AWS4 Authentication for Requests

Warnings

• breaking Python 2.7 support was officially dropped in v1.1.0, and support for Python versions below 3.7 was explicitly removed in v1.3.0. Users on older Python versions will need to upgrade.
  Fix: Upgrade Python to >=3.7 and then upgrade requests-aws4auth to the latest version.
• breaking The `six` compatibility library was removed in v1.3.0, signifying a full transition to Python 3 syntax. Code relying on `six` within or alongside `requests-aws4auth` may break.
  Fix: Update your code to use native Python 3 constructs or ensure `six` is not inadvertently relied upon by other dependencies in a way that conflicts with `requests-aws4auth`.
• gotcha A regression error was present in versions 1.2.0 and 1.2.1 related to header port numbers, requiring a revert in v1.2.2. These versions should be avoided if port handling is critical.
  Fix: Upgrade to v1.2.2 or later.
• gotcha Version 0.8 introduced automatic request date checking and key regeneration. This significantly changed behavior regarding multithreading and secret key storage, as an `AWS4Auth` instance might modify its internal signing key during a request if date headers mismatch.
  Fix: Review the 'Date handling', 'Automatic key regeneration', 'Secret key storage', and 'Multithreading' sections in the library's documentation to understand the implications for long-running or multi-threaded applications.
• gotcha There are two popular, similarly named libraries: `requests-aws4auth` (this library, `tedder/requests-aws4auth`) and `aws-requests-auth` (`DavidMuller/aws-requests-auth`). Ensure you are importing from `requests_aws4auth` if you intend to use this specific package.
  Fix: Double-check your `pip install` command and `import` statements to confirm you are using the intended library.

Install

• pip install requests-aws4auth Install stable version

Imports

• AWS4Auth

  from requests_aws4auth import AWS4Auth

Quickstart

This example demonstrates how to set up AWS4Auth using access keys and a service endpoint, then make a GET request using the `requests` library. For production, always use environment variables or a secure credential provider (like `boto3`'s session credentials with `RefreshableCredentials`).

import os
import requests
from requests_aws4auth import AWS4Auth

# It's highly recommended to use environment variables for sensitive AWS credentials
aws_access_key_id = os.environ.get('AWS_ACCESS_KEY_ID', 'YOUR_ACCESS_KEY_ID')
aws_secret_access_key = os.environ.get('AWS_SECRET_ACCESS_KEY', 'YOUR_SECRET_ACCESS_KEY')
aws_session_token = os.environ.get('AWS_SESSION_TOKEN', '') # Optional for temporary STS credentials

# Replace with your target AWS service region and canonical service name
aws_region = os.environ.get('AWS_REGION', 'us-east-1')
aws_service = os.environ.get('AWS_SERVICE', 's3') # e.g., 's3', 'es', 'execute-api'

if aws_access_key_id == 'YOUR_ACCESS_KEY_ID' or aws_secret_access_key == 'YOUR_SECRET_ACCESS_KEY':
    print("WARNING: AWS credentials are not set in environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY). "
          "Using placeholder values, which will likely fail authentication.")

# Construct the authentication object
auth = AWS4Auth(
    aws_access_key_id,
    aws_secret_access_key,
    aws_region,
    aws_service,
    session_token=aws_session_token if aws_session_token else None
)

# Example endpoint for S3 (adjust to your specific AWS endpoint)
endpoint = f"https://s3.{aws_region}.amazonaws.com/"
print(f"Attempting to connect to: {endpoint} with service: {aws_service}")

try:
    response = requests.get(endpoint, auth=auth)
    response.raise_for_status() # Raise an exception for HTTP errors (4xx or 5xx)
    print(f"Successfully authenticated and received status code: {response.status_code}")
    # print(response.text) # Uncomment to see the response body
except requests.exceptions.HTTPError as e:
    print(f"HTTP Error: {e.response.status_code} - {e.response.text}")
except requests.exceptions.RequestException as e:
    print(f"Request failed: {e}")