1aws4 2---- 3 4[](http://travis-ci.org/mhart/aws4) 5 6A small utility to sign vanilla node.js http(s) request options using Amazon's 7[AWS Signature Version 4](http://docs.amazonwebservices.com/general/latest/gr/signature-version-4.html). 8 9Can also be used [in the browser](./browser). 10 11This signature is supported by nearly all Amazon services, including 12[S3](http://docs.aws.amazon.com/AmazonS3/latest/API/), 13[EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/), 14[DynamoDB](http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/API.html), 15[Kinesis](http://docs.aws.amazon.com/kinesis/latest/APIReference/), 16[Lambda](http://docs.aws.amazon.com/lambda/latest/dg/API_Reference.html), 17[SQS](http://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/), 18[SNS](http://docs.aws.amazon.com/sns/latest/api/), 19[IAM](http://docs.aws.amazon.com/IAM/latest/APIReference/), 20[STS](http://docs.aws.amazon.com/STS/latest/APIReference/), 21[RDS](http://docs.aws.amazon.com/AmazonRDS/latest/APIReference/), 22[CloudWatch](http://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/), 23[CloudWatch Logs](http://docs.aws.amazon.com/AmazonCloudWatchLogs/latest/APIReference/), 24[CodeDeploy](http://docs.aws.amazon.com/codedeploy/latest/APIReference/), 25[CloudFront](http://docs.aws.amazon.com/AmazonCloudFront/latest/APIReference/), 26[CloudTrail](http://docs.aws.amazon.com/awscloudtrail/latest/APIReference/), 27[ElastiCache](http://docs.aws.amazon.com/AmazonElastiCache/latest/APIReference/), 28[EMR](http://docs.aws.amazon.com/ElasticMapReduce/latest/API/), 29[Glacier](http://docs.aws.amazon.com/amazonglacier/latest/dev/amazon-glacier-api.html), 30[CloudSearch](http://docs.aws.amazon.com/cloudsearch/latest/developerguide/APIReq.html), 31[Elastic Load Balancing](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/APIReference/), 32[Elastic Transcoder](http://docs.aws.amazon.com/elastictranscoder/latest/developerguide/api-reference.html), 33[CloudFormation](http://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/), 34[Elastic Beanstalk](http://docs.aws.amazon.com/elasticbeanstalk/latest/api/), 35[Storage Gateway](http://docs.aws.amazon.com/storagegateway/latest/userguide/AWSStorageGatewayAPI.html), 36[Data Pipeline](http://docs.aws.amazon.com/datapipeline/latest/APIReference/), 37[Direct Connect](http://docs.aws.amazon.com/directconnect/latest/APIReference/), 38[Redshift](http://docs.aws.amazon.com/redshift/latest/APIReference/), 39[OpsWorks](http://docs.aws.amazon.com/opsworks/latest/APIReference/), 40[SES](http://docs.aws.amazon.com/ses/latest/APIReference/), 41[SWF](http://docs.aws.amazon.com/amazonswf/latest/apireference/), 42[AutoScaling](http://docs.aws.amazon.com/AutoScaling/latest/APIReference/), 43[Mobile Analytics](http://docs.aws.amazon.com/mobileanalytics/latest/ug/server-reference.html), 44[Cognito Identity](http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/), 45[Cognito Sync](http://docs.aws.amazon.com/cognitosync/latest/APIReference/), 46[Container Service](http://docs.aws.amazon.com/AmazonECS/latest/APIReference/), 47[AppStream](http://docs.aws.amazon.com/appstream/latest/developerguide/appstream-api-rest.html), 48[Key Management Service](http://docs.aws.amazon.com/kms/latest/APIReference/), 49[Config](http://docs.aws.amazon.com/config/latest/APIReference/), 50[CloudHSM](http://docs.aws.amazon.com/cloudhsm/latest/dg/api-ref.html), 51[Route53](http://docs.aws.amazon.com/Route53/latest/APIReference/requests-rest.html) and 52[Route53 Domains](http://docs.aws.amazon.com/Route53/latest/APIReference/requests-rpc.html). 