute-api.ap-southeast-2.amazonaws.com https://api.awesomeservice.net/dev/test
$ http --auth-type aws4 --auth domain=asdf123a9sas.execute-api.ap-southeast-2.amazonaws.com https://api.awesomeservice.net/dev/test
$ http --auth-type aws4 --auth ak=ACCESSKEYXXX,sk=AWSSECRETKEYXXX,d=asdf123a9sas.execute-api.ap-southeast-2.amazonaws.com https://api.awesomeservice.net/dev/test
$ http --auth-type aws4 --auth access_key=ACCESSKEYXXX,secret_key=AWSSECRETKEYXXX,domain=asdf123a9sas.execute-api.ap-southeast-2.amazonaws.com https://api.awesomeservice.net/dev/test
$ http --auth-type aws4 --auth p=XXX,d=asdf123a9sas.execute-api.ap-southeast-2.amazonaws.com https://api.awesomeservice.net/dev/test
$ http --auth-type aws4 --auth profile=XXX,domain=asdf123a9sas.execute-api.ap-southeast-2.amazonaws.com https://api.awesomeservice.net/dev/test
Many AWS services do not require any extra information to be passed other than the URL, such as the following call to the S3 service which will list all S3 Buckets in the given AWS account:
http -A aws4 s3.us-east-1.amazonaws.com
However, some AWS services will require extra information to be passed using query string parameters. By default, httpie passes
extra parameters as a JSON body. httpie can be told to pass extra parameters as form fields using the -f flag like so:
$ http -f -A aws4 ec2.us-east-1.amazonaws.com Action=DescribeVpcs Version=2015-10-01
where the Action and Version parameters were passed to the EC2 service to call the DescribeVpcs API.
Alternatively instead of using the -f flag, == can be used for each parameter like so:
$ http -A aws4 ec2.us-east-1.amazonaws.com Action==DescribeVpcs Version==2015-10-01
All of the heavy lifting (the signing process) is handled by aws-requests-auth