{"id":3257,"library":"requests-auth-aws-sigv4","title":"AWS SigV4 Authentication for Requests","description":"requests-auth-aws-sigv4 is a Python library that provides an authentication class to integrate AWS Signature Version 4 (SigV4) into the popular `requests` module. It simplifies the process of signing HTTP requests to AWS services, including API Gateway, Elasticsearch, and others, by handling credential retrieval from environment variables, parameters, or `boto3`. The current version is 0.7, with its last release in February 2021, indicating a mature and stable but less frequently updated library.","status":"active","version":"0.7","language":"en","source_language":"en","source_url":"https://github.com/andrewjroth/requests-auth-aws-sigv4","tags":["aws","sigv4","authentication","requests","http","api"],"install":[{"cmd":"pip install requests-auth-aws-sigv4","lang":"bash","label":"Install stable version"}],"dependencies":[{"reason":"Core dependency for making HTTP requests.","package":"requests","optional":false},{"reason":"Optional dependency for automatic AWS credential retrieval from configured AWS CLI/SDK profiles.","package":"boto3","optional":true}],"imports":[{"symbol":"AWSSigV4","correct":"from requests_auth_aws_sigv4 import AWSSigV4"}],"quickstart":{"code":"import os\nimport requests\nfrom requests_auth_aws_sigv4 import AWSSigV4\n\n# Ensure AWS credentials are set as environment variables for a runnable example\n# export AWS_ACCESS_KEY_ID=YOUR_ACCESS_KEY\n# export AWS_SECRET_ACCESS_KEY=YOUR_SECRET_KEY\n# export AWS_SESSION_TOKEN=YOUR_SESSION_TOKEN (optional, for temporary credentials)\n\naws_access_key_id = os.environ.get('AWS_ACCESS_KEY_ID', 'YOUR_ACCESS_KEY_ID')\naws_secret_access_key = os.environ.get('AWS_SECRET_ACCESS_KEY', 'YOUR_SECRET_ACCESS_KEY')\naws_session_token = os.environ.get('AWS_SESSION_TOKEN', None)\n\n# Example: Call AWS STS GetCallerIdentity\n# Replace with your actual service endpoint and region if different\naws_service = 'sts'\naws_region = 'us-east-1'\nurl = f'https://sts.{aws_region}.amazonaws.com'\n\n# Initialize AWSSigV4 with service and region. Credentials can be provided as parameters\n# or will be automatically picked up from environment variables or boto3 if available.\nauth = AWSSigV4(\n    aws_service,\n    aws_region,\n    aws_access_key_id=aws_access_key_id,\n    aws_secret_access_key=aws_secret_access_key,\n    aws_session_token=aws_session_token\n)\n\n# Make a POST request with the SigV4 authentication\n# For GetCallerIdentity, the body is typically simple XML or URL-encoded form data.\n# Here, we simulate a simple POST with required parameters.\nheaders = {'Content-Type': 'application/x-www-form-urlencoded'}\ndata = {'Version': '2011-06-15', 'Action': 'GetCallerIdentity'}\n\ntry:\n    response = requests.post(url, headers=headers, data=data, auth=auth)\n    response.raise_for_status() # Raise an exception for HTTP errors\n    print(f\"Status Code: {response.status_code}\")\n    print(f\"Response Body:\\n{response.text}\")\nexcept requests.exceptions.RequestException as e:\n    print(f\"An error occurred: {e}\")\n    if e.response is not None:\n        print(f\"Error Response Body:\\n{e.response.text}\")\n","lang":"python","description":"This quickstart demonstrates how to use `requests-auth-aws-sigv4` to sign a request to the AWS Security Token Service (STS) `GetCallerIdentity` API. It shows how to initialize the `AWSSigV4` class with the service and region, explicitly providing credentials or relying on environment variables. The example includes error handling for common `requests` exceptions."},"warnings":[{"fix":"Double-check the service name (e.g., 'es' for Elasticsearch, 's3' for S3, 'execute-api' for API Gateway) and region (e.g., 'us-east-1') against AWS documentation for your specific endpoint.","message":"Incorrect `aws_service` or `aws_region` parameters will lead to 'SignatureDoesNotMatch' errors. Ensure these values precisely match the AWS service and region you are targeting.","severity":"gotcha","affected_versions":"All"},{"fix":"Synchronize your system's clock using NTP. This library automatically generates the `x-amz-date` header, so clock accuracy is crucial.","message":"Timestamp skew between your system and AWS can cause 'RequestTimeTooSkewed' errors. AWS typically allows a few minutes of clock drift.","severity":"gotcha","affected_versions":"All"},{"fix":"Ensure `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables are correctly set, or pass valid `aws_access_key_id` and `aws_secret_access_key` (and optionally `aws_session_token`) to the `AWSSigV4` constructor. If using `boto3` for credentials, ensure it's configured correctly.","message":"Missing or invalid AWS credentials will result in authentication failures ('Missing Authentication Token' or 'SignatureDoesNotMatch').","severity":"gotcha","affected_versions":"All"},{"fix":"Ensure the `Content-Type` header sent in your `requests` call precisely matches what AWS expects and is correctly included in the signature calculation by the library. For JSON, use `application/json`; for form data, use `application/x-www-form-urlencoded`.","message":"For requests with a payload (e.g., POST, PUT), the `Content-Type` header is critical for signature calculation. Mismatches can cause 'SignatureDoesNotMatch'.","severity":"gotcha","affected_versions":"All"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}