
feat(auth): SigV4 Signing for calls that are taking IAM Auth

Open stephenbawks opened this issue 2 years ago • 20 comments

Issue number: https://github.com/aws-powertools/aws-lambda-powertools-python/issues/2493

Summary

Changes

Adding the ability to create authentication using SigV4.

User experience

Please share what the user experience looks like before and after this change

Checklist

If your change doesn't seem to apply, please leave them unchecked.

Is this a breaking change?

RFC issue number:

Checklist:

  • [ ] Migration process documented
  • [ ] Implement warnings (if it can live side by side)

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Disclaimer: We value your time and bandwidth. As such, any pull requests created on non-triaged issues might not be successful.

stephenbawks avatar Jun 11 '23 20:06 stephenbawks

Work still progressing on this, but interested in early feedback.

stephenbawks avatar Jun 11 '23 20:06 stephenbawks

Hi @stephenbawks, thank you so much for your effort in creating this!

I wanted to let you know that in order to add a new feature, we have a specific process that requires opening a feature request (possibly with a Request for Comments or RFC: https://github.com/awslabs/aws-lambda-powertools-python/issues/new?assignees=&labels=RFC%2Ctriage&projects=&template=rfc.yml&title=RFC%3A+TITLE) before we consider implementing a new utility.

Additionally, to ensure better visibility, it would be really helpful if you could answer the following questions:

1/ What are the differences or gaps between SigV4Auth and the well-tested utility available at https://github.com/davidmuller/aws-requests-auth?
2/ Can we find this utility in the Lambda Runtime's boto version (1.29.90)?
3/ Is it possible to make the utility name more general, allowing for future growth? For example, JWT is another popular requirement.

I kindly request you to open a Feature Request/RFC with these answers, so that we can gather feedback on the proposed utility! Once again, I sincerely appreciate your valuable time :)

rubenfonseca avatar Jun 13 '23 14:06 rubenfonseca
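To make the comparison asked for above concrete, here is a minimal SigV4 signer written only against the Python standard library. It is an added illustration for this thread, not code from this PR, from Powertools, from botocore or from aws-requests-auth: it spells out the steps that botocore's SigV4Auth performs (canonical request, string to sign, derived signing key, HMAC, Authorization header) so the question of what a Powertools wrapper would add on top is easier to reason about. The access key, secret and timestamp are AWS's documented placeholder values for the "GET /" vector in its published SigV4 test suite, not real credentials; the session token in the usage note is a constructed string. Assumptions: the target service is not S3 (S3 has its own payload-hash and path-encoding rules), and the URL path is passed already normalised.

```python
"""Minimal AWS Signature Version 4 signer built only on the standard library.

Added illustration for this thread, not code from this PR, from Powertools or
from botocore. Credential strings are AWS's documented placeholder values.
Assumptions: non-S3 service, path already normalised.
"""
import datetime
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"

# AWS's documented example credentials and timestamp (not real secrets).
EXAMPLE_ACCESS_KEY = "AKIDEXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
EXAMPLE_TIME = datetime.datetime(2015, 8, 30, 12, 36, tzinfo=datetime.timezone.utc)


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_query(query: str) -> str:
    """Sort parameters by name then value and RFC 3986-encode them."""
    pairs = parse_qsl(query, keep_blank_values=True)
    return "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(pairs)
    )


def canonical_request(method: str, url: str, headers: dict, payload: bytes):
    """Return (canonical request text, signed-headers list) for the request."""
    parts = urlsplit(url)
    # Header names lower-cased, values trimmed with inner whitespace collapsed,
    # sorted by name. Every header listed here is covered by the signature.
    canon = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(canon))
    canonical_headers = "".join(f"{k}:{canon[k]}\n" for k in sorted(canon))
    text = "\n".join([
        method.upper(),
        quote(parts.path or "/", safe="/~"),
        canonical_query(parts.query),
        canonical_headers,      # ends with "\n", which yields the blank separator line
        signed_headers,
        _sha256_hex(payload),   # hash of the body, so the body is signed as well
    ])
    return text, signed_headers


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key; the secret itself is never sent."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, url, region, service, access_key, secret_key,
                 session_token=None, headers=None, payload=b"", now=None):
    """Return the request headers with x-amz-date and Authorization added."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    headers.setdefault("host", urlsplit(url).netloc)
    headers["x-amz-date"] = amz_date
    if session_token:
        # Temporary credentials (a Lambda execution role, STS AssumeRole) carry a
        # session token; it must be sent and it must be inside the signed set.
        headers["x-amz-security-token"] = session_token
    creq, signed_headers = canonical_request(method, url, headers, payload)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    key = signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"{ALGORITHM} Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}"
    )
    return headers


def example_headers(session_token=None):
    """Sign the 'GET /' request from AWS's published SigV4 test vectors."""
    return sign_request(
        "GET", "https://example.amazonaws.com/", "us-east-1", "service",
        EXAMPLE_ACCESS_KEY, EXAMPLE_SECRET_KEY,
        session_token=session_token, now=EXAMPLE_TIME,
    )


if __name__ == "__main__":
    for name, value in example_headers().items():
        print(f"{name}: {value}")
```

Two points this makes visible that a wrapper has to get right: the signing key is derived from the date, region and service, so a cached key silently stops working at the UTC day boundary or when the target region or service changes; and with temporary credentials (the normal case inside Lambda) `x-amz-security-token` has to be both sent and listed in `SignedHeaders`, otherwise the service rejects the request even though the signature itself is well formed. The output of `example_headers()` can be compared against the "GET /" vector in AWS's SigV4 test suite, which uses these same inputs.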

Folks - what's the latest here?

heitorlessa avatar Jul 07 '23 04:07 heitorlessa

> Hi @stephenbawks, thank you so much for your effort in creating this!
>
> I wanted to let you know that in order to add a new feature, we have a specific process that requires opening a feature request (possibly with a Request for Comments or RFC: https://github.com/awslabs/aws-lambda-powertools-python/issues/new?assignees=&labels=RFC%2Ctriage&projects=&template=rfc.yml&title=RFC%3A+TITLE) before we consider implementing a new utility.
>
> Additionally, to ensure better visibility, it would be really helpful if you could answer the following questions:
>
> 1/ What are the differences or gaps between SigV4Auth and the well-tested utility available at https://github.com/davidmuller/aws-requests-auth?
> 2/ Can we find this utility in the Lambda Runtime's boto version (1.29.90)?
> 3/ Is it possible to make the utility name more general, allowing for future growth? For example, JWT is another popular requirement.
>
> I kindly request you to open a Feature Request/RFC with these answers, so that we can gather feedback on the proposed utility! Once again, I sincerely appreciate your valuable time :)

Sorry for the delay but I have gone ahead and created the RFC.

https://github.com/aws-powertools/powertools-lambda-python/issues/2713

stephenbawks avatar Jul 07 '23 11:07 stephenbawks

Thanks a lot @stephenbawks !! Gonna make comments in the RFC shortly

heitorlessa avatar Jul 07 '23 14:07 heitorlessa

Quick heads up: it's missing details and CI checks still. I'll put this for August.

heitorlessa avatar Aug 01 '23 07:08 heitorlessa

Kudos, SonarCloud Quality Gate passed!

  • Bugs: 0 (A)
  • Vulnerabilities: 0 (A)
  • Security Hotspots: 0 (A)
  • Code Smells: 15 (A)
  • Coverage: no coverage information
  • Duplication: 0.5%

sonarqubecloud[bot] avatar Aug 18 '23 12:08 sonarqubecloud[bot]

@leandrodamascena @heitorlessa @rubenfonseca

This is not feature complete yet, but I wanted some feedback. I added some stuff for JWT auth (not 100% done yet) but I wanted to get thoughts and opinions on the basic structure.

The trick with JWT Auth is that there are a lot of different providers out there and there are slight differences between them in terms of what they want or need in order to do JWT Client Credentials, for example. I added some of the major players as an Enum but I am looking to see what you all think, if that is a good idea or not. The basic structure is there but, like I said, it needs some polishing and error handling, but I wanted to see if I should proceed down this route or change direction.

stephenbawks avatar Aug 18 '23 12:08 stephenbawks

We are currently prioritizing RFC #3040 and after completing this work we will return to this PR.

leandrodamascena avatar Sep 04 '23 22:09 leandrodamascena

@heitorlessa / @stephenbawks Coming back to this PR, is there anything else needed before we review and merge?

sthulb avatar Feb 07 '24 09:02 sthulb

> @heitorlessa / @stephenbawks Coming back to this PR, is there anything else needed before we review and merge?

Leandro shared that docs and UX need a final pass -- I'm scheduling this for the next iteration cycle starting on Monday (Feb 12th-22nd) to make the cut for that release cycle.

heitorlessa avatar Feb 09 '24 12:02 heitorlessa

Quality Gate passed

Issues
  • 4 New issues

Measures
  • 0 Security Hotspots
  • No data about Coverage
  • 1.5% Duplication on New Code

See analysis details on SonarCloud

sonarqubecloud[bot] avatar Feb 09 '24 12:02 sonarqubecloud[bot]

@heitorlessa @sthulb

Let's do it. I have been waiting to complete my trifecta of PRs so that I can do more with VPC Lattice, so I will do whatever we need here. I saw your comment about an RFC so I will get that going.

I did create an RFC a while back but I am assuming it needs to be updated.

https://github.com/aws-powertools/powertools-lambda-python/issues/2713

stephenbawks avatar Feb 09 '24 13:02 stephenbawks

@stephenbawks Thanks for commenting. Initially, I'll say this is missing tests for sure (unit/func/e2e) before we can review this properly.

sthulb avatar Feb 09 '24 16:02 sthulb

After a deeper look into the PR & RFC, we're missing a few things like docs and tests.

I'm wondering if we care about the JWT side of this PR – perhaps this should be split into a different RFC so we can decide it's something we need. There's definitely a need for SigV4(a) signing util since that would be a nice convenience utility.

sthulb avatar Feb 09 '24 16:02 sthulb

> After a deeper look into the PR & RFC, we're missing a few things like docs and tests.
>
> I'm wondering if we care about the JWT side of this PR – perhaps this should be split into a different RFC so we can decide it's something we need. There's definitely a need for SigV4(a) signing util since that would be a nice convenience utility.

I am getting back into the swing of things here. I would like to get this PR over the finish line; it's been a while in the making.

I think we could certainly split it into two different PRs. Just wondering if there is any more thought on that from anyone else. I feel like most of the work is done for adding JWT/client credentials but I am interested in feedback.

@leandrodamascena

stephenbawks avatar Apr 11 '24 11:04 stephenbawks

@rubenfonseca @leandrodamascena Bumping this to see if there might be some more feedback and/or improvements/suggestions.

stephenbawks avatar Sep 22 '24 13:09 stephenbawks