awsv4signer is a fork of the aws-sdk-go v4 signer that allows you to provide your own HMAC hasher. The envisioned use case is to let you store your AWS secret access key in hardware (a TPM) that supports HMAC operations, so the key itself never has to be held in process memory.

aws-sdk-go allows you to replace the request signer on a per-service basis.
```go
package main

import (
	"fmt"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/aws/signer/v4"
	"github.com/aws/aws-sdk-go/service/s3"
	// the import path of this module is not given here; replace the placeholder
	"PLACEHOLDER_MODULE_PATH/awsv4signer"
)

func listBucket(accessKeyID, secretAccessKey, region, bucket string) {
	// StaticAccessKeyHmac keeps the secret in memory; a hardware-backed hasher
	// (see examples/tpmsigner) can be supplied here instead.
	s := awsv4signer.Signer{
		AccessKeyID:               accessKeyID,
		SecretAccessKeyHmacSha256: awsv4signer.StaticAccessKeyHmac(secretAccessKey),
	}
	sess := session.New(&aws.Config{
		Region: aws.String(region),
	})
	svc := s3.New(sess)
	// remove the default v4 signing handler
	svc.Handlers.Sign.RemoveByName(v4.SignRequestHandler.Name)
	// add our signing handler
	svc.Handlers.Sign.PushBack(s.SignSDKRequest)
	resp, err := svc.ListObjects(&s3.ListObjectsInput{
		Bucket: aws.String(bucket),
	})
	if err != nil {
		panic(err)
	}
	for _, obj := range resp.Contents {
		fmt.Printf("%s\n", *obj.Key)
	}
}
```
The above example can be found in examples/s3ls.
For a working example of storing your secret access key in your TPM, see examples/tpmsigner.
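Why a hasher that only returns HMAC outputs is enough for SigV4, shown as an added example (my own Go code, not part of this project; the FirstHmac interface is hypothetical and not the project's SecretAccessKeyHmacSha256 type): only the first HMAC in the signing-key derivation needs the raw secret, so the derived keys can be handled in software while the secret stays in the TPM. The expected signing key is the worked example from the AWS SigV4 documentation.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// FirstHmac is the only HMAC in the SigV4 key derivation that needs the raw
// secret: HMAC-SHA256("AWS4"+secret, date). Hypothetical interface for this
// example; the project's own field type may differ.
type FirstHmac interface {
	HmacSha256(data []byte) []byte
}

type softwareHmac struct{ secret string } // secret held in process memory (StaticAccessKeyHmac case)

func (s softwareHmac) HmacSha256(data []byte) []byte {
	return hmacSha256([]byte("AWS4"+s.secret), data)
}

// sealedHmac stands in for a TPM-resident key: callers receive HMAC outputs but
// never the key bytes. Simulated here with an unexported field.
type sealedHmac struct{ k []byte }

func NewSealedHmac(secret string) sealedHmac { return sealedHmac{k: []byte("AWS4" + secret)} }
func (s sealedHmac) HmacSha256(data []byte) []byte { return hmacSha256(s.k, data) }

func hmacSha256(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// DeriveSigningKey runs the SigV4 chain. Only the first step touches the secret;
// kDate, kRegion and kService are derived keys that software may hold freely.
func DeriveSigningKey(h FirstHmac, date, region, service string) []byte {
	kDate := h.HmacSha256([]byte(date))
	kRegion := hmacSha256(kDate, []byte(region))
	kService := hmacSha256(kRegion, []byte(service))
	return hmacSha256(kService, []byte("aws4_request"))
}

func main() {
	secret := "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" // AWS documentation example key
	sw := DeriveSigningKey(softwareHmac{secret}, "20150830", "us-east-1", "iam")
	hw := DeriveSigningKey(NewSealedHmac(secret), "20150830", "us-east-1", "iam")
	fmt.Println(hex.EncodeToString(sw), hmac.Equal(sw, hw))
}
```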
Code in internal/awssign is derived from https://github.com/aws/aws-sdk-go. Copyright for that code can be found in NOTICE.txt.
This work was inspired by @salrashid123's demo in https://github.com/salrashid123/aws_hmac.