{"id":8864,"library":"aws-sdk-signers","title":"AWS SDK Signers","description":"The aws-sdk-signers library provides standalone HTTP request signers for Amazon Web Services, primarily focusing on SigV4 signing. It's part of the wider smithy-python ecosystem, offering a low-level interface for integrating AWS signature logic into any HTTP client. As a 0.x.x release, it is under active development with an irregular release cadence.","status":"active","version":"0.2.0","language":"en","source_language":"en","source_url":"https://github.com/smithy-lang/smithy-python/tree/develop/packages/aws-sdk-signers","tags":["aws","security","signature","authentication","api-gateway","s3","iam","cloud"],"install":[{"cmd":"pip install aws-sdk-signers aws-sdk-http botocore","lang":"bash","label":"Install core signers and common dependencies"}],"dependencies":[{"reason":"Commonly used for resolving AWS credentials and regions programmatically.","package":"botocore","optional":true},{"reason":"Provides the HttpRequest and HttpResponse objects that are typically used with signers.","package":"aws-sdk-http","optional":true}],"imports":[{"symbol":"HTTPSigner","correct":"from aws_sdk_signers import HTTPSigner"},{"symbol":"SigV4Signer","correct":"from aws_sdk_signers import SigV4Signer"},{"symbol":"HttpRequest","correct":"from aws_sdk_http import HttpRequest"}],"quickstart":{"code":"import os\nfrom datetime import datetime, timezone\nfrom aws_sdk_signers import SigV4Signer\nfrom aws_sdk_http import HttpRequest\nimport botocore.session\n\n# 1. Resolve AWS credentials and region (e.g., from environment variables, ~/.aws/credentials)\nsession = botocore.session.get_session()\ncredentials = session.get_credentials()\n# Use os.environ.get for region, falling back to botocore config or a default\nregion = os.environ.get('AWS_DEFAULT_REGION', session.get_config_variable('region') or 'us-east-1')\n\n# Ensure credentials and region are found\nif not credentials or not credentials.access_key or not region:\n raise RuntimeError(\"AWS credentials or region not found. Set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN (optional) and AWS_DEFAULT_REGION.\")\n\n# 2. Create an HTTP Request object\n# For an empty body, x-amz-content-sha256 must be the SHA256 hash of an empty string.\nrequest = HttpRequest(\n method=\"GET\",\n scheme=\"https\",\n host=\"example.s3.amazonaws.com\",\n path=\"/myobject.txt\",\n headers={\n \"Host\": \"example.s3.amazonaws.com\",\n \"x-amz-content-sha256\": \"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\"\n },\n body=b''\n)\n\n# 3. Create a SigV4Signer instance\nsigner = SigV4Signer(\n credentials=credentials,\n service_id=\"s3\",\n region=region,\n)\n\n# 4. Sign the request\nsigning_date = datetime.now(timezone.utc) # Use a timezone-aware datetime for signing\nsigned_request = signer.sign(request, signing_date)\n\nprint(\"--- Original Request Headers ---\")\nfor k, v in request.headers.items():\n print(f\"{k}: {v}\")\n\nprint(\"\\n--- Signed Request Headers ---\")\nfor k, v in signed_request.headers.items():\n print(f\"{k}: {v}\")\n\nprint(f\"\\nSigned Authorization header: {signed_request.headers.get('Authorization')}\")\n","lang":"python","description":"This example demonstrates how to sign a simple AWS S3 GET request using SigV4. It dynamically resolves AWS credentials and region, constructs an `HttpRequest` object, and then applies the SigV4 signature using `SigV4Signer`. Note that `x-amz-content-sha256` for an empty body is explicitly set, and `botocore` is used for credential resolution."},"warnings":[{"fix":"Always pin to exact versions (e.g., `aws-sdk-signers==0.2.0`) and review changes carefully when upgrading.","message":"As a 0.x.x library, the API is subject to frequent and breaking changes without prior notice. Semantic versioning guarantees do not apply, and minor version increments may introduce incompatible changes.","severity":"breaking","affected_versions":"0.1.0 - 0.2.0+"},{"fix":"Install `botocore` and use `botocore.session.get_session().get_credentials()` and `session.get_config_variable('region')` to obtain credentials and region, or explicitly pass them to the signer.","message":"This library provides signing logic but does not handle AWS credential or region resolution by itself. For typical AWS environments, you'll need to use `botocore` or manually provide `AWSCredentials` and `region`.","severity":"gotcha","affected_versions":"0.1.0 - 0.2.0+"},{"fix":"Ensure `aws-sdk-http` is installed and construct your request using `from aws_sdk_http import HttpRequest`.","message":"The signer expects an `HttpRequest` object from `aws-sdk-http` (or a compatible type) and will not work with a plain Python dictionary or other HTTP request objects directly without custom adaptation.","severity":"gotcha","affected_versions":"0.1.0 - 0.2.0+"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"Install `botocore`: `pip install botocore`.","cause":"The `botocore` library, commonly used for resolving AWS credentials and region, is not installed.","error":"ModuleNotFoundError: No module named 'botocore'"},{"fix":"Configure your AWS credentials and region. This can be done via environment variables (e.g., `export AWS_ACCESS_KEY_ID=...`, `export AWS_DEFAULT_REGION=us-east-1`), `~/.aws/credentials` file, or by running in an environment with an IAM role.","cause":"The quickstart code or your application could not find valid AWS credentials or a default region in environment variables, AWS config files, or an assumed IAM role.","error":"RuntimeError: AWS credentials or region not found. Set AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN (optional) and AWS_DEFAULT_REGION."},{"fix":"Import `HttpRequest` from `aws_sdk_http` and use it to construct your request object. Ensure `aws-sdk-http` is installed: `pip install aws-sdk-http`.","cause":"You are passing a plain Python dictionary as the request object to the signer instead of an `HttpRequest` object.","error":"AttributeError: 'dict' object has no attribute 'headers'"}]}