tessl/pypi-aws-requests-auth
AWS signature version 4 signing process for the python requests module
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-aws-requests-auth@0.4.0index.mddocs/
AWS Requests Auth
AWS signature version 4 signing process implementation for Python requests library. Enables secure authentication to AWS services with comprehensive support for temporary credentials and automatic credential discovery through botocore integration.
Package Information
- Package Name: aws-requests-auth
- Language: Python
- Installation:
pip install aws-requests-auth - Dependencies: requests >= 0.14.0
- Optional Dependencies: botocore (for automatic credential discovery)
Core Imports
from aws_requests_auth.aws_auth import AWSRequestsAuthFor automatic credential discovery:
from aws_requests_auth.boto_utils import BotoAWSRequestsAuth, get_credentialsFor low-level signing utilities (internal use):
from aws_requests_auth.aws_auth import sign, getSignatureKeyBasic Usage
Manual Credential Authentication
import requests
from aws_requests_auth.aws_auth import AWSRequestsAuth
# Create authentication instance with explicit credentials
auth = AWSRequestsAuth(
aws_access_key='YOUR_ACCESS_KEY',
aws_secret_access_key='YOUR_SECRET_KEY',
aws_host='search-service-example.us-east-1.es.amazonaws.com',
aws_region='us-east-1',
aws_service='es'
)
# Use with requests
response = requests.get(
'https://search-service-example.us-east-1.es.amazonaws.com',
auth=auth
)Automatic Credential Discovery
import requests
from aws_requests_auth.boto_utils import BotoAWSRequestsAuth
# Credentials auto-discovered from environment, config files, or IAM role
auth = BotoAWSRequestsAuth(
aws_host='search-service-example.us-east-1.es.amazonaws.com',
aws_region='us-east-1',
aws_service='es'
)
response = requests.get(
'https://search-service-example.us-east-1.es.amazonaws.com',
auth=auth
)Integration with elasticsearch-py
from aws_requests_auth.aws_auth import AWSRequestsAuth
from elasticsearch import Elasticsearch, RequestsHttpConnection
auth = AWSRequestsAuth(
aws_access_key='YOUR_ACCESS_KEY',
aws_secret_access_key='YOUR_SECRET_KEY',
aws_host='search-service-example.us-east-1.es.amazonaws.com',
aws_region='us-east-1',
aws_service='es'
)
es_client = Elasticsearch(
host='search-service-example.us-east-1.es.amazonaws.com',
port=443,
connection_class=RequestsHttpConnection,
http_auth=auth,
use_ssl=True
)Capabilities
Manual Authentication
Primary authentication class for explicit credential management with full control over AWS signature version 4 signing process.
class AWSRequestsAuth(requests.auth.AuthBase):
"""
Auth class for AWS services using signature version 4 signing process.
Implements requests.auth.AuthBase interface.
"""
def __init__(self, aws_access_key, aws_secret_access_key, aws_host,
aws_region, aws_service, aws_token=None):
"""
Initialize authentication with explicit credentials.
Parameters:
- aws_access_key (str): AWS access key ID
- aws_secret_access_key (str): AWS secret access key
- aws_host (str): AWS service hostname (e.g., 'service.region.amazonaws.com')
- aws_region (str): AWS region name (e.g., 'us-east-1')
- aws_service (str): AWS service name (e.g., 'es', 'execute-api')
- aws_token (str, optional): STS temporary credentials token
"""
def __call__(self, r):
"""
Adds AWS signature headers to request.
Called automatically by requests library.
Parameters:
- r (requests.Request): Request object to be signed
Returns:
requests.Request: Modified request with AWS signature headers
"""
def get_aws_request_headers_handler(self, r):
"""
Override point for custom credential handling.
Default implementation uses instance credentials.
Parameters:
- r (requests.Request): Request object
Returns:
dict: Dictionary of AWS authorization headers
"""
def get_aws_request_headers(self, r, aws_access_key, aws_secret_access_key,
aws_token=None):
"""
Generates AWS signature version 4 headers.
Parameters:
- r (requests.Request): Request object
- aws_access_key (str): AWS access key ID
- aws_secret_access_key (str): AWS secret access key
- aws_token (str, optional): STS token
Returns:
dict: Dictionary with Authorization, x-amz-date, x-amz-content-sha256 headers
"""
@classmethod
def get_canonical_path(cls, r):
"""
Creates canonical URI path for AWS signing.
Uses urllib quote with safe chars '/-_.~'
Parameters:
- r (requests.Request): Request object
Returns:
str: URL-encoded canonical path
"""
@classmethod
def get_canonical_querystring(cls, r):
"""
Creates canonical query string for AWS signing.
Assumes query parameters are already URL-encoded.
Sorts parameters by name as required by AWS.
