Tackle signing protocols about aws_client HOT 4 OPEN

Hi @Schwusch,

I'm also having the same issue as @littlekid440

When signing S3's PutObject operation via aws_s3_api, I'm getting:

AccessDeniedThere were headers present in the request which were not signed
x-amz-security-token

It seems that S3 expects 'X-Amz-Security-Token' header to be signed in and here you are not signing it.

Do you have any ETA on when this will be addressed?

As a workaround, I'm doing the following and it is working fine:

         final _s.RestXmlProtocol protocol = _s.RestXmlProtocol(
          client: _client,
          service: 's3',
          region: _region,
          credentials: AwsClientCredentials(
              accessKey: credentials.accessKey,
              secretKey: credentials.secretKey,
              sessionToken: credentials.sessionToken),
          endpointUrl: _domain,
        );

        final $result = await protocol.send(
          method: 'PUT',
          requestUri:
              '/${Uri.encodeComponent(_bucketName)}/${Uri.encodeComponent(fileName)}',
          headers: {'x-amz-security-token': credentials.sessionToken},
          payload: body,
          exceptionFnMap: _exceptionFns,
        );
        PutObjectOutput output =
            PutObjectOutput.fromXml($result.body, headers: $result.headers);

Thanks.

from aws_client.

S3 seems to be a little bit special and is tracked in #238

from aws_client.

As mentioned in #238, I think I have a way forward with this.
The trick is to expose signAws4HmacSha256 and other signing functions in the shared_aws_api, and let the protocol class send method take an optional signing function as an argument. The function signature would be something like:

typedef RequestSigner = void Function({
  required Request rq,
  required ServiceMetadata service,
  required String region,
  required AwsClientCredentials credentials,
});

E.g. RestXmlProtocol.send() method signature would then be:

Future<RestXmlResponse> send({
    required String method,
    required String requestUri,
    required Map<String, AwsExceptionFn> exceptionFnMap,
    bool signed = true,
    Map<String, List<String>>? queryParams,
    Map<String, String>? headers,
    dynamic payload,
    String? resultWrapper,
    RequestSigner? requestSigner, // take signer as an argument
  }) async {}

Later, the signing could simply be:

if (requestSigner != null) {
  requestSigner(
    rq: rq,
    service: _endpoint.service,
    region: _endpoint.signingRegion,
    credentials: credentials,
  );
} else {
  signAws4HmacSha256(
    rq: rq,
    service: _endpoint.service,
    region: _endpoint.signingRegion,
    credentials: credentials,
  );
}

That way we only have to supply the send() method a signing function when it's not supposed to be V4 signing.
During service code generation, it's possible to then decide what signing function (if any!) the operation needs, and provide it.

from aws_client.

Would generating presigned URLs also fall into this work?

E.g. the generate_presigned_url/generatePresignedUrl methods in the Java/Python SDKs.

Edit: For reference it appears aws_signature_v4 has a Dart implementation of it in AWSSigV4Signer.presign().

from aws_client.