Add ability to sign requests for all AWS services

This add the ability to utilize sigv4 signing for all AWS services not just "aps". When the newly introduced property "service" is not set in config it will default to "aps".
prometheus · May 17, 2022 · 136f390 · 136f390
1 parent 627089d
commit 136f390
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 7 deletions.
diff --git a/sigv4/sigv4.go b/sigv4/sigv4.go
@@ -36,9 +36,10 @@ var sigv4HeaderDenylist = []string{
 }
 
 type sigV4RoundTripper struct {
-	region string
-	next   http.RoundTripper
-	pool   sync.Pool
+	region  string
+	next    http.RoundTripper
+	pool    sync.Pool
+	service string
 
 	signer *signer.Signer
 }
@@ -81,11 +82,15 @@ func NewSigV4RoundTripper(cfg *SigV4Config, next http.RoundTripper) (http.RoundT
 	if cfg.RoleARN != "" {
 		signerCreds = stscreds.NewCredentials(sess, cfg.RoleARN)
 	}
+	if cfg.Service == "" {
+		cfg.Service = "aps"
+	}
 
 	rt := &sigV4RoundTripper{
-		region: cfg.Region,
-		next:   next,
-		signer: signer.NewSigner(signerCreds),
+		region:  cfg.Region,
+		next:    next,
+		signer:  signer.NewSigner(signerCreds),
+		service: cfg.Service,
 	}
 	rt.pool.New = rt.newBuf
 	return rt, nil
@@ -126,7 +131,7 @@ func (rt *sigV4RoundTripper) RoundTrip(req *http.Request) (*http.Response, error
 		signReq.Header.Del(header)
 	}
 
-	headers, err := rt.signer.Sign(signReq, seeker, "aps", rt.region, time.Now().UTC())
+	headers, err := rt.signer.Sign(signReq, seeker, rt.service, rt.region, time.Now().UTC())
 	if err != nil {
 		return nil, fmt.Errorf("failed to sign request: %w", err)
 	}

diff --git a/sigv4/sigv4_config.go b/sigv4/sigv4_config.go
@@ -28,6 +28,7 @@ type SigV4Config struct {
 	SecretKey config.Secret `yaml:"secret_key,omitempty"`
 	Profile   string        `yaml:"profile,omitempty"`
 	RoleARN   string        `yaml:"role_arn,omitempty"`
+	Service   string        `yaml:"service,omitempty"`
 }
 
 func (c *SigV4Config) Validate() error {

diff --git a/sigv4/sigv4_config_test.go b/sigv4/sigv4_config_test.go
@@ -47,6 +47,13 @@ func TestGoodSigV4Configs(t *testing.T) {
 	}
 }
 
+func TestGoodSigV4ServiceConfigs(t *testing.T) {
+	filesToTest := []string{"testdata/sigv4_good_service.yaml", "testdata/sigv4_good_service.yaml"}
+	for _, filename := range filesToTest {
+		testGoodConfig(t, filename)
+	}
+}
+
 func TestBadSigV4Config(t *testing.T) {
 	filename := "testdata/sigv4_bad.yaml"
 	_, err := loadSigv4Config(filename)

diff --git a/sigv4/testdata/sigv4_good_service.yaml b/sigv4/testdata/sigv4_good_service.yaml
@@ -0,0 +1,4 @@
+region: us-east-2
+profile: profile
+role_arn: blah:role/arn
+service: exectute-api