53 54Indeed, the only AWS services that *don't* support v4 as of 2014-12-30 are 55[Import/Export](http://docs.aws.amazon.com/AWSImportExport/latest/DG/api-reference.html) and 56[SimpleDB](http://docs.aws.amazon.com/AmazonSimpleDB/latest/DeveloperGuide/SDB_API.html) 57(they only support [AWS Signature Version 2](https://github.com/mhart/aws2)). 58 59It also provides defaults for a number of core AWS headers and 60request parameters, making it very easy to query AWS services, or 61build out a fully-featured AWS library. 62 63Example 64------- 65 66```javascript 67var http = require('http'), 68 https = require('https'), 69 aws4 = require('aws4') 70 71// given an options object you could pass to http.request 72var opts = {host: 'sqs.us-east-1.amazonaws.com', path: '/?Action=ListQueues'} 73 74// alternatively (as aws4 can infer the host): 75opts = {service: 'sqs', region: 'us-east-1', path: '/?Action=ListQueues'} 76 77// alternatively (as us-east-1 is default): 78opts = {service: 'sqs', path: '/?Action=ListQueues'} 79 80aws4.sign(opts) // assumes AWS credentials are available in process.env 81 82console.log(opts) 83/* 84{ 85 host: 'sqs.us-east-1.amazonaws.com', 86 path: '/?Action=ListQueues', 87 headers: { 88 Host: 'sqs.us-east-1.amazonaws.com', 89 'X-Amz-Date': '20121226T061030Z', 90 Authorization: 'AWS4-HMAC-SHA256 Credential=ABCDEF/20121226/us-east-1/sqs/aws4_request, ...' 91 } 92} 93*/ 94 95// we can now use this to query AWS using the standard node.js http API 96http.request(opts, function(res) { res.pipe(process.stdout) }).end() 97/* 98<?xml version="1.0"?> 99<ListQueuesResponse xmlns="http://queue.amazonaws.com/doc/2012-11-05/"> 100... 101*/ 102``` 103 104More options 105------------ 106 107```javascript 108// you can also pass AWS credentials in explicitly (otherwise taken from process.env) 109aws4.sign(opts, {accessKeyId: '', secretAccessKey: ''}) 110 111// can also add the signature to query strings 112aws4.sign({service: 's3', path: '/my-bucket?X-Amz-Expires=12345', signQuery: true}) 113 114// create a utility function to pipe to stdout (with https this time) 115function request(o) { https.request(o, function(res) { res.pipe(process.stdout) }).end(o.body || '') } 116 117// aws4 can infer the HTTP method if a body is passed in 118// method will be POST and Content-Type: 'application/x-www-form-urlencoded; charset=utf-8' 119request(aws4.sign({service: 'iam', body: 'Action=ListGroups&Version=2010-05-08'})) 120/* 121<ListGroupsResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/"> 122... 123*/ 124 125// can specify any custom option or header as per usual 126request(aws4.sign({ 127 service: 'dynamodb', 128 region: 'ap-southeast-2', 129 method: 'POST', 130 path: '/', 131 headers: { 132 'Content-Type': 'application/x-amz-json-1.0', 133 'X-Amz-Target': 'DynamoDB_20120810.ListTables' 134 }, 135 body: '{}' 136})) 137/* 138{"TableNames":[]} 139... 140*/ 141 142// works with all other services that support Signature Version 4 143 144request(aws4.sign({service: 's3', path: '/', signQuery: true})) 145/* 146<ListAllMyBucketsResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"> 147... 148*/ 149 150request(aws4.sign({service: 'ec2', path: '/?Action=DescribeRegions&Version=2014-06-15'})) 151/* 152<DescribeRegionsResponse xmlns="http://ec2.amazonaws.com/doc/2014-06-15/"> 153... 154*/ 155 156request(aws4.sign({service: 'sns', path: '/?Action=ListTopics&Version=2010-03-31'})) 157/* 158<ListTopicsResponse xmlns="http://sns.amazonaws.com/doc/2010-03-31/"> 159... 