aws-samples / sigv4a-signing-examples

Code examples in various frameworks for creating requests using the AWS SigV4a protocol
MIT No Attribution

TPM based signing #21

Closed salrashid123 closed 1 month ago

salrashid123 commented 1 month ago

not a bug but in case anyone is interested, here are some samples of the signing flow where the HMAC or Roles Anywhere key is embedded inside a TPM:

coming back to v4a signing, I don't have MRAP set up anywhere but I was able to issue a header which should work..

```python
import boto3
from cloud_auth_tpm.aws.awshmaccredentials import AWSHMACCredentials
from cloud_auth_tpm.policy import PCRPolicy, PCRAuthValuePolicy
from botocore import crt, awsrequest

# `args` (argparse namespace), `policy_impl` (a PCRPolicy / PCRAuthValuePolicy
# instance) and `SigV4ASign` (this repo's Python example class) are set up
# earlier in the full sample and are not shown here.

# Credentials whose HMAC secret lives inside the TPM; the provider handles
# STS (GetSessionToken / AssumeRole) and returns a boto3 session.
pc = AWSHMACCredentials(
    tcti=args.tcti,
    keyfile=args.keyfile,
    ownerpassword=args.ownerpassword,
    password=args.password,
    policy_impl=policy_impl,
    enc_key_name=args.enc_key_name,

    access_key=args.aws_access_key_id,
    region=args.region,
    duration_seconds=3600,
    role_session_name=args.role_session_name,
    assume_role_arn=args.assume_role_arn,

    get_session_token=args.get_session_token
)

session = pc.get_session()

# SigV4a request against an S3 Multi-Region Access Point alias; region '*'
# is the region set signed into X-Amz-Region-Set.
service = 's3'
region = '*'
method = 'GET'
url = 'https://myalias.accesspoint.s3-global.amazonaws.com/someobject'

headers = SigV4ASign(session).get_headers_basic(service, region, method, url)
print(headers)
```

gave a header with AWS4-ECDSA-P256-SHA256

```
{'host': 'myalias.accesspoint.s3-global.amazonaws.com', 'X-Amz-Security-Token': 'FwoGZXIvYXdzEEEaDHMvPaP3Io6RxB9qI-redacted', 'X-Amz-Date': '20240930T160229Z', 'X-Amz-Region-Set': '*', 'x-amz-content-sha256': 'e3b0c44298fc1c149afbf4c8996-redacted', 'Authorization': 'AWS4-ECDSA-P256-SHA256 Credential=ASIAUH3H6EGK-redacted/20240930/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-region-set;x-amz-security-token, Signature=3044022045106142-redacted'}
```

again, if you're interested, please try it out and if there are modifications or outright corrections, pls add a comment on those repos...and just to be clear, it's not affiliated with AWS and I'm pretty much a novice when it comes to AWS so maybe doing things totally wrong.
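A quick sanity check for a header set like the one above, added here as an example and not part of the issue or the repo's code: it parses the SigV4a `Authorization` header and reports internal inconsistencies (signed headers that are absent, a credential-scope date that disagrees with `X-Amz-Date`, an unsigned session token or region set). The sample dict is constructed from the posted output with the token, payload hash and signature replaced by placeholders; it does not verify the ECDSA signature itself.

```python
import re

# Constructed sample based on the header dict posted above; secret-bearing
# values are placeholders, the signature is not a real DER signature.
SAMPLE_HEADERS = {
    'host': 'myalias.accesspoint.s3-global.amazonaws.com',
    'X-Amz-Security-Token': 'PLACEHOLDER-SESSION-TOKEN',
    'X-Amz-Date': '20240930T160229Z',
    'X-Amz-Region-Set': '*',
    'x-amz-content-sha256': 'PLACEHOLDER-PAYLOAD-HASH',
    'Authorization': ('AWS4-ECDSA-P256-SHA256 Credential=ASIAEXAMPLEKEYID/20240930/s3/aws4_request, '
                      'SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-region-set;x-amz-security-token, '
                      'Signature=3044022045106142c0ffeec0ffee'),
}

def parse_sigv4a_authorization(value):
    """Split a SigV4a Authorization header into algorithm, credential scope
    fields (access key id, date, service), signed-header list and signature."""
    m = re.fullmatch(
        r'(?P<alg>AWS4-ECDSA-P256-SHA256) '
        r'Credential=(?P<akid>[^/]+)/(?P<date>\d{8})/(?P<service>[^/]+)/aws4_request, '
        r'SignedHeaders=(?P<signed>[a-z0-9;-]+), '
        r'Signature=(?P<sig>[0-9a-f]+)', value)
    if m is None:
        raise ValueError('not a well-formed SigV4a Authorization header')
    d = m.groupdict()
    d['signed'] = d['signed'].split(';')
    return d

def check_sigv4a_headers(headers):
    """Return a list of consistency problems; an empty list means the header
    set is internally consistent. The signature bytes are not verified."""
    lower = {k.lower(): v for k, v in headers.items()}
    auth = parse_sigv4a_authorization(lower.get('authorization', ''))
    problems = []
    # every header named in SignedHeaders must actually be on the request
    for h in auth['signed']:
        if h not in lower:
            problems.append(f'signed header {h} missing from request')
    # host and x-amz-date must always be covered by the signature
    for required in ('host', 'x-amz-date'):
        if required not in auth['signed']:
            problems.append(f'{required} is not in SignedHeaders')
    # the credential-scope day must match the day in X-Amz-Date
    if not lower.get('x-amz-date', '').startswith(auth['date']):
        problems.append('credential scope date does not match X-Amz-Date')
    # temporary credentials (ASIA... key ids) must sign their session token
    if auth['akid'].startswith('ASIA') and 'x-amz-security-token' not in auth['signed']:
        problems.append('session token present but not signed')
    # a multi-region (SigV4a) request must state and sign its region set
    if 'x-amz-region-set' not in lower or 'x-amz-region-set' not in auth['signed']:
        problems.append('X-Amz-Region-Set missing or unsigned')
    return problems
```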

jhart0 commented 1 month ago

Hey @salrashid123 , thanks for this - if you'd like to contribute an example, please do open a PR, for now I will close this issue.