签名版本 4 经过身份验证的请求示例 - Amazon VPC Lattice

本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。

签名版本 4 经过身份验证的请求示例

VPC Lattice 使用签名版本 4 (Sigv4) 或签名版本 4A (Sigv4a) 进行客户端身份验证。有关更多信息,请参阅 I AM 用户指南中的签署 AWS API 请求

注意事项
  • VPC Lattice 会尝试对任何使用 Sigv4 或 Sigv4A 签名的请求进行身份验证。未经验证,请求失败。

  • VPC Lattice 不支持有效负载签名。必须发送 x-amz-content-sha256 标头,其值设置为 "UNSIGNED-PAYLOAD"

Python

此示例通过安全连接将已签名的请求发送到在网络中注册的服务。如果您希望使用请求botocore 包可以简化验证过程,但并非严格要求。有关更多信息,请参阅 Boto3 文档中的凭证

要安装botocoreawscrt软件包,请使用以下命令。有关更多信息,请参阅 AWS CRT Python

pip install botocore awscrt

在以下示例中,使用您自己的值替换占位符值。

SIGv4
from botocore import crt import requests from botocore.awsrequest import AWSRequest from botocore.credentials import Credentials import botocore.session if __name__ == '__main__': session = botocore.session.Session() signer = crt.auth.CrtS3SigV4Auth(session.get_credentials(), 'vpc-lattice-svcs', 'us-west-2') endpoint = 'https://user-02222f67d3a427111.1234abc.vpc-lattice-svcs.us-west-2.on.aws/create' data = "some-data-here" headers = {'Content-Type': 'application/json'} request = AWSRequest(method='POST', url=endpoint, data=data, headers=headers) request.context["payload_signing_enabled"] = False # payload signing is not supported signer.add_auth(request) prepped = request.prepare() response = requests.post(prepped.url, headers=prepped.headers, data=data)
SIGv4A
from botocore import crt import requests from botocore.awsrequest import AWSRequest from botocore.credentials import Credentials import botocore.session if __name__ == '__main__': session = botocore.session.Session() signer = crt.auth.CrtS3SigV4AsymAuth(session.get_credentials(), 'vpc-lattice-svcs', 'us-west-2') endpoint = 'https://user-02222f67d3a427111.1234abc.vpc-lattice-svcs.us-west-2.on.aws/create' data = "some-data-here" headers = {'Content-Type': 'application/json'} request = AWSRequest(method='POST', url=endpoint, data=data, headers=headers) request.context["payload_signing_enabled"] = False # payload signing is not supported signer.add_auth(request) prepped = request.prepare() response = requests.post(prepped.url, headers=prepped.headers, data=data)

带拦截器的 Java

本示例使用 Amazon 请求签名拦截程序 处理请求签名。

import com.amazonaws.http.AwsRequestSigningApacheInterceptor; import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider; import software.amazon.awssdk.auth.signer.Aws4UnsignedPayloadSigner; import software.amazon.awssdk.regions.Region; import java.nio.charset.StandardCharsets; import org.apache.http.client.methods.HttpPost; import org.apache.http.entity.ByteArrayEntity; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; public class App { public static void main(String[] args) { var interceptor = new AwsRequestSigningApacheInterceptor( "vpc-lattice-svcs", Aws4UnsignedPayloadSigner.create(), // requires HTTPS DefaultCredentialsProvider.create(), Region.US_WEST_2.id() ); CloseableHttpClient client = HttpClients.custom() .addInterceptorLast(interceptor) .build(); var httpPost = new HttpPost("https://user-02222f67d3a427111.1234abc.vpc-lattice-svcs.us-west-2.on.aws/create"); httpPost.addHeader("content-type", "application/json"); var body = """ { "name": "Jane Doe", "job": "Engineer" } """; httpPost.setEntity(new ByteArrayEntity(body.getBytes(StandardCharsets.UTF_8))); try (var response = client.execute(httpPost)) { System.out.println(new String(response.getEntity().getContent().readAllBytes())); } catch (Exception e) { throw new RuntimeException(e); } } }

不带拦截器的 Java

本示例展示了如何使用自定义拦截器执行请求签名。本示例使用来自 AWS SDK for Java 2.x 的默认凭证提供商类,为您获取正确的凭证。如果您希望使用特定的凭证提供商,可以从 AWS SDK for Java 2.x 中选择一个。仅 AWS SDK for Java 允许通过 HTTPS 进行未签名的有效负载。但您可以扩展签名程序,以支持通过 HTTP 的未签名有效负载。

