AWS SigV4 Credential Signing


AWS SigV4 credential signing lets sandbox agents call AWS services (Bedrock, S3, STS, and others) through the proxy’s CONNECT tunnel. The proxy intercepts outbound requests, strips the sandbox client’s placeholder Authorization header, and re-signs the request with real AWS credentials from the provider. The sandbox never sees the real credentials.

Prerequisites

  • A provider with AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY credentials configured. Optionally include AWS_SESSION_TOKEN for STS temporary credentials.
  • A sandbox policy with credential_signing enabled on the target endpoint.

Provider Setup

Create a provider with AWS credentials:

$ openshell provider create \
>   --name aws-prod \
>   --credential AWS_ACCESS_KEY_ID=AKIA... \
>   --credential AWS_SECRET_ACCESS_KEY=wJalr...

For STS temporary credentials, include the session token:

$ openshell provider create \
>   --name aws-sts \
>   --credential AWS_ACCESS_KEY_ID=ASIA... \
>   --credential AWS_SECRET_ACCESS_KEY=secret... \
>   --credential AWS_SESSION_TOKEN=FwoGZX...

Policy Configuration

Enable SigV4 signing on a per-endpoint basis using three policy fields:

Field               Type    Required  Description
credential_signing  string  Yes       Signing mode: sigv4, sigv4:body, or sigv4:no_body.
signing_service     string  Yes       AWS service name for the SigV4 signature (e.g. bedrock, s3, sts).
signing_region      string  No        AWS region override. When omitted, extracted from the endpoint hostname. Required for non-standard endpoints.

Bedrock Example

network_policies:
  aws_bedrock:
    endpoints:
      - host: bedrock-runtime.us-east-1.amazonaws.com
        port: 443
        protocol: rest
        credential_signing: sigv4
        signing_service: bedrock
        rules:
          - allow:
              method: POST
              path: /model/*/invoke

The Bedrock example uses rules for fine-grained access control. When rules are present, omit the access field — they are mutually exclusive.

S3 Example

network_policies:
  aws_s3:
    endpoints:
      - host: "*.s3.us-east-1.amazonaws.com"
        port: 443
        protocol: rest
        access: full
        credential_signing: sigv4
        signing_service: s3

STS Example

network_policies:
  aws_sts:
    endpoints:
      - host: sts.us-east-1.amazonaws.com
        port: 443
        protocol: rest
        access: full
        credential_signing: sigv4
        signing_service: sts

Signing Modes

The credential_signing field accepts three values:

Value          Behavior                                                                                                  Use When
sigv4          Auto-detect payload mode from the client SDK's x-amz-content-sha256 header.                               Default. Works for most AWS services.
sigv4:body     Always buffer the request body and include its SHA-256 hash in the signature. Maximum body size: 10 MiB.  Services that require body signing (Bedrock).
sigv4:no_body  Sign headers only with UNSIGNED-PAYLOAD. Stream the body through without buffering.                       Large uploads (S3 PutObject), chunked transfers, or any case where body buffering is impractical.

In sigv4 auto-detect mode, the proxy inspects the x-amz-content-sha256 header sent by the client SDK:

  • Hex hash → buffer body and sign it (same as sigv4:body).
  • UNSIGNED-PAYLOAD → sign headers only (same as sigv4:no_body).
  • STREAMING-UNSIGNED-PAYLOAD-TRAILER → sign headers only, stream body through.
  • Absent → sign body if Content-Length is present, otherwise use unsigned payload.

Chunk-signed streaming modes like STREAMING-AWS4-HMAC-SHA256-PAYLOAD are not supported. The proxy cannot reproduce per-chunk signatures. If your client SDK sends chunk-signed requests, use sigv4:no_body instead.
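The following is an added example, not OpenShell's own proxy code: it applies the mode table and the auto-detect rules above to pick the payload hash, then performs the re-signing the page describes (placeholder Authorization dropped, real provider credentials used, x-amz-security-token added when AWS_SESSION_TOKEN is present). It assumes a request with no query string and takes the credentials as a dict keyed like the provider variables.

```python
import hashlib
import hmac
from urllib.parse import quote

MAX_BODY = 10 * 1024 * 1024  # sigv4:body buffering limit stated on the page

def payload_hash(mode, headers, body):
    """Pick the x-amz-content-sha256 value to sign, per the mode table.
    headers: lowercase-keyed dict of the client's request headers."""
    if mode == "sigv4:body":
        if len(body) > MAX_BODY:
            raise ValueError("body exceeds 10 MiB; use sigv4:no_body")
        return hashlib.sha256(body).hexdigest()
    if mode == "sigv4:no_body":
        return "UNSIGNED-PAYLOAD"
    # mode "sigv4": auto-detect from what the client SDK sent
    sent = headers.get("x-amz-content-sha256")
    if sent is None:  # absent: sign the body only if Content-Length is present
        return hashlib.sha256(body).hexdigest() if "content-length" in headers else "UNSIGNED-PAYLOAD"
    if sent in ("UNSIGNED-PAYLOAD", "STREAMING-UNSIGNED-PAYLOAD-TRAILER"):
        return "UNSIGNED-PAYLOAD"
    if sent.startswith("STREAMING-AWS4-HMAC-SHA256"):
        raise ValueError("chunk-signed payload not supported; use sigv4:no_body")
    return hashlib.sha256(body).hexdigest()  # hex hash: buffer and sign the body

def resign(method, host, path, headers, body, creds, service, region, mode, amz_date):
    """Drop the sandbox's placeholder Authorization and sign with the provider's creds.
    Assumes no query string; amz_date is the x-amz-date value, e.g. 20240102T030405Z."""
    h = {k.lower(): v.strip() for k, v in headers.items() if k.lower() != "authorization"}
    h["host"] = host
    h["x-amz-date"] = amz_date
    h["x-amz-content-sha256"] = payload_hash(mode, h, body)
    if creds.get("AWS_SESSION_TOKEN"):  # STS temporary credentials
        h["x-amz-security-token"] = creds["AWS_SESSION_TOKEN"]
    signed = ";".join(sorted(h))
    canonical = "\n".join([method, quote(path, safe="/~"), "",
                           "".join(f"{k}:{h[k]}\n" for k in sorted(h)), signed, h["x-amz-content-sha256"]])
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + creds["AWS_SECRET_ACCESS_KEY"]).encode()
    for part in (amz_date[:8], region, service, "aws4_request"):  # derive the signing key
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    sig = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    h["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['AWS_ACCESS_KEY_ID']}/{scope}, "
                          f"SignedHeaders={signed}, Signature={sig}")
    return h
```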

Region Detection

The proxy extracts the AWS region from the endpoint hostname automatically. It supports standard, dualstack, FIPS, virtual-hosted, GovCloud, and China partition hostnames.

For endpoints where the region cannot be inferred from the hostname, set signing_region explicitly:

endpoints:
  - host: custom-vpc-endpoint.example.com
    port: 443
    protocol: rest
    access: full
    credential_signing: sigv4
    signing_service: s3
    signing_region: us-west-2

Restrictions

  • credential_signing and request_body_credential_rewrite are mutually exclusive on the same endpoint. The policy validator rejects policies that set both.
  • The sigv4:body mode buffers at most 10 MiB. Requests with larger bodies are rejected. Use sigv4:no_body or sigv4 (auto-detect) for large payloads.
  • The proxy requires AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in the provider. If either is missing, the request fails with an error.

Use from a Sandbox

Inside a sandbox, configure the AWS SDK with placeholder credentials. The proxy replaces them with real credentials during re-signing:

$ export AWS_ACCESS_KEY_ID=placeholder
$ export AWS_SECRET_ACCESS_KEY=placeholder
$ export AWS_DEFAULT_REGION=us-east-1

Then use any AWS SDK or CLI normally. The proxy transparently re-signs requests before forwarding to AWS.