/
aws_request_signing.proto
66 lines (55 loc) · 2.94 KB
/
aws_request_signing.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
syntax = "proto3";
package envoy.extensions.filters.http.aws_request_signing.v3;
import "envoy/type/matcher/v3/string.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.filters.http.aws_request_signing.v3";
option java_outer_classname = "AwsRequestSigningProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/aws_request_signing/v3;aws_request_signingv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: AwsRequestSigning]
// AwsRequestSigning :ref:`configuration overview <config_http_filters_aws_request_signing>`.
// [#extension: envoy.filters.http.aws_request_signing]
// Top level configuration for the AWS request signing filter.
// [#next-free-field: 6]
message AwsRequestSigning {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.aws_request_signing.v2alpha.AwsRequestSigning";
// The `service namespace
// <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#genref-aws-service-namespaces>`_
// of the HTTP endpoint.
//
// Example: s3
string service_name = 1 [(validate.rules).string = {min_len: 1}];
// The `region <https://docs.aws.amazon.com/general/latest/gr/rande.html>`_ hosting the HTTP
// endpoint.
//
// Example: us-west-2
string region = 2 [(validate.rules).string = {min_len: 1}];
// Indicates that before signing headers, the host header will be swapped with
// this value. If not set or empty, the original host header value
// will be used and no rewrite will happen.
//
// Note: this rewrite affects both signing and host header forwarding. However, this
// option shouldn't be used with
// :ref:`HCM host rewrite <envoy_v3_api_field_config.route.v3.RouteAction.host_rewrite_literal>` given that the
// value set here would be used for signing whereas the value set in the HCM would be used
// for host header forwarding which is not the desired outcome.
string host_rewrite = 3;
// Instead of buffering the request to calculate the payload hash, use the literal string ``UNSIGNED-PAYLOAD``
// to calculate the payload hash. Not all services support this option. See the `S3
// <https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html>`_ policy for details.
bool use_unsigned_payload = 4;
// A list of request header string matchers that will be excluded from signing. The excluded header can be matched by
// any patterns defined in the StringMatcher proto (e.g. exact string, prefix, regex, etc).
//
// Example:
// match_excluded_headers:
// - prefix: x-envoy
// - exact: foo
// - exact: bar
// When applied, all headers that start with "x-envoy" and headers "foo" and "bar" will not be signed.
repeated type.matcher.v3.StringMatcher match_excluded_headers = 5;
}