Lib.rs

Network programmingreqsign
#aws #reqsign #aws-credentials #sig-v4 #assume-role #iam #amazon-s3

reqsign-aws-v4

AWS SigV4 signing implementation for reqsign

by Xuanwo, tison and 35 contributors

3 stable releases

Uses new Rust 2024

2.0.1 Nov 3, 2025
2.0.0 Oct 8, 2025
1.0.0 Sep 1, 2025

#745 in Network programming

Download history 86/week @ 2025-08-27 174/week @ 2025-09-03 330/week @ 2025-09-10 2362/week @ 2025-09-17 3470/week @ 2025-09-24 4371/week @ 2025-10-01 7840/week @ 2025-10-08 7051/week @ 2025-10-15 4801/week @ 2025-10-22 7604/week @ 2025-10-29 6457/week @ 2025-11-05 7437/week @ 2025-11-12 15775/week @ 2025-11-19

38,097 downloads per month
Used in 32 crates (2 directly)

Apache-2.0

275KB
5K SLoC

reqsign-aws-v4

AWS SigV4 signing implementation for reqsign.

This crate provides AWS Signature Version 4 (SigV4) signing capabilities for authenticating requests to AWS services like S3, DynamoDB, Lambda, and more.

Quick Start

use reqsign_aws_v4::{Builder, Config, DefaultLoader};
use reqsign_core::{Context, Signer};

// Create context and signer
let ctx = Context::default();
let config = Config::default().from_env().from_profile();
let loader = DefaultLoader::new(config);
let builder = Builder::new("s3", "us-east-1");
let signer = Signer::new(ctx, loader, builder);

// Sign requests
let mut req = http::Request::get("https://s3.amazonaws.com/mybucket/mykey")
    .body(())
    .unwrap()
    .into_parts()
    .0;

signer.sign(&mut req, None).await?;

Features

  • Complete SigV4 Implementation: Full AWS Signature Version 4 support
  • Multiple Credential Sources: Environment, files, IAM roles, and more
  • Service Agnostic: Works with any AWS service using SigV4
  • Async Support: Built for modern async Rust applications

Credential Sources

This crate supports loading credentials from:

  1. Environment Variables

    export AWS_ACCESS_KEY_ID=your_access_key
export AWS_SECRET_ACCESS_KEY=your_secret_key
export AWS_SESSION_TOKEN=your_session_token  # Optional

  2. Credential File (~/.aws/credentials)

    [default]
aws_access_key_id = your_access_key
aws_secret_access_key = your_secret_key

[production]
aws_access_key_id = prod_access_key
aws_secret_access_key = prod_secret_key

  3. IAM Roles (EC2, ECS, Lambda)

    • Automatically detected and used when running on AWS infrastructure

  4. AssumeRole with STS

    let config = Config::default()
    .role_arn("arn:aws:iam::123456789012:role/MyRole")
    .role_session_name("my-session");

  5. Web Identity Tokens (EKS/Kubernetes)

    • Automatically detected in EKS environments

Supported Services

Works with any AWS service using SigV4:

  • Storage: S3, EBS, EFS
  • Database: DynamoDB, RDS, DocumentDB
  • Compute: EC2, Lambda, ECS
  • Messaging: SQS, SNS, EventBridge
  • Analytics: Kinesis, Athena, EMR
  • And many more...

Examples

S3 Operations

// List buckets
let req = http::Request::get("https://s3.amazonaws.com/")
    .header("x-amz-content-sha256", EMPTY_STRING_SHA256)
    .body(())?;

// Get object
let req = http::Request::get("https://bucket.s3.amazonaws.com/key")
    .header("x-amz-content-sha256", EMPTY_STRING_SHA256)
    .body(())?;

DynamoDB Operations

// List tables
let req = http::Request::post("https://dynamodb.us-east-1.amazonaws.com/")
    .header("x-amz-target", "DynamoDB_20120810.ListTables")
    .header("content-type", "application/x-amz-json-1.0")
    .body(json!({}))?;

Check out more examples:

Advanced Configuration

Custom Profile

let config = Config::default()
    .profile("production")
    .from_profile();

Assume Role

let config = Config::default()
    .role_arn("arn:aws:iam::123456789012:role/MyRole")
    .external_id("unique-external-id")
    .duration_seconds(3600);

Direct Credentials

let config = Config::default()
    .access_key_id("AKIAIOSFODNN7EXAMPLE")
    .secret_access_key("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")
    .session_token("optional-session-token");

License

Licensed under Apache License, Version 2.0.

Dependencies

~8–12MB
~204K SLoC