aws-sdk-go

Allow custom `ignoredHeaders` with v4 signer

Open greedy52 opened this issue 2 years ago • 0 comments

Describe the feature

Currently, `ignoredHeaders` is a private hard-coded list which includes the auth header, User-Agent, and the trace ID header: https://github.com/aws/aws-sdk-go/blob/183764bff45cc1d1e8ddecccd706dc26aaaa2c44/aws/signer/v4/v4.go#L92-L100

Request to give an option for overwriting this list when using the v4 signer.

Use Case

Teleport implements a proxy for AWS APIs and uses the v4 signer for verifying incoming AWS requests.

However, it was found that some AWS applications (e.g. AWS Java SDK v1, Athena JDBC driver) sign their requests with the User-Agent header included, like:

```
SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;amz-sdk-retry;content-type;host;user-agent;x-amz-content-sha256;x-amz-date
```

Thus the signature generated by the golang SDK will never match the ones from these requests, as the User-Agent header is excluded in Go.

It would be great if the list of ignored headers could be overwritten when creating the signer.

Proposed Solution

Have a new option to overwrite the ignored headers list, for example:

```go
signer := v4.NewSigner(credentials, v4.WithIgnoredHeaders([]string{"Authorization", "X-Amzn-Trace-Id", "expect"}))
```

Other Information

No response

Acknowledgements

  • [X] I may be able to implement this feature request
  • [ ] This feature might incur a breaking change

SDK version used

v1.44.132

Environment details (Version of Go (go version)? OS name and version, etc.)

Go 1.19 macOS 13.0.1

greedy52, Dec 14 '22 16:12
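
The mismatch described in the issue, as an added example (not code from the issue or from aws-sdk-go): a standard-library SigV4 computation in which the verifier either honors the client's `SignedHeaders` list or drops `user-agent` from it the way a fixed ignore list would. The `Req` type, the `ignored` parameter and all request values are constructed for illustration; it assumes lowercase header names, an empty query string and an already-canonical path.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

type Req struct { // the signed parts of a request; hypothetical helper type
	Method, Path, AmzDate, Region, Service, PayloadHash string
	Headers map[string]string // lowercase name -> value
}

func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// Signature computes SigV4 over the names in signedHeaders, skipping any in ignored.
func Signature(secret string, r Req, signedHeaders string, ignored map[string]bool) string {
	var names, canon []string
	for _, n := range strings.Split(signedHeaders, ";") {
		if !ignored[n] {
			names = append(names, n)
			canon = append(canon, n+":"+strings.TrimSpace(r.Headers[n])+"\n")
		}
	}
	// Canonical request: method, URI, query, headers, blank line, signed list, payload hash.
	creq := strings.Join([]string{r.Method, r.Path, "", strings.Join(canon, ""), strings.Join(names, ";"), r.PayloadHash}, "\n")
	sum := sha256.Sum256([]byte(creq))
	day := r.AmzDate[:8]
	sts := "AWS4-HMAC-SHA256\n" + r.AmzDate + "\n" + day + "/" + r.Region + "/" + r.Service + "/aws4_request\n" + hex.EncodeToString(sum[:])
	k := mac(mac(mac(mac([]byte("AWS4"+secret), day), r.Region), r.Service), "aws4_request")
	return hex.EncodeToString(mac(k, sts))
}

// Verify recomputes the signature and compares it in constant time.
func Verify(secret string, r Req, signedHeaders, claimed string, ignored map[string]bool) bool {
	return hmac.Equal([]byte(Signature(secret, r, signedHeaders, ignored)), []byte(claimed))
}

func main() { // constructed sample values throughout
	r := Req{"POST", "/", "20221214T161200Z", "us-east-1", "athena", "UNSIGNED-PAYLOAD", map[string]string{
		"host": "example.invalid", "user-agent": "constructed-java-client", "x-amz-date": "20221214T161200Z"}}
	signed, secret := "host;user-agent;x-amz-date", "constructed-secret"
	claimed := Signature(secret, r, signed, nil) // what a client that signs user-agent sends
	fmt.Println(Verify(secret, r, signed, claimed, nil), Verify(secret, r, signed, claimed, map[string]bool{"user-agent": true}))
}
```

Dropping a header on the verifier side changes both the canonical headers and the signed-header list inside the canonical request, so the recomputed signature differs even though the secret and the request are unchanged.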