v0.40.0

@github-actions github-actions released this 23 May 04:55
· 44 commits to main since this release
817e444

New: AWS Request Signing

The new aws_auth transform re-signs inbound AWS SigV4 requests with real credentials pulled from any registered secret source (env, aws_sm, aws_ssm, 1password, and others). Clients configure their AWS SDK with placeholder credentials and point it at the proxy. The proxy reads the region and service from the inbound credential scope and re-signs the request for that same scope using the real credentials, so a single config entry covers every AWS service the client talks to. Use allowed_regions and allowed_services to restrict which scopes the entry will sign for; by default any region and any service is allowed.

- name: aws_auth
  config:
    access_key_id:     {type: env, var: AWS_ACCESS_KEY_ID}
    secret_access_key: {type: env, var: AWS_SECRET_ACCESS_KEY}
    # allowed_regions:  ["us-east-1", "eu-west-1"]          # optional; default allows any region
    # allowed_services: ["bedrock", "s3", "dynamodb"]       # optional; default allows any service
    # unsigned_payload: false
    # allow_chunked_body: false
    rules:
      - host: "*.amazonaws.com"

Requires MITM mode. Chunked request bodies are rejected (400) unless allow_chunked_body: true. For streaming uploads or cases where the body must not be buffered (S3 multipart, etc.), set unsigned_payload: true.
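
The scope gate described above, as an added Go example (not the project's own code): it pulls the region and service out of an inbound SigV4 Authorization header and applies allowed_regions / allowed_services before any re-signing would happen. The names ParseScope, Gate and allowed are hypothetical, exact case-sensitive matching is an assumption, and the header is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseScope reads Credential=<key>/<date>/<region>/<service>/aws4_request from a SigV4 header.
func ParseScope(authz string) (region, service string, err error) {
	const alg = "AWS4-HMAC-SHA256 "
	if !strings.HasPrefix(authz, alg) {
		return "", "", fmt.Errorf("not a SigV4 Authorization header")
	}
	for _, f := range strings.Split(authz[len(alg):], ",") {
		f = strings.TrimSpace(f)
		if !strings.HasPrefix(f, "Credential=") {
			continue
		}
		p := strings.Split(f[len("Credential="):], "/")
		if len(p) != 5 || p[2] == "" || p[3] == "" || p[4] != "aws4_request" {
			return "", "", fmt.Errorf("malformed credential scope")
		}
		return p[2], p[3], nil
	}
	return "", "", fmt.Errorf("no Credential field")
}

// allowed treats an empty list as "any", the documented default.
func allowed(list []string, v string) bool {
	for _, a := range list {
		if a == v {
			return true
		}
	}
	return len(list) == 0
}

// Gate returns nil only if the inbound scope may be re-signed (exact match assumed).
func Gate(authz string, regions, services []string) error {
	region, service, err := ParseScope(authz)
	if err == nil && !(allowed(regions, region) && allowed(services, service)) {
		err = fmt.Errorf("scope %s/%s is not allowed", region, service)
	}
	return err
}

func main() { // constructed header with placeholder credentials
	h := "AWS4-HMAC-SHA256 Credential=AKIAPLACEHOLDER/20250101/us-east-1/s3/aws4_request, SignedHeaders=host, Signature=00"
	fmt.Println(Gate(h, []string{"eu-west-1"}, nil))
}
```

Because the scope comes from the client's own header, leaving both lists empty lets any client that can reach the proxy obtain a valid signature for any service the real credentials can access.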

Changelog

  • 817e444 feat(transform): add aws_auth for signing AWS requests (#137)
  • e0da83f build(deps): bump goreleaser/goreleaser-action from 7.2.1 to 7.2.2 (#134)
  • 45991aa build(deps): bump google.golang.org/grpc from 1.81.0 to 1.81.1 (#135)