Closed
Description
A handful of AWS services facilitate provision of an external resource that the user then communicates with using non-AWS SDK tooling, e.g.
- EKS creates Kubernetes clusters which you then control with `kubectl`
- OpenSearch creates OpenSearch clusters which you then talk to through a separately-maintained library, https://github.com/opensearch-project/opensearch-go
Among these services, a handful require SigV4 or SigV4A authentication (e.g. OpenSearch, API Gateway, VPC Lattice). The state of generic signer support across SDKs is fragmented and the Go v2 SDK is no exception:
- The sigv4 signer implementation is part of the public API but its implementation is not truly generic. It depends on various elements of the runtime and makes some decisions about header canonicalization and signing variables based on quirks within the AWS service fabric
- The sigv4a signer is entirely an implementation detail and correctly remains in an internal package. However, this means that users who require SigV4A functionality outside of an AWS service context have little to no recourse - as the algorithm isn't yet publicly documented, an implementation must be derived from an existing AWS-borne implementation (CRT, Rust/Go v2 SDKs).
This issue tracks the development work to support generic, fully reusable APIs for modern AWS signing algorithms.
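For reference, a minimal header-based SigV4 signer using only the Go standard library, showing which inputs a generic signer has to leave to the caller (region, service name, the set of signed headers). This is an added example, not code from the SDK or from this issue; `SignV4`, `mac` and `sha` are hypothetical names, and the sample request uses the example credentials from the public SigV4 test suite.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"net/http"
	"sort"
	"strings"
	"time"
)

func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}
func sha(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// SignV4 sets X-Amz-Date and Authorization on r and returns the hex signature.
// extra lists lower-case header names to sign besides host and x-amz-date.
// Simplified: path is used as escaped once; repeated query keys are not value-sorted.
func SignV4(r *http.Request, body []byte, akid, secret, region, service string, extra []string, t time.Time) string {
	ts := t.UTC().Format("20060102T150405Z")
	r.Header.Set("X-Amz-Date", ts)
	names := append([]string{"host", "x-amz-date"}, extra...)
	sort.Strings(names)
	hdr := r.Header.Clone()
	hdr.Set("Host", r.Host) // net/http keeps Host outside the header map
	var ch strings.Builder
	for _, n := range names { // canonical form: lower-case name, collapsed whitespace
		ch.WriteString(n + ":" + strings.Join(strings.Fields(strings.Join(hdr.Values(n), ",")), " ") + "\n")
	}
	signed := strings.Join(names, ";")
	path := "/" + strings.TrimPrefix(r.URL.EscapedPath(), "/")
	query := strings.ReplaceAll(r.URL.Query().Encode(), "+", "%20") // SigV4 wants %20 for spaces
	canon := strings.Join([]string{r.Method, path, query, ch.String(), signed, sha(body)}, "\n")
	scope := ts[:8] + "/" + region + "/" + service + "/aws4_request"
	toSign := "AWS4-HMAC-SHA256\n" + ts + "\n" + scope + "\n" + sha([]byte(canon))
	key := mac(mac(mac(mac([]byte("AWS4"+secret), ts[:8]), region), service), "aws4_request")
	sig := fmt.Sprintf("%x", mac(key, toSign))
	r.Header.Set("Authorization", "AWS4-HMAC-SHA256 Credential="+akid+"/"+scope+", SignedHeaders="+signed+", Signature="+sig)
	return sig
}

func main() {
	r, _ := http.NewRequest("GET", "https://example.amazonaws.com/", nil) // constructed sample request
	SignV4(r, nil, "AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "us-east-1", "service", nil, time.Date(2015, 8, 30, 12, 36, 0, 0, time.UTC))
	fmt.Println(r.Header.Get("Authorization"))
}
```

SigV4A is not covered here: as the issue notes, that algorithm is not yet publicly documented.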