aws_signature (aws_signature v0.4.0)

This module contains functions for signing requests to AWS services.

Summary

Types

-type header() :: {binary(), binary()}.
-type headers() :: [header()].
-type query_param() :: {binary(), binary()}.
-type query_params() :: [query_param()].

Functions

sign_v4(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Headers, Body)

Same as sign_v4/10 with no options.

sign_v4(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Headers, Body, Options)

-spec sign_v4(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Headers, Body,
        Options) ->
           FinalHeaders
           when
               AccessKeyID :: binary(),
               SecretAccessKey :: binary(),
               Region :: binary(),
               Service :: binary(),
               DateTime :: calendar:datetime(),
               Method :: binary(),
               URL :: binary(),
               Headers :: headers(),
               Body :: binary(),
               Options :: [Option],
               Option :: {uri_encode_path, boolean()} | {body_digest, binary()},
               FinalHeaders :: headers().

Implements the Signature Version 4 (SigV4) algorithm.

This function takes AWS client credentials and request details, based on which it computes the signature and returns headers extended with the authorization entries.

DateTime is a datetime tuple used as the request date. You most likely want to set it to the value of calendar:universal_time/0 when making the request.

URL must be valid, with all components properly escaped. For example, "https://example.com/path%20to" is valid, whereas "https://example.com/path to" is not.

It is essential that the provided request details are final and the returned headers are used to make the request. All custom headers need to be assembled before the signature is calculated.

The signature is computed by normalizing the request details into a well-defined canonical format and combining them with the credentials using a number of cryptographic functions. Upon receiving a request, the server calculates the signature using the same algorithm and compares it with the value received in the headers. For more details check out the AWS documentation.

The following options are supported:

uri_encode_path
When true, the request URI path is URI-encoded during request canonicalization, which is required for every service except S3. Note that the given URL should already be properly encoded, so this results in each segment being URI-encoded twice, as expected by AWS. Defaults to true.
body_digest
Optional SHA256 digest of the request body. This option can be used to provide a fixed digest value, such as "UNSIGNED-PAYLOAD", when sending requests without signing the body.

sign_v4_event(SecretAccessKey, Region, Service, DateTime, PriorSignature, HeaderString, Body)

-spec sign_v4_event(SecretAccessKey, Region, Service, DateTime, PriorSignature, HeaderString, Body) ->
                 {Headers, Signature}
                 when
                     SecretAccessKey :: binary(),
                     Region :: binary(),
                     Service :: binary(),
                     DateTime :: calendar:datetime(),
                     PriorSignature :: binary(),
                     HeaderString :: binary(),
                     Body :: binary(),
                     Headers :: [{binary(), binary(), atom()}],
                     Signature :: binary().

Signs an AWS Event Stream message and returns the event headers together with the signature, which is then used as PriorSignature when signing the next event.

The headers of a SigV4-signed event message contain only two entries:
:chunk-signature
the computed signature of the event, as a binary string (bytes type)
:date
milliseconds since the epoch (timestamp type)

PriorSignature for the first message is the base16-encoded SigV4 signature of the request used to open the connection with the target service.

HeaderString is the headers of the inner packet, encoded in the Event Stream format.

sign_v4_query_params(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL)

Same as sign_v4_query_params/7 with no options.

sign_v4_query_params(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL, Options)

-spec sign_v4_query_params(AccessKeyID, SecretAccessKey, Region, Service, DateTime, Method, URL,
                     Options) ->
                        FinalURL
                        when
                            AccessKeyID :: binary(),
                            SecretAccessKey :: binary(),
                            Region :: binary(),
                            Service :: binary(),
                            DateTime :: calendar:datetime(),
                            Method :: binary(),
                            URL :: binary(),
                            Options :: [Option],
                            Option ::
                                {uri_encode_path, boolean()} |
                                {session_token, binary()} |
                                {ttl, non_neg_integer()} |
                                {body, binary()} |
                                {body_digest, binary()} |
                                {tags, binary()},
                            FinalURL :: binary().

Implements the Signature Version 4 (SigV4) algorithm for query parameters.

This function takes AWS client credentials and request details, based on which it computes the signature and returns the URL extended with the signature entries. Note that anchors are ignored in the resulting URL.

DateTime is a datetime tuple used as the request date. You most likely want to set it to the value of calendar:universal_time/0 when making the request.

URL must be valid, with all components properly escaped. For example, "https://example.com/path%20to" is valid, whereas "https://example.com/path to" is not.

It is essential that the provided request details are final and the returned query params are used to make the request with the provided URL.

The signature is computed by normalizing the request details into a well-defined canonical format and combining them with the credentials using a number of cryptographic functions. Upon receiving a request, the server calculates the signature using the same algorithm and compares it with the value received in headers. For more details check out the AWS documentation.

The following options are supported:

ttl
Time-to-live in seconds, i.e. how long the generated URL remains valid. Defaults to 86400, which means one day.
uri_encode_path
When true, the request URI path is URI-encoded during request canonicalization, which is required for every service except S3. Note that the given URL should already be properly encoded, so this results in each segment being URI-encoded twice, as expected by AWS. Defaults to true.
session_token
Optional credential parameter if using credentials sourced from the STS service.
body
Request body to compute SHA256 digest for. Defaults to an empty binary. Note that body_digest always takes precedence when set.
body_digest
Optional SHA256 digest of the request body. This option can be used to provide a fixed digest value, such as "UNSIGNED-PAYLOAD", when sending requests without signing the body, which is expected for S3.
tags
Optional tagging of the object when generating a pre-signed URL. The value is a binary() in query-string form, for example <<"key1=value1&key2=value2">>. The actual request to put or get the object must use exactly the same tags value, otherwise the signature will not match.
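The canonicalize, derive and compare pipeline that sign_v4 and sign_v4_query_params both wrap, and that the receiving service replays, as an added Python example that is not part of the aws_signature library: sign_v4 places the resulting signature in the Authorization header and sign_v4_query_params in the query string, but the value is derived the same way. The secret, region, service, headers and body below are constructed values, the query string is assumed to be already canonical (sorted and escaped), and the example also shows the uri_encode_path double-encoding and the "UNSIGNED-PAYLOAD" body_digest described above.

```python
import hashlib
import hmac
from urllib.parse import quote

UNSIGNED_PAYLOAD = "UNSIGNED-PAYLOAD"  # fixed body_digest for unsigned bodies


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_path(path: str, uri_encode_path: bool = True) -> str:
    """Path as it enters the canonical request. The caller already passes an
    escaped path; with uri_encode_path=True each segment is encoded once more,
    so "/path%20to" becomes "/path%2520to" (what AWS expects for all but S3)."""
    if not uri_encode_path:
        return path
    return "/".join(quote(seg, safe="") for seg in path.split("/"))


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key by chained HMAC-SHA256."""
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def sigv4(secret, region, service, amz_date, method, path, query, headers,
          body_digest, uri_encode_path=True):
    """Hex signature for one request. amz_date is the request datetime as
    YYYYMMDDTHHMMSSZ; query is assumed already canonical (sorted, escaped);
    headers must be the final set, since every entry given here gets signed."""
    date, names = amz_date[:8], sorted(headers, key=str.lower)
    canonical_headers = "".join(f"{n.lower()}:{headers[n].strip()}\n" for n in names)
    canonical_request = "\n".join([method, canonical_path(path, uri_encode_path),
                                   query, canonical_headers,
                                   ";".join(n.lower() for n in names), body_digest])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                sha256_hex(canonical_request.encode())])
    return hmac.new(signing_key(secret, date, region, service),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def server_accepts(secret, region, service, amz_date, method, path, query,
                   headers, body: bytes, presented_signature: str) -> bool:
    """Receiving side: recompute over what actually arrived (hashing the body
    it received) and compare in constant time."""
    expected = sigv4(secret, region, service, amz_date, method, path, query,
                     headers, sha256_hex(body))
    return hmac.compare_digest(expected, presented_signature)
```

Any change to a signed header, the path encoding, the body or the credentials after signing makes the recomputed value differ, which is why the request details must be final before the library call.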

sign_v4a(AccessKeyID, SecretAccessKey, SessionToken, Regions, Service, Method, URL, Headers, Body, Options)

-spec sign_v4a(binary(),
         binary(),
         binary(),
         [binary()],
         binary(),
         binary(),
         binary(),
         headers(),
         binary(),
         map()) ->
            {ok, headers()} | {error, any()}.

Implements the Asymmetric Signature Version 4 (SigV4a) algorithm.

This function takes AWS client credentials and request details, based on which it computes the signature and returns headers extended with the authorization entries.

URL must be valid, with all components properly escaped. For example, "https://example.com/path%20to" is valid, whereas "https://example.com/path to" is not.

It is essential that the provided request details are final and the returned headers are used to make the request. All custom headers need to be assembled before the signature is calculated.

The following options are supported:

add_payload_hash_header
When true, adds the X-Amz-Content-Sha256 header to signed requests. Amazon S3 is an example of a service that requires this setting. Defaults to false.
disable_implicit_payload_hashing
When true, uses the "UNSIGNED-PAYLOAD" sentinel instead of computing the SHA256 digest of the payload. Defaults to false.