from botocore import crt
import requests
from botocore.awsrequest import AWSRequest
from botocore.credentials import Credentials
import botocore.session
if __name__ == '__main__':
session = botocore.session.Session()
signer = crt.auth.CrtS3SigV4AsymAuth(session.get_credentials(), 'vpc-lattice-svcs', 'us-west-2')
endpoint = 'https://user-02222f67d3a427111.1234abc.vpc-lattice-svcs.us-west-2.on.aws/create'
data = "some-data-here"
headers = {'Content-Type': 'application/json'}
request = AWSRequest(method='POST', url=endpoint, data=data, headers=headers)
request.context["has_streaming_input"] = True # payload signing is not supported
signer.add_auth(request)
prepped = request.prepare()
response = requests.post(prepped.url, headers=prepped.headers, data=data)
带拦截器的 Java
本示例使用
Amazon 请求签名拦截程序
处理请求签名。
import com.amazonaws.http.AwsRequestSigningApacheInterceptor;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.signer.Aws4UnsignedPayloadSigner;
import software.amazon.awssdk.regions.Region;
import java.nio.charset.StandardCharsets;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ByteArrayEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
public class App {
public static void main(String[] args) {
var interceptor = new AwsRequestSigningApacheInterceptor(
"vpc-lattice-svcs",
Aws4UnsignedPayloadSigner.create(), // requires HTTPS
DefaultCredentialsProvider.create(),
Region.US_WEST_2.id()
CloseableHttpClient client = HttpClients.custom()
.addInterceptorLast(interceptor)
.build();
var httpPost = new HttpPost("https://user-02222f67d3a427111.1234abc.vpc-lattice-svcs.us-west-2.on.aws/create");
httpPost.addHeader("content-type", "application/json");
var body = """
"name": "Jane Doe",
"job": "Engineer"
httpPost.setEntity(new ByteArrayEntity(body.getBytes(StandardCharsets.UTF_8)));
try (var response = client.execute(httpPost)) {
System.out.println(new String(response.getEntity().getContent().readAllBytes()));
} catch (Exception e) {
throw new RuntimeException(e);
不带拦截器的 Java
本示例展示了如何使用自定义拦截器执行请求签名。本示例使用来自 AWS SDK for Java 2.x 的默认凭证提供商类,为您获取正确的凭证。如果您希望使用特定的凭证提供商,可以从 AWS SDK for Java 2.x 中选择一个。仅 AWS SDK for Java 允许通过 HTTPS 进行未签名的有效负载。但您可以扩展签名程序,以支持通过 HTTP 的未签名有效负载。
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.auth.signer.Aws4UnsignedPayloadSigner;
import software.amazon.awssdk.auth.signer.AwsSignerExecutionAttribute;
import software.amazon.awssdk.core.interceptor.ExecutionAttributes;
import software.amazon.awssdk.http.SdkHttpFullRequest;
import software.amazon.awssdk.http.SdkHttpMethod;
import software.amazon.awssdk.regions.Region;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ByteArrayEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
public class App {
public static void main(String[] args) {
var signer = Aws4UnsignedPayloadSigner.create(); // requires HTTPS
Map<String, String> headers = new HashMap<>();
headers.put("content-type", "application/json");
var body = """
"name": "Jane Doe",
"job": "Engineer"
String endpoint = "https://user-02222f67d3a427111.1234abc.vpc-lattice-svcs.us-west-2.on.aws/create";
var sdkRequest = SdkHttpFullRequest.builder().method(SdkHttpMethod.POST);
sdkRequest.host("user-02222f67d3a427111.1234abc.vpc-lattice-svcs.us-west-2.on.aws");
sdkRequest.protocol("HTTPS");
sdkRequest.encodedPath("/create");
sdkRequest.contentStreamProvider(() -> new ByteArrayInputStream(body.getBytes(StandardCharsets.UTF_8)));
for (Map.Entry<String, String> header : headers.entrySet()) {
sdkRequest.putHeader(header.getKey(), header.getValue());
ExecutionAttributes attributes = ExecutionAttributes.builder()
.put(AwsSignerExecutionAttribute.AWS_CREDENTIALS, DefaultCredentialsProvider.create().resolveCredentials())
.put(AwsSignerExecutionAttribute.SERVICE_SIGNING_NAME, "vpc-lattice-svcs")