Parameters:
- r (requests.Request): Request object
Returns:
str: Sorted, encoded query string
"""Automatic Credential Discovery
Authentication class that automatically discovers and refreshes AWS credentials using botocore's credential chain.
class BotoAWSRequestsAuth(AWSRequestsAuth):
"""
Auto-refreshing authentication using botocore credential discovery.
Inherits from AWSRequestsAuth with automatic credential management.
Requires botocore package.
"""
def __init__(self, aws_host, aws_region, aws_service):
"""
Initialize with automatic credential discovery.
Credentials found via botocore credential chain:
- Environment variables
- AWS config files
- IAM role
- EC2 instance metadata
Parameters:
- aws_host (str): AWS service hostname
- aws_region (str): AWS region name
- aws_service (str): AWS service name
"""
def get_aws_request_headers_handler(self, r):
"""
Provides fresh credentials for each request.
Automatically refreshes expired credentials.
Parameters:
- r (requests.Request): Request object
Returns:
dict: Dictionary of AWS authorization headers with refreshed credentials
"""
def get_credentials(credentials_obj=None):
"""
Retrieves AWS credentials using botocore session.
Parameters:
- credentials_obj (botocore.credentials, optional): botocore credentials object
If None, creates new session
Returns:
dict: Dictionary with keys:
- aws_access_key (str): Access key ID
- aws_secret_access_key (str): Secret access key
- aws_token (str or None): Session token (None if not using temporary credentials)
"""Low-level Signing Utilities
Core signing functions used internally by AWSRequestsAuth. These are primarily for advanced users implementing custom AWS signature logic.
def sign(key, msg):
"""
HMAC-SHA256 signing utility function.
Used internally for AWS signature generation.
Parameters:
- key (bytes): Signing key as bytes
- msg (str): Message to sign as string
Returns:
bytes: HMAC digest as bytes
"""
def getSignatureKey(key, dateStamp, regionName, serviceName):
"""
Creates AWS Signature Version 4 signing key.
Used internally for AWS signature generation.
Parameters:
- key (str): AWS secret access key
- dateStamp (str): Date stamp in YYYYMMDD format
- regionName (str): AWS region name
- serviceName (str): AWS service name
Returns:
bytes: Signing key as bytes
"""Common Use Cases
AWS Elasticsearch Service
from aws_requests_auth.aws_auth import AWSRequestsAuth
import requests
auth = AWSRequestsAuth(
aws_access_key='YOUR_KEY',
aws_secret_access_key='YOUR_SECRET',
aws_host='search-domain.us-east-1.es.amazonaws.com',
aws_region='us-east-1',
aws_service='es'
)
response = requests.get(
'https://search-domain.us-east-1.es.amazonaws.com/_cluster/health',
auth=auth
)AWS API Gateway with IAM Authentication
from aws_requests_auth.boto_utils import BotoAWSRequestsAuth
import requests
auth = BotoAWSRequestsAuth(
aws_host='api.example.com',
aws_region='us-east-1',
aws_service='execute-api'
)
response = requests.post(
'https://api.example.com/prod/endpoint',
json={'data': 'value'},
auth=auth
)AWS Lambda with Environment Variables
import os
from aws_requests_auth.aws_auth import AWSRequestsAuth
def lambda_handler(event, context):
auth = AWSRequestsAuth(
aws_access_key=os.environ['AWS_ACCESS_KEY_ID'],
aws_secret_access_key=os.environ['AWS_SECRET_ACCESS_KEY'],
aws_token=os.environ['AWS_SESSION_TOKEN'],
aws_host='service.region.amazonaws.com',
aws_region='us-east-1',
aws_service='es'
)
# Use auth with requests...Temporary Security Credentials (STS)
from aws_requests_auth.aws_auth import AWSRequestsAuth
# Include aws_token for STS temporary credentials
auth = AWSRequestsAuth(
aws_access_key='TEMP_ACCESS_KEY',
aws_secret_access_key='TEMP_SECRET_KEY',
aws_token='SESSION_TOKEN', # Required for STS
aws_host='service.region.amazonaws.com',
aws_region='us-east-1',
aws_service='es'
)Error Handling
The authentication classes integrate with requests' error handling. Common issues:
- Invalid credentials: Results in HTTP 403 Forbidden responses
- Incorrect region/service: Results in HTTP 403 with AWS signature mismatch errors
- Missing botocore: ImportError when using BotoAWSRequestsAuth
- Query parameter encoding: Ensure parameters are URL-encoded before reaching canonical_querystring
Cross-Platform Support
- Python 2.7 and 3.x: Full compatibility with automatic import handling
- URL encoding: Handles both Python 2 (urllib) and Python 3 (urllib.parse) imports
- String encoding: Proper handling of unicode strings across Python versions