160*/ 161 162request(aws4.sign({service: 'sts', path: '/?Action=GetSessionToken&Version=2011-06-15'})) 163/* 164<GetSessionTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"> 165... 166*/ 167 168request(aws4.sign({service: 'cloudsearch', path: '/?Action=ListDomainNames&Version=2013-01-01'})) 169/* 170<ListDomainNamesResponse xmlns="http://cloudsearch.amazonaws.com/doc/2013-01-01/"> 171... 172*/ 173 174request(aws4.sign({service: 'ses', path: '/?Action=ListIdentities&Version=2010-12-01'})) 175/* 176<ListIdentitiesResponse xmlns="http://ses.amazonaws.com/doc/2010-12-01/"> 177... 178*/ 179 180request(aws4.sign({service: 'autoscaling', path: '/?Action=DescribeAutoScalingInstances&Version=2011-01-01'})) 181/* 182<DescribeAutoScalingInstancesResponse xmlns="http://autoscaling.amazonaws.com/doc/2011-01-01/"> 183... 184*/ 185 186request(aws4.sign({service: 'elasticloadbalancing', path: '/?Action=DescribeLoadBalancers&Version=2012-06-01'})) 187/* 188<DescribeLoadBalancersResponse xmlns="http://elasticloadbalancing.amazonaws.com/doc/2012-06-01/"> 189... 190*/ 191 192request(aws4.sign({service: 'cloudformation', path: '/?Action=ListStacks&Version=2010-05-15'})) 193/* 194<ListStacksResponse xmlns="http://cloudformation.amazonaws.com/doc/2010-05-15/"> 195... 196*/ 197 198request(aws4.sign({service: 'elasticbeanstalk', path: '/?Action=ListAvailableSolutionStacks&Version=2010-12-01'})) 199/* 200<ListAvailableSolutionStacksResponse xmlns="http://elasticbeanstalk.amazonaws.com/docs/2010-12-01/"> 201... 202*/ 203 204request(aws4.sign({service: 'rds', path: '/?Action=DescribeDBInstances&Version=2012-09-17'})) 205/* 206<DescribeDBInstancesResponse xmlns="http://rds.amazonaws.com/doc/2012-09-17/"> 207... 208*/ 209 210request(aws4.sign({service: 'monitoring', path: '/?Action=ListMetrics&Version=2010-08-01'})) 211/* 212<ListMetricsResponse xmlns="http://monitoring.amazonaws.com/doc/2010-08-01/"> 213... 214*/ 215 216request(aws4.sign({service: 'redshift', path: '/?Action=DescribeClusters&Version=2012-12-01'})) 217/* 218<DescribeClustersResponse xmlns="http://redshift.amazonaws.com/doc/2012-12-01/"> 219... 220*/ 221 222request(aws4.sign({service: 'cloudfront', path: '/2014-05-31/distribution'})) 223/* 224<DistributionList xmlns="http://cloudfront.amazonaws.com/doc/2014-05-31/"> 225... 226*/ 227 228request(aws4.sign({service: 'elasticache', path: '/?Action=DescribeCacheClusters&Version=2014-07-15'})) 229/* 230<DescribeCacheClustersResponse xmlns="http://elasticache.amazonaws.com/doc/2014-07-15/"> 231... 232*/ 233 234request(aws4.sign({service: 'elasticmapreduce', path: '/?Action=DescribeJobFlows&Version=2009-03-31'})) 235/* 236<DescribeJobFlowsResponse xmlns="http://elasticmapreduce.amazonaws.com/doc/2009-03-31"> 237... 238*/ 239 240request(aws4.sign({service: 'route53', path: '/2013-04-01/hostedzone'})) 241/* 242<ListHostedZonesResponse xmlns="https://route53.amazonaws.com/doc/2013-04-01/"> 243... 244*/ 245 246request(aws4.sign({service: 'appstream', path: '/applications'})) 247/* 248{"_links":{"curie":[{"href":"http://docs.aws.amazon.com/appstream/latest/... 249... 250*/ 251 252request(aws4.sign({service: 'cognito-sync', path: '/identitypools'})) 253/* 254{"Count":0,"IdentityPoolUsages":[],"MaxResults":16,"NextToken":null} 255... 256*/ 257 258request(aws4.sign({service: 'elastictranscoder', path: '/2012-09-25/pipelines'})) 259/* 260{"NextPageToken":null,"Pipelines":[]} 261... 262*/ 263 264request(aws4.sign({service: 'lambda', path: '/2014-11-13/functions/'})) 265/* 266{"Functions":[],"NextMarker":null} 267... 268*/ 269 270request(aws4.sign({service: 'ecs', path: '/?Action=ListClusters&Version=2014-11-13'})) 271/* 272<ListClustersResponse xmlns="http://ecs.amazonaws.com/doc/2014-11-13/"> 273... 