
Add AWS Sigv4 authentication with credential providers and LocalStack integration tests#288

Merged
moshloop merged 3 commits into master from copilot/add-aws-sigv4-auth-option
Feb 23, 2026


Copilot AI commented Feb 19, 2026

Adds AWS Signature Version 4 authentication for http.Client to enable requests to AWS services (S3, API Gateway, Lambda, etc.) with comprehensive credential provider support and LocalStack integration testing.

Implementation

  • AuthConfig: Extended with AWS credentials (access key, secret key, session token, region, service, endpoint, credentials provider)
  • Client API: Added multiple authentication methods:
    • AWSAuth() - Static credentials
    • AWSSessionToken() - Temporary credentials support
    • AWSAuthWithCredentialsProvider() - Dynamic credential lookup from environment, config files, profiles, IAM roles
    • AWSEndpoint() - Custom endpoints for LocalStack and AWS-compatible services
  • Middleware: Created middlewares/aws_sigv4.go using github.com/aws/aws-sdk-go-v2/aws/signer/v4 for request signing with support for both static credentials and credential providers

Credential Provider Support

The implementation supports AWS credential lookup from:

  • Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION)
  • AWS config/credentials files (~/.aws/config, ~/.aws/credentials)
  • AWS profiles (named profiles from configuration)
  • IAM roles (EC2/ECS instance metadata)

Integration Testing

  • LocalStack Integration: Complete test suite using LocalStack for local AWS service testing
  • Test Method: Uses AWS STS GetCallerIdentity API for testing authentication (simple, stateless, no resource cleanup needed)
  • Test Coverage: Static credentials, environment variables, credential providers, session tokens, AWS SDK verification
  • Docker Compose: Included docker-compose.yml in http/testdata/ for easy LocalStack setup
  • Documentation: Comprehensive testing guide in http/testdata/README.md

Dependency Impact

  • Added: 14 packages (+13.5%)
    • Core: github.com/aws/aws-sdk-go-v2 v1.41.1, github.com/aws/smithy-go v1.24.0
    • Credential providers: aws-sdk-go-v2/config v1.32.9, aws-sdk-go-v2/credentials v1.19.9
    • Test dependencies: aws-sdk-go-v2/service/sts v1.41.6 and related packages
  • Total: 104 → 118 dependencies
  • Rationale: AWS SDK v2 config and credentials packages are required for credential provider support (environment variables, config files, profiles, IAM roles). The STS SDK is used only in integration tests for authentication verification.

Usage

// Static credentials
client := http.NewClient().
    AWSAuth(accessKeyID, secretAccessKey, "us-east-1", "s3")

// With session token (temporary credentials)
client := http.NewClient().
    AWSAuth(accessKeyID, secretAccessKey, "us-east-1", "s3").
    AWSSessionToken(sessionToken)

// Using credential providers (environment, config files, profiles, IAM roles)
cfg, _ := awsconfig.LoadDefaultConfig(ctx)
client := http.NewClient().
    AWSAuthWithCredentialsProvider(cfg.Credentials, "us-east-1", "s3")

// With AWS profile
cfg, _ := awsconfig.LoadDefaultConfig(ctx,
    awsconfig.WithSharedConfigProfile("myprofile"))
client := http.NewClient().
    AWSAuthWithCredentialsProvider(cfg.Credentials, "us-east-1", "s3")

// LocalStack (for testing)
client := http.NewClient().
    AWSAuth("test", "test", "us-east-1", "sts").
    AWSEndpoint("localhost:4566")

// Making requests
resp, err := client.R(ctx).Get("https://mybucket.s3.amazonaws.com/object")

Running Integration Tests

# Start LocalStack
docker-compose -f http/testdata/docker-compose.yml up -d

# Run integration tests
go test -v -run TestAWSAuthIntegrationWithLocalStack ./http

Original prompt

This section details the original issue you should resolve

<issue_title>http.Client add AWS Sigv4 auth option</issue_title>
<issue_description>- Use minimal dependencies

  • Report increase in dependency count and size in the PR </issue_description>

Comments on the Issue (you are @copilot in this section)


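What a SigV4 signing middleware like the one described above has to compute for each request, as an added stdlib-only Go example; it is not code from this PR or from aws-sdk-go-v2. The `Sign` helper, its fixed set of signed headers and the constructed LocalStack-style request are assumptions for illustration.

```go
// Added example, not the PR's middleware: stdlib-only SigV4 header signing.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"
	"time"
)

func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

func hashHex(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// Sign (hypothetical helper) signs host, x-amz-date, the optional session token and the
// body hash. Simplified: no path double-encoding, values of repeated query keys unsorted.
func Sign(r *http.Request, body []byte, akid, secret, token, region, service string, t time.Time) string {
	amzDate, date := t.UTC().Format("20060102T150405Z"), t.UTC().Format("20060102")
	r.Header.Set("X-Amz-Date", amzDate)
	hdrs, signed := "host:"+r.Host+"\nx-amz-date:"+amzDate+"\n", "host;x-amz-date"
	if token != "" { // temporary credentials: the token is sent and covered by the signature
		r.Header.Set("X-Amz-Security-Token", token)
		hdrs, signed = hdrs+"x-amz-security-token:"+token+"\n", signed+";x-amz-security-token"
	}
	path := "/" + strings.TrimPrefix(r.URL.EscapedPath(), "/")
	query := strings.ReplaceAll(r.URL.Query().Encode(), "+", "%20")
	creq := strings.Join([]string{r.Method, path, query, hdrs, signed, hashHex(body)}, "\n")
	scope := date + "/" + region + "/" + service + "/aws4_request"
	// The secret is never sent; it only seeds a key scoped to one day, region and service.
	key := mac(mac(mac(mac([]byte("AWS4"+secret), date), region), service), "aws4_request")
	sig := hex.EncodeToString(mac(key, "AWS4-HMAC-SHA256\n"+amzDate+"\n"+scope+"\n"+hashHex([]byte(creq))))
	r.Header.Set("Authorization", "AWS4-HMAC-SHA256 Credential="+akid+"/"+scope+
		", SignedHeaders="+signed+", Signature="+sig)
	return sig
}

func main() {
	form := "Action=GetCallerIdentity&Version=2011-06-15" // constructed STS request for LocalStack
	r, _ := http.NewRequest("POST", "http://localhost:4566/", strings.NewReader(form))
	fmt.Println(Sign(r, []byte(form), "test", "test", "", "us-east-1", "sts", time.Now()))
	fmt.Println(r.Header.Get("Authorization"))
}
```

Because the region, service, host, body hash and session token all feed the signature, a request signed for one service or endpoint does not verify against another, and a body altered in transit fails verification.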


CLAassistant commented Feb 19, 2026

CLA assistant check
All committers have signed the CLA.

Copilot AI changed the title from "[WIP] Add AWS Sigv4 auth option for http.Client" to "Add AWS Sigv4 authentication to http.Client" Feb 19, 2026
Copilot AI requested a review from moshloop February 19, 2026 12:36
@moshloop
Member

@copilot Add integration test with localstack + test various credential lookups + profiles / roles

Author

Copilot AI commented Feb 19, 2026

@copilot Add integration test with localstack + test various credential lookups + profiles / roles

Added comprehensive LocalStack integration tests and credential provider support in commit 1159005.

Features added:

  • ✅ LocalStack integration test with S3 operations (bucket creation, object put/get)
  • ✅ Credential provider support (environment variables, config files, profiles, IAM roles)
  • ✅ Tests for static credentials, environment variables, and credential providers
  • ✅ Session token support for temporary credentials
  • ✅ Custom endpoint support via AWSEndpoint() method
  • ✅ Docker Compose configuration for LocalStack
  • ✅ Test documentation in http/testdata/README.md

New methods:

  • AWSAuthWithCredentialsProvider(provider, region, service) - for dynamic credential lookup
  • AWSEndpoint(endpoint) - for custom endpoints (e.g., localhost:4566)

Running integration tests:

# Start LocalStack
docker-compose -f http/testdata/docker-compose.yml up -d

# Run tests
go test -v -run TestAWSAuthIntegrationWithLocalStack ./http

Note: Dependency count increased from 104 to 123 (+19) due to AWS config/credentials packages required for credential provider support.

Copilot AI changed the title from "Add AWS Sigv4 authentication to http.Client" to "Add AWS Sigv4 authentication with credential providers and LocalStack integration tests" Feb 19, 2026
moshloop marked this pull request as ready for review February 20, 2026 06:42
@moshloop
Member

@copilot fix lint errors and switch to testing with aws sts get-caller-identity

Author

Copilot AI commented Feb 20, 2026

@copilot fix lint errors and switch to testing with aws sts get-caller-identity

Fixed lint errors and switched to STS GetCallerIdentity tests in commit b1fff44.

Changes made:

  • Lint errors fixed: Code is now gofmt compliant (no formatting issues)
  • Switched to STS GetCallerIdentity: Replaced S3 bucket/object tests with STS GetCallerIdentity API calls
  • Reduced dependencies: Removed S3 SDK dependency (118 total dependencies, down from 123)
  • Updated LocalStack config: docker-compose.yml now only starts STS service
  • Updated documentation: README reflects STS usage and benefits

Why STS GetCallerIdentity?

  • Simple, read-only operation that requires no setup
  • No resource creation/cleanup needed
  • Faster and more reliable than S3 tests
  • Tests pure authentication without side effects
  • Works with all credential types (static, env vars, profiles, IAM roles)

All tests passing including:

  • Unit tests for AWS auth configuration
  • Credential provider configuration tests
  • Integration tests (skip gracefully when LocalStack unavailable)

- Fork henvic/httpretty into logger/httpretty to remove external dependency
- Update imports in logger/http.go and http/middlewares/logger.go
moshloop force-pushed the copilot/add-aws-sigv4-auth-option branch from 1f446bc to d4a1180 February 23, 2026 08:14
- Add AWSSigv4 transport middleware for signing requests
- Add AWSAuthSigV4(), AWSService(), AWSEndpoint() builder methods
- Add Auth trace flag for auth middleware logging
- Add OAuth trace logging for token operations
- Improve nil safety in Request.Debug() and Response.Debug()
- Remove deps module and main.go (moved to cmd/hx)
- Add unit and integration tests for AWS SigV4
- Add cmd/hx: HTTP client CLI with rich output formatting
- Add hx-test.yml workflow for CI testing
- Add hx binary build and release jobs to release.yml
moshloop force-pushed the copilot/add-aws-sigv4-auth-option branch from d4a1180 to 56d6ea1 February 23, 2026 08:23
moshloop merged commit 133f41e into master Feb 23, 2026
5 checks passed
moshloop deleted the copilot/add-aws-sigv4-auth-option branch February 23, 2026 08:27
@github-actions

🎉 This PR is included in version 1.45.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀


Development

Successfully merging this pull request may close these issues.

http.Client add AWS Sigv4 auth option
