{"id":3258,"library":"requests-aws-sign","title":"AWS Signature Version 4 Signing for Requests","description":"requests-aws-sign is a Python package that enables AWS Signature Version 4 (SigV4) request signing using the popular `requests` library. It provides the `AWSV4Sign` class which extends `requests.auth.AuthBase` to handle the intricate SigV4 signing process for HTTP requests to AWS services. The current version is 0.1.6, and it appears to be in a maintenance state, with the last release in July 2020.","status":"maintenance","version":"0.1.6","language":"en","source_language":"en","source_url":"https://github.com/jmenga/requests-aws-sign","tags":["aws","authentication","requests","sigv4","security"],"install":[{"cmd":"pip install requests-aws-sign","lang":"bash","label":"Install stable version"}],"dependencies":[{"reason":"Core HTTP library that requests-aws-sign extends for authentication.","package":"requests","optional":false},{"reason":"Highly recommended for robust AWS credential management (e.g., fetching credentials from environment variables, IAM roles, or STS temporary credentials), though not a strict runtime dependency of the signing logic itself.","package":"boto3","optional":true}],"imports":[{"note":"This is the primary class provided for request signing.","symbol":"AWSV4Sign","correct":"from requests_aws_sign import AWSV4Sign"}],"quickstart":{"code":"import requests\nfrom requests_aws_sign import AWSV4Sign\nfrom boto3 import session\nimport os\n\n# NOTE: For a real application, ensure AWS credentials are set via environment\n# variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN)\n# or AWS config files, so boto3 can find them.\n# For this example, we'll try to get them, but you might need to set them.\n\nsession_boto3 = session.Session()\ncredentials = session_boto3.get_credentials() if session_boto3.get_credentials() else None\n\nif not credentials or not credentials.access_key or not credentials.secret_key:\n    print(\"Warning: AWS credentials not found. Using dummy credentials. This request will likely fail.\")\n    print(\"Please configure AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and optionally AWS_SESSION_TOKEN environment variables.\")\n    access_key = os.environ.get('AWS_ACCESS_KEY_ID', 'AKIAIOSFODNN7EXAMPLE')\n    secret_key = os.environ.get('AWS_SECRET_ACCESS_KEY', 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY')\n    session_token = os.environ.get('AWS_SESSION_TOKEN', None)\n    \n    # Mocking a credentials object if boto3 couldn't find them\n    class MockCredentials:\n        def __init__(self, access_key, secret_key, token):\n            self.access_key = access_key\n            self.secret_key = secret_key\n            self.token = token\n    credentials = MockCredentials(access_key, secret_key, session_token)\n\nregion = session_boto3.region_name or 'us-east-1' # Default to us-east-1 if boto3 can't determine\nservice = 'es' # Example service, e.g., 's3', 'execute-api', 'es'\n\n# This URL is an example and likely won't work without a real Elasticsearch domain\n# Replace with a real AWS service endpoint you have access to\nurl = f\"https://{service}-domain-example.{region}.es.amazonaws.com/\"\n\nauth = AWSV4Sign(credentials, region, service)\n\ntry:\n    response = requests.get(url, auth=auth, timeout=5) # Added timeout\n    response.raise_for_status() # Raise an HTTPError for bad responses (4xx or 5xx)\n    print(f\"Successfully signed and sent request to {url}\")\n    print(f\"Status Code: {response.status_code}\")\n    # print(response.text) # Uncomment to see response body\nexcept requests.exceptions.RequestException as e:\n    print(f\"Request failed: {e}\")\n    if hasattr(e, 'response') and e.response is not None:\n        print(f\"Response status code: {e.response.status_code}\")\n        print(f\"Response headers: {e.response.headers}\")\n        print(f\"Response body: {e.response.text}\")\n","lang":"python","description":"This quickstart demonstrates how to use `requests-aws-sign` to sign an HTTP GET request to an AWS service (e.g., Elasticsearch Service). It leverages `boto3` to automatically retrieve AWS credentials and region, falling back to dummy credentials if not found. This ensures the necessary `AWSV4Sign` object is correctly initialized before making the signed request. Remember to replace the `url` and `service` with your actual AWS service endpoint and name."},"warnings":[{"fix":"Ensure `credentials`, `region`, and `service` passed to `AWSV4Sign` are accurate for the target AWS endpoint. Use `boto3.session.Session().get_credentials()` and `boto3.session.Session().region_name` to reliably get credentials and region. Consult AWS documentation for the correct service identifier for your API.","message":"AWS SigV4 signing requires specific parameters: valid AWS credentials, the correct AWS region, and the exact AWS service name (e.g., 's3', 'es', 'execute-api'). Incorrect values for any of these parameters will result in 'SignatureDoesNotMatch' or 'IncompleteSignature' errors from AWS services.","severity":"gotcha","affected_versions":"All"},{"fix":"Ensure your credential object (e.g., from `boto3.session.Session().get_credentials()`) correctly provides the `token` attribute if temporary credentials are in use. The `AWSV4Sign` constructor takes this `credentials` object directly, which should contain the `token` if available.","message":"When using AWS Security Token Service (STS) temporary credentials (e.g., from an assumed role or EC2 instance profile), the `AWSV4Sign` class needs the `session_token` in addition to `access_key` and `secret_key`. Failure to include the `X-Amz-Security-Token` header (which the library adds if `session_token` is provided) will lead to authentication failures like 'ExpiredTokenException'.","severity":"gotcha","affected_versions":"All"},{"fix":"To use with a session: `s = requests.Session(); s.auth = AWSV4Sign(credentials, region, service); response = s.get(url)`. This reuses underlying connections and applies the auth consistently.","message":"This library primarily focuses on signing individual `requests` calls. For making multiple signed requests to the same AWS service efficiently, it's generally best practice to use a `requests.Session` object. The `AWSV4Sign` object can be assigned to a session's `auth` attribute, but the library does not provide a specialized `Session` subclass itself.","severity":"gotcha","affected_versions":"All"},{"fix":"Ensure all AWS services you interact with support or require Signature Version 4. This library exclusively generates SigV4 signatures. Migrate any legacy SigV2 implementations to SigV4. The AWS SDKs handle this automatically with up-to-date versions.","message":"While `requests-aws-sign` itself is designed for SigV4, older AWS SDKs or custom implementations might still use Signature Version 2 (SigV2). AWS has deprecated SigV2 for new S3 buckets created after June 24, 2020, and strongly encourages migration to SigV4 for all services due to enhanced security. If you are integrating with an existing system that uses SigV2, this library will not be compatible.","severity":"breaking","affected_versions":"N/A (issue is with AWS, not this library, but affects its applicability)"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}