274*/ 275 276request(aws4.sign({service: 'glacier', path: '/-/vaults', headers: {'X-Amz-Glacier-Version': '2012-06-01'}})) 277/* 278{"Marker":null,"VaultList":[]} 279... 280*/ 281 282request(aws4.sign({service: 'storagegateway', body: '{}', headers: { 283 'Content-Type': 'application/x-amz-json-1.1', 284 'X-Amz-Target': 'StorageGateway_20120630.ListGateways' 285}})) 286/* 287{"Gateways":[]} 288... 289*/ 290 291request(aws4.sign({service: 'datapipeline', body: '{}', headers: { 292 'Content-Type': 'application/x-amz-json-1.1', 293 'X-Amz-Target': 'DataPipeline.ListPipelines' 294}})) 295/* 296{"hasMoreResults":false,"pipelineIdList":[]} 297... 298*/ 299 300request(aws4.sign({service: 'opsworks', body: '{}', headers: { 301 'Content-Type': 'application/x-amz-json-1.1', 302 'X-Amz-Target': 'OpsWorks_20130218.DescribeStacks' 303}})) 304/* 305{"Stacks":[]} 306... 307*/ 308 309request(aws4.sign({service: 'route53domains', body: '{}', headers: { 310 'Content-Type': 'application/x-amz-json-1.1', 311 'X-Amz-Target': 'Route53Domains_v20140515.ListDomains' 312}})) 313/* 314{"Domains":[]} 315... 316*/ 317 318request(aws4.sign({service: 'kinesis', body: '{}', headers: { 319 'Content-Type': 'application/x-amz-json-1.1', 320 'X-Amz-Target': 'Kinesis_20131202.ListStreams' 321}})) 322/* 323{"HasMoreStreams":false,"StreamNames":[]} 324... 325*/ 326 327request(aws4.sign({service: 'cloudtrail', body: '{}', headers: { 328 'Content-Type': 'application/x-amz-json-1.1', 329 'X-Amz-Target': 'CloudTrail_20131101.DescribeTrails' 330}})) 331/* 332{"trailList":[]} 333... 334*/ 335 336request(aws4.sign({service: 'logs', body: '{}', headers: { 337 'Content-Type': 'application/x-amz-json-1.1', 338 'X-Amz-Target': 'Logs_20140328.DescribeLogGroups' 339}})) 340/* 341{"logGroups":[]} 342... 343*/ 344 345request(aws4.sign({service: 'codedeploy', body: '{}', headers: { 346 'Content-Type': 'application/x-amz-json-1.1', 347 'X-Amz-Target': 'CodeDeploy_20141006.ListApplications' 348}})) 349/* 350{"applications":[]} 351... 352*/ 353 354request(aws4.sign({service: 'directconnect', body: '{}', headers: { 355 'Content-Type': 'application/x-amz-json-1.1', 356 'X-Amz-Target': 'OvertureService.DescribeConnections' 357}})) 358/* 359{"connections":[]} 360... 361*/ 362 363request(aws4.sign({service: 'kms', body: '{}', headers: { 364 'Content-Type': 'application/x-amz-json-1.1', 365 'X-Amz-Target': 'TrentService.ListKeys' 366}})) 367/* 368{"Keys":[],"Truncated":false} 369... 370*/ 371 372request(aws4.sign({service: 'config', body: '{}', headers: { 373 'Content-Type': 'application/x-amz-json-1.1', 374 'X-Amz-Target': 'StarlingDoveService.DescribeDeliveryChannels' 375}})) 376/* 377{"DeliveryChannels":[]} 378... 379*/ 380 381request(aws4.sign({service: 'cloudhsm', body: '{}', headers: { 382 'Content-Type': 'application/x-amz-json-1.1', 383 'X-Amz-Target': 'CloudHsmFrontendService.ListAvailableZones' 384}})) 385/* 386{"AZList":["us-east-1a","us-east-1b","us-east-1c"]} 387... 388*/ 389 390request(aws4.sign({ 391 service: 'swf', 392 body: '{"registrationStatus":"REGISTERED"}', 393 headers: { 394 'Content-Type': 'application/x-amz-json-1.0', 395 'X-Amz-Target': 'SimpleWorkflowService.ListDomains' 396 } 397})) 398/* 399{"domainInfos":[]} 400... 401*/ 402 403request(aws4.sign({ 404 service: 'cognito-identity', 405 body: '{"MaxResults": 1}', 406 headers: { 407 'Content-Type': 'application/x-amz-json-1.1', 408 'X-Amz-Target': 'AWSCognitoIdentityService.ListIdentityPools' 409 } 410})) 411/* 412{"IdentityPools":[]} 413... 