Commit 23d0e31

add post for signing curl requests
1 parent a72824c commit 23d0e31

1 file changed

+94
-0
lines changed

_posts/2025-02-14-AWSSigning_Curl.md

+94
@@ -0,0 +1,94 @@
1+
---
2+
layout: post
3+
title: Signing AWS Requests with Curl
4+
# date element overrides date in title format.
5+
tag:
6+
- AWS
7+
- curl
8+
---
9+
10+
All requests to AWS APIs must be signed using [AWS Signature Version 4
11+
(SigV4)][1]. While the [AWS SDK libraries][2] and the [AWS CLI][3] will handle
12+
this for you, external HTTP client libraries are on their own to support the
13+
[SigV4 signing process][5].
14+
15+
This matters if you have built an application using API Gateway and IAM
16+
authorization. Client requests, whether it be from a mobile application or
17+
testing script, need to be signed. Fortunately, the open-source community has
18+
contributed support for SigV4 in many popular HTTP libraries (e.g., [Python's
19+
Requests][3], [Dart's Dio][4]). Notably, the command line tool, [`curl`][6],
20+
has a native support for AWS signing.
21+
22+
The curl incantation is tricky enough that I have to google and fuss about it a
23+
bit to get it right. Here are some common ways of signing your requests with
24+
curl.
25+
26+
If you are still using long-term access keys this will do:
27+
```bash
28+
curl \
29+
--request POST \
30+
--user "$AWS_ACCESS_KEY:$AWS_SECRET_ACCESS_KEY" \
31+
--aws-sigv4 "aws:amz:us-east-1:execute-api" \
32+
--header "Content-Type: application/json" \
33+
"$URL"
34+
```
35+
36+
Of course, that approach is [no longer recommended][8], and you should use
37+
short-lived credentials. With short-lived credentials you'll have to include
38+
session information with you temporary access and secret key.
39+
```bash
40+
curl \
41+
--request POST \
42+
--user "$AWS_ACCESS_KEY:$AWS_SECRET_ACCESS_KEY" \
43+
--aws-sigv4 "aws:amz:us-east-1:execute-api" \
44+
--header "x-amz-security-token: $AWS_SESSION_TOKEN" \
45+
--header "Content-Type: application/json" \
46+
"$URL"
47+
```
48+
49+
`AWS_ACCESS_KEY`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN` are probably
50+
not in your environment. If you have programatic access (via the CLI) to the
51+
AWS account the API is in, and your permissions are sufficient, you can use the
52+
values in cached by the AWS CLI cache after a login.
53+
54+
```bash
55+
ls -lt ~/.aws/cli/cache
56+
```
57+
58+
You will likely want the most recent file there.
59+
60+
Better still is to use the CLI itself to get at those values.
61+
62+
```bash
63+
aws configure export-credentials --format process
64+
```
65+
66+
You can parse the json output of that command and automate the steps needed to
67+
run your curl. Note, the aws CLI won't respect the `--query` option for the
68+
`export-credentials` command - I presume to avoid piping sensitive data to
69+
external processes - so you will have to parse the output with a tool you
70+
trust. I use `jq` in the command below.
71+
72+
73+
```bash
74+
curl
75+
--request POST \
76+
--aws-sigv4 "aws:amz:us-east-1:execute-api" \
77+
--user "$(aws configure export-credentials --format process | jq -r .AccessKeyId):$(aws configure export-credentials --format process | jq -r .SecretAccessKey)" \
78+
--header "x-amz-security-token: $(aws configure export-credentials --format process | jq -r .SessionToken)" \
79+
--header "Content-Type: application/json" \
80+
"$URL"
81+
```
82+
83+
And there you have it. Not the fastest but I think [it looks pretty good][9].
84+
85+
86+
[1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html
87+
[2]: https://aws.amazon.com/developer/
88+
[3]: https://github.com/DavidMuller/aws-requests-auth
89+
[4]: https://github.com/nicholasphair/aws_signature_v4_interceptor
90+
[5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv-create-signed-request.html
91+
[6]: https://github.com/curl/curl
92+
[7]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
93+
[8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
94+
[9]: https://youtu.be/mGP-CvjqmXA?si=O21Tp14A-5iduuZm
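
Review bot: In the last bash block (new-file line 74) the first line is a bare `curl` with no trailing `\`, so the shell runs `curl` with no arguments and then tries to execute `--request POST \` and the lines after it as a separate command; add the backslash as in the two earlier examples. The same block calls `aws configure export-credentials --format process` three times; capturing the JSON once in a variable and reading `AccessKeyId`, `SecretAccessKey` and `SessionToken` from it with `jq` would make all three values come from one call and would address the "not the fastest" remark at line 83. In the reference list, `[3]` is cited for both the AWS CLI (line 11) and Python's Requests (lines 18-19) but is defined only as the aws-requests-auth URL, and `[7]` is defined at line 92 without being cited anywhere in the post. Wording to fix before publishing: "with you temporary access" (line 38), "programatic" (line 50) and "the values in cached by the AWS CLI cache" (line 52).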
