package aws

import "github.com/open-policy-agent/opa/internal/providers/aws"

modified from github.com/aws/aws-sdk-go-v2/internal/v4a@7a32d707af

Index

Constants 

const (
	// AmzRegionSetKey represents the region set header used for sigv4a
	AmzRegionSetKey = "X-Amz-Region-Set"
)

Functions

func DoRequestWithClient 

func DoRequestWithClient(req *http.Request, client *http.Client, desc string, logger logging.Logger) ([]byte, error)

DoRequestWithClient is a convenience function to get the body of an HTTP response with appropriate error-handling boilerplate and logging.

func SetRandomSource 

func SetRandomSource(reader io.Reader)

SetRandomSource used for testing to override rand so tests can expect stable output

func SignRequest 

func SignRequest(req *http.Request, service string, creds Credentials, theTime time.Time, sigVersion string) error

SignRequest modifies an http.Request to include an AWS V4 signature based on the provided credentials.

func SignV4 

func SignV4(headers map[string][]string, method string, theURL *url.URL, body []byte, service string,
	awsCreds Credentials, theTime time.Time, disablePayloadSigning bool) (string, map[string]string)

SignV4 modifies a map[string][]string of headers to generate an AWS V4 signature + headers based on the config/credentials provided.

func SignV4a 

func SignV4a(headers map[string][]string, method string, theURL *url.URL, body []byte, service string, awsCreds Credentials, theTime time.Time) map[string][]string

SignV4a returns a map[string][]string of headers, including an added AWS V4a signature based on the config/credentials provided.

Types

type Credentials 

type Credentials struct {
	AccessKey    string
	SecretKey    string
	RegionName   string
	SessionToken string
}

func CredentialsFromObject 

func CredentialsFromObject(v ast.Object) Credentials

type ECR 

type ECR struct {
	// contains filtered or unexported fields
}

ECR is used to request tokens from Elastic Container Registry.

func NewECR 

func NewECR(logger logging.Logger) *ECR

func (*ECR) GetAuthorizationToken 

func (e *ECR) GetAuthorizationToken(ctx context.Context, creds Credentials, signatureVersion string) (ECRAuthorizationToken, error)

GetAuthorizationToken requests a token that can be used to authenticate image pull requests.

type ECRAuthorizationToken 

type ECRAuthorizationToken struct {
	AuthorizationToken string
	ExpiresAt          time.Time
}

ECRAuthorizationToken can sign requests to AWS ECR.

It corresponds to data returned by the AWS GetAuthorizationToken API. See https://docs.aws.amazon.com/AmazonECR/latest/APIReference/API_AuthorizationData.html

func (*ECRAuthorizationToken) IsValid 

func (t *ECRAuthorizationToken) IsValid() bool

IsValid returns true if the token is set and not expired. It respects a margin of error for time handling and will mark it as expired early.

type KMS 

type KMS struct {
	// contains filtered or unexported fields
}

KMS is used to sign payloads using AWS Key Management Service.

func NewKMS 

func NewKMS(logger logging.Logger) *KMS

func NewKMSWithURLClient 

func NewKMSWithURLClient(url string, client *http.Client, logger logging.Logger) *KMS

func (*KMS) SignDigest 

func (k *KMS) SignDigest(ctx context.Context, digest []byte, keyID string, signingAlgorithm string, creds Credentials, signatureVersion string) (string, error)

SignDigest signs a digest using KMS.

type KMSSignRequest 

type KMSSignRequest struct {
	KeyID            string `json:"KeyId"`
	Message          string `json:"Message"`
	MessageType      string `json:"MessageType"`
	SigningAlgorithm string `json:"SigningAlgorithm"`
}

type KMSSignResponse 

type KMSSignResponse struct {
	KeyID            string `json:"KeyId"`
	Signature        string `json:"Signature"`
	SigningAlgorithm string `json:"SigningAlgorithm"`
}

Source Files

ecr.go kms.go signing_v4.go signing_v4a.go util.go

Directories

PathSynopsis
internal/providers/aws/crypto
internal/providers/aws/v4
Version
v1.4.2 (latest)
Published
May 2, 2025
Platform
linux/amd64
Imports
30 packages
Last checked
6 hours ago

Tools for package owners.