AWS SigV4 request signing interceptor support?

[jpalomaki]

Hello,

AWS VPC Lattice allows for securing service-to-service communication, by having services declare authorization policies, using IAM policy language.

To make this authorization scheme work, clients must sign outgoing HTTP requests using SigV4, as described here.

Question: would it make sense for Spring Cloud AWS to provide out-of-the-box request interceptors for this purpose, supporting commonly used HTTP clients such OpenFeign and Spring Interface Clients?

Thanks,
Jukka

[maciejwalkowiak]

This is a great idea especially for WebClient and RestClient. OpenFeign as well but with lower priority. Would you like to contribute it?

[jpalomaki]

@maciejwalkowiak Possibly, I will first have a look at your contribution guidelines and investigate how we could implement this in our specific use case.

That said, do you have any suggestions on how this bit of new code could be packaged within Spring Cloud AWS, should it be included in a new starter, or would it be more of a utility kind of package?

SigV4 request signing can useful outside of the VPC Lattice context, too.

[maciejwalkowiak]

My first idea was to implement it inthe core module as it seems like every module can benefit from it. This would be the first step, second - if/how we should auto-configure it.

[jpalomaki]

@maciejwalkowiak We are now running the OpenFeign SigV4 request interceptor code in production, to learn how it behaves.

Our current design is pretty simple, just a single module spring-cloud-aws-vpc-lattice, where we have a common package-private SigV4 signer class, and then public request interceptor classes for both OpenFeign and Spring Interface Clients.

VPC Lattice requires the UNSIGNED-PAYLOAD type of SigV4 signatures (the request body isn't part of the signature), so I am inclined to think that it might be appropriate to not attempt to make the SigV4 signing component generic at this time, but rather just tailor it to this specific use case.

For a user, configuring the interceptor for OpenFeign looks something like this (we only have this interceptor configured, and we run the code in AWS ECS Fargate):

@Bean
public RequestInterceptor awsSigv4RequestInterceptor() {
    return new FeignSigv4HttpRequestInterceptor(ContainerCredentialsProvider.create(), Region.EU_WEST_1);
}

I am also not sure if any type of autoconfiguration is necessary/possible here. It is also worth noting that this interceptor must be placed last in the chain of interceptors, to ensure it considers all request headers.

Let me know what you think, thanks.

[maciejwalkowiak]

Thanks @jpalomaki for an update. Does this module have any required dependencies? I am wondering if it must have a separate module, or it can just be placed in core.

Regarding auto-configuration - it looks like it's better not auto-configure it and let users make explicit decisions on how it is configured.

[jpalomaki]

@maciejwalkowiak These are the current compile-time dependencies (dependency versions are managed thru BOMs):

<dependencies>
    <dependency>
        <groupId>software.amazon.awssdk</groupId>
        <artifactId>auth</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-openfeign-core</artifactId>
    </dependency>
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-web</artifactId>
    </dependency>
</dependencies>