ebourg / jsign

Java implementation of Microsoft Authenticode for signing Windows executables, installers & scripts
https://ebourg.github.io/jsign
Apache License 2.0

Parameter to Set User Agent in Requests to KMS #174

Closed cedricvanrompay-datadog closed 9 months ago

cedricvanrompay-datadog commented 9 months ago

We have several CI pipelines using JSign to sign various Windows packages, and we would like to have a trace in the AWS KMS CloudTrail logs of which pipeline each access comes from.

One quick and simple way of doing it would be to add this info in the user agent used by JSign when sending requests to AWS KMS.

However, as of now the user agent seems to be a constant: https://github.com/ebourg/jsign/blob/14dc018bc725f902f142b67e82128849969418f4/jsign-core/src/main/java/net/jsign/jca/RESTClient.java#L69

Would it be possible to add a --user-agent command-line argument to overwrite the default user agent?

Happy to provide the PR if needed.

ebourg commented 9 months ago

Does it have to be the user agent? Or could it be another request parameter?

ebourg commented 9 months ago

Looking at the CloudTrail documentation, it seems the request parameters are recorded as well, but it's not clear if only the parameters expected by the service are included.

Would a --http-header 'X-Pipeline: foo' parameter work for you?

cedricvanrompay-datadog commented 9 months ago

Let me try and get back to you

cedricvanrompay-datadog commented 9 months ago

From a quick look, it seems that:

So for now the user agent seems to be the only option for us.

ebourg commented 9 months ago

I've implemented this with an environment variable setting a JVM system property. Try setting the JSIGN_OPTS variable before invoking Jsign:

export JSIGN_OPTS=-Dhttp.agent=foo
jsign --storetype AWS --keystore eu-west-3 ...

Let me know if that works for you.
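
An added example, not part of the original thread or of Jsign: one way to use the per-pipeline user agent on the audit side, by grouping KMS `Sign` events from CloudTrail by their `userAgent` field and listing signing calls that match no known pipeline. The agent names, the sample records and the prefix matching (in case the HTTP client appends its own suffix to the configured value) are assumptions.

```python
import json
from collections import defaultdict

# Assumption: each pipeline sets a distinct http.agent value (names are hypothetical).
KNOWN_AGENTS = {"ci-installer-signing": "installer", "ci-driver-signing": "driver"}

# Constructed CloudTrail records, trimmed to the fields this example reads.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Sign",
  "userAgent": "ci-installer-signing Java/17.0.9",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-ci"},
  "requestParameters": {"keyId": "alias/example-codesign"}},
 {"eventTime": "2024-01-10T09:05:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Sign",
  "userAgent": "ci-driver-signing",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-ci"},
  "requestParameters": {"keyId": "alias/example-codesign"}},
 {"eventTime": "2024-01-10T09:07:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Sign",
  "userAgent": "unlabelled-client/1.0",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-other"},
  "requestParameters": {"keyId": "alias/example-codesign"}},
 {"eventTime": "2024-01-10T09:08:00Z", "eventSource": "kms.amazonaws.com",
  "eventName": "DescribeKey", "userAgent": "ci-installer-signing",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:role/example-ci"},
  "requestParameters": {"keyId": "alias/example-codesign"}}
]""")

def pipeline_for(agent, known=KNOWN_AGENTS):
    """Match on the leading token, since the HTTP client may append a suffix."""
    for prefix, name in known.items():
        if agent == prefix or agent.startswith(prefix + " "):
            return name
    return None

def attribute_sign_calls(events, known=KNOWN_AGENTS):
    """Return (Sign calls per pipeline, Sign calls matching no known pipeline)."""
    by_pipeline, unattributed = defaultdict(list), []
    for ev in events:
        if (ev.get("eventSource"), ev.get("eventName")) != ("kms.amazonaws.com", "Sign"):
            continue  # only signing operations are of interest here
        key = (ev.get("requestParameters") or {}).get("keyId")
        name = pipeline_for(ev.get("userAgent", ""), known)
        if name:
            by_pipeline[name].append((ev["eventTime"], key))
        else:
            arn = (ev.get("userIdentity") or {}).get("arn")
            unattributed.append((ev["eventTime"], ev.get("userAgent"), arn))
    return dict(by_pipeline), unattributed

if __name__ == "__main__":
    print(attribute_sign_calls(SAMPLE_EVENTS))
```

The user agent is chosen by the caller, so it serves as an attribution label to read alongside `userIdentity`, not as proof of which pipeline made the call.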