.put(AwsSignerExecutionAttribute.SIGNING_REGION, Region.US_WEST_2)
.build();
SdkHttpFullRequest prepRequest = signer.sign(sdkRequest.build(), attributes);
HttpPost httpPost = new HttpPost(endpoint);
for (Map.Entry<String, List<String>> header : prepRequest.headers().entrySet()) {
if (header.getKey().equalsIgnoreCase("host")) { continue; }
for(var value : header.getValue()) {
httpPost.addHeader(header.getKey(), value);
CloseableHttpClient client = HttpClients.custom().build();
httpPost.setEntity(new ByteArrayEntity(body.getBytes(StandardCharsets.UTF_8)));
try (var response = client.execute(httpPost)){
System.out.println(new String(response.getEntity().getContent().readAllBytes()));
} catch (IOException e) {
throw new RuntimeException(e);
Node.js
本例使用 aws-crt NodeJS 绑定来发送使用 HTTPS 的签名请求。
要安装 aws-crt 包,请使用以下命令。
npm -i aws-crt
如果存在 AWS_REGION 环境变量,本例将使用 AWS_REGION 指定的区域。默认区域为 us-east-1。
SIGv4
const https = require('https')
const crt = require('aws-crt')
const { HttpRequest } = require('aws-crt/dist/native/http')
function sigV4Sign(method, endpoint, service, algorithm) {
const host = new URL(endpoint).host
const request = new HttpRequest(method, endpoint)
request.headers.add('host', host)
// crt.io.enable_logging(crt.io.LogLevel.INFO)
const config = {
service: service,
region: process.env.AWS_REGION ? process.env.AWS_REGION : 'us-east-1',
algorithm: algorithm,
signature_type: crt.auth.AwsSignatureType.HttpRequestViaHeaders,
signed_body_header: crt.auth.AwsSignedBodyHeaderType.XAmzContentSha256,
signed_body_value: crt.auth.AwsSignedBodyValue.UnsignedPayload,
provider: crt.auth.AwsCredentialsProvider.newDefault()
return crt.auth.aws_sign_request(request, config)
if (process.argv.length === 2) {
console.error(process.argv[1] + ' <url>')
process.exit(1)
const algorithm = crt.auth.AwsSigningAlgorithm.SigV4;
sigV4Sign('GET', process.argv[2], 'vpc-lattice-svcs').then(
httpResponse => {
var headers = {}
for (const sigv4header of httpResponse.headers) {
headers[sigv4header[0]] = sigv4header[1]
const options = {
hostname: new URL(process.argv[2]).host,
path: '/',
method: 'GET',
headers: headers
req = https.request(options, res => {
console.log('statusCode:', res.statusCode)
console.log('headers:', res.headers)
res.on('data', d => {
process.stdout.write(d)
req.on('error', err => {
console.log('Error: ' + err)
req.end()
SIGv4A
const https = require('https')
const crt = require('aws-crt')
const { HttpRequest } = require('aws-crt/dist/native/http')
function sigV4Sign(method, endpoint, service, algorithm) {
const host = new URL(endpoint).host
const request = new HttpRequest(method, endpoint)
request.headers.add('host', host)
// crt.io.enable_logging(crt.io.LogLevel.INFO)
const config = {
service: service,
region: process.env.AWS_REGION ? process.env.AWS_REGION : 'us-east-1',
algorithm: algorithm,
signature_type: crt.auth.AwsSignatureType.HttpRequestViaHeaders,
signed_body_header: crt.auth.AwsSignedBodyHeaderType.XAmzContentSha256,
signed_body_value: crt.auth.AwsSignedBodyValue.UnsignedPayload,
provider: crt.auth.AwsCredentialsProvider.newDefault()
return crt.auth.aws_sign_request(request, config)
if (process.argv.length === 2) {
console.error(process.argv[1] + ' <url>')
process.exit(1)
const algorithm = crt.auth.AwsSigningAlgorithm.SigV4Asymmetric;
sigV4Sign('GET', process.argv[2], 'vpc-lattice-svcs').then(
httpResponse => {
var headers = {}
for (const sigv4header of httpResponse.headers) {
headers[sigv4header[0]] = sigv4header[1]
const options = {
hostname: new URL(process.argv[2]).host,
path: '/',
method: 'GET',
headers: headers
req = https.request(options, res => {
console.log('statusCode:', res.statusCode)
console.log('headers:', res.headers)
res.on('data', d => {
process.stdout.write(d)
req.on('error', err => {
console.log('Error: ' + err)