414*/ 415 416request(aws4.sign({ 417 service: 'mobileanalytics', 418 path: '/2014-06-05/events', 419 body: JSON.stringify({events:[{ 420 eventType: 'a', 421 timestamp: new Date().toISOString(), 422 session: {}, 423 }]}), 424 headers: { 425 'Content-Type': 'application/json', 426 'X-Amz-Client-Context': JSON.stringify({ 427 client: {client_id: 'a', app_title: 'a'}, 428 custom: {}, 429 env: {platform: 'a'}, 430 services: {}, 431 }), 432 } 433})) 434/* 435(HTTP 202, empty response) 436*/ 437 438// Generate CodeCommit Git access password 439var signer = new aws4.RequestSigner({ 440 service: 'codecommit', 441 host: 'git-codecommit.us-east-1.amazonaws.com', 442 method: 'GIT', 443 path: '/v1/repos/MyAwesomeRepo', 444}) 445var password = signer.getDateTime() + 'Z' + signer.signature() 446``` 447 448API 449--- 450 451### aws4.sign(requestOptions, [credentials]) 452 453This calculates and populates the `Authorization` header of 454`requestOptions`, and any other necessary AWS headers and/or request 455options. Returns `requestOptions` as a convenience for chaining. 456 457`requestOptions` is an object holding the same options that the node.js 458[http.request](http://nodejs.org/docs/latest/api/http.html#http_http_request_options_callback) 459function takes. 460 461The following properties of `requestOptions` are used in the signing or 462populated if they don't already exist: 463 464- `hostname` or `host` (will be determined from `service` and `region` if not given) 465- `method` (will use `'GET'` if not given or `'POST'` if there is a `body`) 466- `path` (will use `'/'` if not given) 467- `body` (will use `''` if not given) 468- `service` (will be calculated from `hostname` or `host` if not given) 469- `region` (will be calculated from `hostname` or `host` or use `'us-east-1'` if not given) 470- `headers['Host']` (will use `hostname` or `host` or be calculated if not given) 471- `headers['Content-Type']` (will use `'application/x-www-form-urlencoded; charset=utf-8'` 472 if not given and there is a `body`) 473- `headers['Date']` (used to calculate the signature date if given, otherwise `new Date` is used) 474 475Your AWS credentials (which can be found in your 476[AWS console](https://portal.aws.amazon.com/gp/aws/securityCredentials)) 477can be specified in one of two ways: 478 479- As the second argument, like this: 480 481```javascript 482aws4.sign(requestOptions, { 483 secretAccessKey: "<your-secret-access-key>", 484 accessKeyId: "<your-access-key-id>", 485 sessionToken: "<your-session-token>" 486}) 487``` 488 489- From `process.env`, such as this: 490 491``` 492export AWS_SECRET_ACCESS_KEY="<your-secret-access-key>" 493export AWS_ACCESS_KEY_ID="<your-access-key-id>" 494export AWS_SESSION_TOKEN="<your-session-token>" 495``` 496 497(will also use `AWS_ACCESS_KEY` and `AWS_SECRET_KEY` if available) 498 499The `sessionToken` property and `AWS_SESSION_TOKEN` environment variable are optional for signing 500with [IAM STS temporary credentials](http://docs.aws.amazon.com/STS/latest/UsingSTS/using-temp-creds.html). 501 502Installation 503------------ 504 505With [npm](http://npmjs.org/) do: 506 507``` 508npm install aws4 509``` 510 511Can also be used [in the browser](./browser). 512 513Thanks 514------ 515 516Thanks to [@jed](https://github.com/jed) for his 517[dynamo-client](https://github.com/jed/dynamo-client) lib where I first 518committed and subsequently extracted this code. 519 520Also thanks to the 521[official node.js AWS SDK](https://github.com/aws/aws-sdk-js) for giving 522me a start on implementing the v4 signature. 523 524
){kind=link}