AWS Signature 4 Auth Dynamic Value (Paw Extension)
A Paw Extension to compute AWS Signature version 4 authentication signatures for the accessing the main AWS services including REST APIs build using AWS API Gateway that are protected using IAM.
To install AWS Signature 4 authentication go to the Paw Extension page and click the "Install Extension" button.
For each request, add a header
Authorization and set the value to this extension (start typing "AWS" and select AWS Signature 4 or right-click on the value and choose Extensions > AWS Signature 4). Enter your credentials by clicking on the dynamic value extension. The AWS Access and Secret keys are required. If you leave the other fields blank they will use the defaults indicated.
Use X-Amz-Content-Sha256 header? option allows you to override the default content hashing behavior (primarily for binary payloads). Due to a limitation of the Paw extension API, the content of a request is always returned as a string to the extension. However, sha-256 hashing for the AWS API must be done on the binary data. In these cases, set the header and check this option so the header value is used for the content hash. Implementation thanks to @jimdelois.
Add a second header
X-Amz-Date. Set the value to custom timestamp (start typing "timestamp" and select the Custom formatting timestamp option or right click the value and select Timestamp > Custom formatting). Enter a custom timestamp format by clicking on the dynamic value extension, and selecting
Custom formatting from the format. Enter the value
%G%m%dT%H%M%SZ for the format. Make sure
Now is checked, delta is 0, and
local time is unchecked. AWS requires the time be within a few seconds of server time in UTC (not local time).
Optionally, you can set a
Host header to set the "host" value used in the signature calculation if it differs from the host used in the request URI. This use-case can occur when tunneling requests to the AWS API endpoints.
If you don't have something to test against, follow the Getting Started guide for the API Gateway service to create a basic "hello world" API. Make sure that the API is protected by IAM security by choosing "authorization type" of
AWS IAM in the console when configuring the method.
This extension was developed to test in-house API Gateway REST APIs. However, AWS Signature 4 is used to protect all the standard AWS service endpoints. By ensuring you have the correct
aws service setting for the extension you can manually call any of the AWS service endpoints using Paw.
Note: if you are a user of STS temporary credentials, you will also need a header
- Freeze dynamic values to obtain X-Amz-Date as generated and sent to client (will help with debugging and eliminates an edge case where the AWS signature can be generated in a different second than the X-Amz-Date).
- Need binary a version of HMAC SHA256 crypto function. Currently, the extension uses CryptJS which is fairly slow.
- If the Paw extension API supports it, correctly hash binary payloads and remove the
Use X-Amz-Content-Sha256 header?option.
- Update Makefile to support installing to both the standard and the Setapp versions of Paw.
Note: if you installed Paw using Setapp you will need to modify the Makefile to include the setapp specific container name (com.luckymarmot.Paw-setapp).
This Paw Extension is licensed under the MIT License. Feel free to fork, and modify!