import java.io.ByteArrayInputStream; import java.io.IOException; import java.nio.charset.StandardCharsets; import java.util.HashMap; import java.util.List; import java.util.Map; import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider; import software.amazon.awssdk.auth.signer.Aws4UnsignedPayloadSigner; import software.amazon.awssdk.auth.signer.AwsSignerExecutionAttribute; import software.amazon.awssdk.core.interceptor.ExecutionAttributes; import software.amazon.awssdk.http.SdkHttpFullRequest; import software.amazon.awssdk.http.SdkHttpMethod; import software.amazon.awssdk.regions.Region; import org.apache.http.client.methods.HttpPost; import org.apache.http.entity.ByteArrayEntity; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; public class App { public static void main(String[] args) { var signer = Aws4UnsignedPayloadSigner.create(); // requires HTTPS Map<String, String> headers = new HashMap<>(); headers.put("content-type", "application/json"); var body = """ { "name": "Jane Doe", "job": "Engineer" } """; String endpoint = "https://user-02222f67d3a427111.1234abc.vpc-lattice-svcs.us-west-2.on.aws/create"; var sdkRequest = SdkHttpFullRequest.builder().method(SdkHttpMethod.POST); sdkRequest.host("user-02222f67d3a427111.1234abc.vpc-lattice-svcs.us-west-2.on.aws"); sdkRequest.protocol("HTTPS"); sdkRequest.encodedPath("/create"); sdkRequest.contentStreamProvider(() -> new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8))); for (Map.Entry<String, String> header : headers.entrySet()) { sdkRequest.putHeader(header.getKey(), header.getValue()); } ExecutionAttributes attributes = ExecutionAttributes.builder() .put(AwsSignerExecutionAttribute.AWS_CREDENTIALS, DefaultCredentialsProvider.create().resolveCredentials()) .put(AwsSignerExecutionAttribute.SERVICE_SIGNING_NAME, "vpc-lattice-svcs") .put(AwsSignerExecutionAttribute.SIGNING_REGION, Region.US_WEST_2) .build(); SdkHttpFullRequest prepRequest = signer.sign(sdkRequest.build(), attributes); HttpPost httpPost = new HttpPost(endpoint); for (Map.Entry<String, List<String>> header : prepRequest.headers().entrySet()) { if (header.getKey().equalsIgnoreCase("host")) { continue; } for(var value : header.getValue()) { httpPost.addHeader(header.getKey(), value); } } CloseableHttpClient client = HttpClients.custom().build(); httpPost.setEntity(new ByteArrayEntity(body.getBytes(StandardCharsets.UTF_8))); try (var response = client.execute(httpPost)){ System.out.println(new String(response.getEntity().getContent().readAllBytes())); } catch (IOException e) { throw new RuntimeException(e); } } }

Node.js

本例使用 aws-crt NodeJS 绑定来发送使用 HTTPS 的签名请求。

要安装 aws-crt 包,请使用以下命令。

npm -i aws-crt

如果存在 AWS_REGION 环境变量,本例将使用 AWS_REGION 指定的区域。默认区域为 us-east-1

SIGv4
const https = require('https') const crt = require('aws-crt') const { HttpRequest } = require('aws-crt/dist/native/http') function sigV4Sign(method, endpoint, service, algorithm) { const host = new URL(endpoint).host const request = new HttpRequest(method, endpoint) request.headers.add('host', host) // crt.io.enable_logging(crt.io.LogLevel.INFO) const config = { service: service, region: process.env.AWS_REGION ? process.env.AWS_REGION : 'us-east-1', algorithm: algorithm, signature_type: crt.auth.AwsSignatureType.HttpRequestViaHeaders, signed_body_header: crt.auth.AwsSignedBodyHeaderType.XAmzContentSha256, signed_body_value: crt.auth.AwsSignedBodyValue.UnsignedPayload, provider: crt.auth.AwsCredentialsProvider.newDefault() } return crt.auth.aws_sign_request(request, config) } if (process.argv.length === 2) { console.error(process.argv[1] + ' <url>') process.exit(1) } const algorithm = crt.auth.AwsSigningAlgorithm.SigV4; sigV4Sign('GET', process.argv[2], 'vpc-lattice-svcs').then( httpResponse => { var headers = {} for (const sigv4header of httpResponse.headers) { headers[sigv4header[0]] = sigv4header[1] } const options = { hostname: new URL(process.argv[2]).host, path: '/', method: 'GET', headers: headers } req = https.request(options, res => { console.log('statusCode:', res.statusCode) console.log('headers:', res.headers) res.on('data', d => { process.stdout.write(d) }) }) req.on('error', err => { console.log('Error: ' + err) }) req.end() } )
SIGv4A
const https = require('https') const crt = require('aws-crt') const { HttpRequest } = require('aws-crt/dist/native/http') function sigV4Sign(method, endpoint, service, algorithm) { const host = new URL(endpoint).host const request = new HttpRequest(method, endpoint) request.headers.add('host', host) // crt.io.enable_logging(crt.io.LogLevel.INFO) const config = { service: service, region: process.env.AWS_REGION ? process.env.AWS_REGION : 'us-east-1', algorithm: algorithm, signature_type: crt.auth.AwsSignatureType.HttpRequestViaHeaders, signed_body_header: crt.auth.AwsSignedBodyHeaderType.XAmzContentSha256, signed_body_value: crt.auth.AwsSignedBodyValue.UnsignedPayload, provider: crt.auth.AwsCredentialsProvider.newDefault() } return crt.auth.aws_sign_request(request, config) } if (process.argv.length === 2) { console.error(process.argv[1] + ' <url>') process.exit(1) } const algorithm = crt.auth.AwsSigningAlgorithm.SigV4Asymmetric; sigV4Sign('GET', process.argv[2], 'vpc-lattice-svcs').then( httpResponse => { var headers = {} for (const sigv4header of httpResponse.headers) { headers[sigv4header[0]] = sigv4header[1] } const options = { hostname: new URL(process.argv[2]).host, path: '/', method: 'GET', headers: headers } req = https.request(options, res => { console.log('statusCode:', res.statusCode) console.log('headers:', res.headers) res.on('data', d => { process.stdout.write(d) }) }) req.on('error', err => { console.log('Error: ' + err) }) req.end() } )