aws/internal/sigv4
Types
pub type CanonicalParts {
  CanonicalParts(
    canonical_request: String,
    signed_headers: String,
    payload_hash: String,
    prepared_headers: List(http_request.Header),
  )
}
Constructors
- CanonicalParts(canonical_request: String, signed_headers: String, payload_hash: String, prepared_headers: List(http_request.Header))
Minimal credentials shape the signer needs. Lives here rather than
aws/credentials so callers in providers/* (e.g. the STS
AssumeRole provider that signs its own request) can construct one
without dragging the full Credentials type — which would form a
dependency cycle with the provider chain that consumes signed
requests.
pub type SigningCredentials {
  SigningCredentials(
    access_key_id: String,
    secret_access_key: String,
    session_token: option.Option(String),
  )
}
Constructors
- SigningCredentials(access_key_id: String, secret_access_key: String, session_token: option.Option(String))
pub type SigningOptions {
  SigningOptions(
    timestamp: String,
    region: String,
    service: String,
    normalize_path: Bool,
    sign_body: Bool,
    omit_session_token: Bool,
  )
}
Constructors
- SigningOptions(timestamp: String, region: String, service: String, normalize_path: Bool, sign_body: Bool, omit_session_token: Bool)
Values
pub fn authorization_header(
  creds: SigningCredentials,
  timestamp: String,
  region: String,
  service: String,
  signed_headers: String,
  signature: String,
) -> String

pub fn canonical_request(
  req: http_request.HttpRequest,
  creds: SigningCredentials,
  opts: SigningOptions,
) -> CanonicalParts

pub fn make_credentials(
  access_key_id access_key_id: String,
  secret_access_key secret_access_key: String,
  session_token session_token: option.Option(String),
) -> SigningCredentials
Convenience constructor mirroring the most common case: static keys with no session token.
pub fn presigned_url(
  req: http_request.HttpRequest,
  creds: SigningCredentials,
  opts: SigningOptions,
  expires_seconds: Int,
  payload_hash payload_hash: option.Option(String),
) -> String
Build a SigV4 presigned URL — the “query-string auth” variant
callers reach for to share short-lived links to S3 objects, etc.
The auth components (X-Amz-Algorithm, X-Amz-Credential,
X-Amz-Date, X-Amz-Expires, X-Amz-SignedHeaders,
X-Amz-Security-Token when present, and X-Amz-Signature) land
in the URL query string rather than headers. Only the Host
header is signed.
payload_hash controls the canonical-request payload line:
- Some("UNSIGNED-PAYLOAD") — the S3 convention for shared download URLs (the caller doesn’t get to choose the body).
- Some(hex) — caller-provided body hash; matches a known request body that will be sent against the signed URL.
- None — the standard SigV4 path, honouring opts.sign_body: True ⇒ sha256(req.body), False ⇒ sha256("") (the hash of the empty body). The v4 test suite uses this path.
expires_seconds is bounded by SigV4 to [1, 604800] (1 second
to 7 days). The function doesn’t enforce the bound; AWS rejects
out-of-range values at the server side.
Returns the full URL (https://<host><path>?<signed-query>)
ready to hand to a caller. Existing req.query entries are
preserved and merged with the auth params.
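Added example, not part of this module's code: a standalone Python sketch of the query-string signing flow described above for presigned_url, with the [1, 604800] expiry bound checked locally before anything is signed. The presign function, its parameter names and the sample values are assumptions for illustration; it defaults to UNSIGNED-PAYLOAD, encodes the path once (S3 style) and does not merge pre-existing query entries.

```python
import hashlib
import hmac
from urllib.parse import quote

MAX_EXPIRES = 604800  # SigV4 upper bound for X-Amz-Expires: 7 days in seconds


def signing_key(secret, date, region, service):
    # HMAC-SHA256 chain: "AWS4"+secret -> date -> region -> service -> "aws4_request"
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def presign(method, host, path, access_key, secret, timestamp, region, service,
            expires_seconds, session_token=None, payload_hash="UNSIGNED-PAYLOAD"):
    # Reject out-of-range lifetimes locally rather than relying on the server.
    if not 1 <= expires_seconds <= MAX_EXPIRES:
        raise ValueError(f"expires_seconds must be within [1, {MAX_EXPIRES}]")
    date = timestamp[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": timestamp,
        "X-Amz-Expires": str(expires_seconds),
        "X-Amz-SignedHeaders": "host",  # only the Host header is signed
    }
    if session_token is not None:
        params["X-Amz-Security-Token"] = session_token
    # Canonical query string: percent-encode names and values, sort by encoded name.
    pairs = sorted((quote(k, safe=""), quote(v, safe="")) for k, v in params.items())
    query = "&".join(f"{k}={v}" for k, v in pairs)
    uri = quote(path, safe="/")  # assumption: S3-style single encoding of the path
    canonical = "\n".join([method, uri, query, f"host:{host}\n", "host", payload_hash])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", timestamp, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    key = signing_key(secret, date, region, service)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{query}&X-Amz-Signature={signature}"


if __name__ == "__main__":
    # Constructed sample input: placeholder credentials, not real keys.
    print(presign("GET", "examplebucket.s3.amazonaws.com", "/test.txt",
                  "AKIDEXAMPLE", "EXAMPLE-SECRET-NOT-REAL", "20130524T000000Z",
                  "us-east-1", "s3", 86400))
```

A caller of presigned_url can apply the same range check to expires_seconds before the call, and a tighter service-specific ceiling is a reasonable policy for links that leave the organisation.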
pub fn sign(
  req: http_request.HttpRequest,
  creds: SigningCredentials,
  opts: SigningOptions,
) -> http_request.HttpRequest

pub fn signing_key(
  secret: String,
  date: String,
  region: String,
  service: String,
) -> BitArray

pub fn string_to_sign(
  canonical: String,
  timestamp: String,
  region: String,
  service: String,
) -> String