RFC: Module to Sign Requests

[stephenbawks]

Is this related to an existing feature request or issue?

#2435

Which Powertools for AWS Lambda (Python) utility does this relate to?

Other

Summary

A new submodule would be used for signing requests.

Use case

Initially, my use case was for signing requests with SigV4 to talk to an endpoint that is using IAM policies in VPC Lattice.

Proposal

Started to create a new submodule in PowerTools to sign requests to endpoint and services that require SigV4 or IAM auth. I wanted to try and make the signing process easier since it's not always intuitive or easy.

Currently I am thinking that this initial change will mainly be for SigV4 signing. There is also SigV4A which I am thinking will be a different class from this one. The class name I have at the moment is AWSSigV4Auth so in the previous thought, I would may add another one that might be called AWSSigV4AAuth which now that I have written that down sounds confusing so I am open to suggestions on the naming here.

New class named AWSSigV4Auth that will handle SigV4 signing of requests.

A new enum that will handle the AWS Service Prefixes that are needed for IAM.
https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
This will also abstract all the correct service prefixes that are needed and make it easier for people to just specify the service they want to talk to and it will figure out the rest.

VPC Lattice and API/HTTP API are some of the main services I would like to get this working with.

There are some conditional services like VPC Lattice as a good example that require the payload to NOT be signed so the enum from above will also help with that condition.

Out of scope

Not sure at this point.

Potential challenges

The issue was raised that maybe this module might also be used for other things that include requesting JWT tokens and possibly doing other forms of auth in the future.

Dependencies and Integrations

No response

Alternative solutions

No response

Acknowledgment

• This feature request meets Powertools for AWS Lambda (Python) Tenets
• Should this be considered in other Powertools for AWS Lambda languages? i.e. Java, TypeScript, and .NET

[heitorlessa]

hey @stephenbawks thanks a lot for creating the RFC so we can spend more time in the design -- for reference, this is how we typically triage RFCs along with some good ones.

Firstly, we definitely want to do this. It's a common pain point for everyone.

At face value, the RFC doesn't tell us much. Within a RFC, we need to have a good grasp of trade-offs, the developer experience, and factors we took into consideration to get to this proposal.

For example, this RFC can be improved by answering the following questions:

• What are the differences or gaps between SigV4Auth and the well-known aws-requests-auth library?
• Does the design take into account future extension to other Auth mechanisms? e.g., JWT, bring your own
• How does the experience look like from the customer point of view?
  • As a customer, I'd like to sign a HTTP request to send to an Amazon API Gateway endpoint (or VPC Lattice, AppSync etc)
  • As a customer, I'd like to sign a HTTP request using my temporary credentials
  • As a customer, I don't always remember the correct AWS service endpoint/name to sign my request (hint: Enum)
  • As a customer, I'd like to only provide the absolutely minimum information necessary to get my request signed
  • As a customer, I'd like to sign a HTTP request to an endpoint in a separate region

Let us know if you need help and we're happy to co-author.

Thank you!

[stephenbawks]

I will add some additional details and thoughts.

[heitorlessa]

adding status to on-hold until we launch v3 and complete Observability Providers. Adding help wanted as we'd love to hear more feedback from customers too.

[stephenbawks]

@heitorlessa

Just making sure I am on the same page, as of today the aws-requests-auth library is not included in Powertools correct?