Closed syall closed 2 months ago
Overview

Dependent on #2250, which is the first commit of this PR

These changes add SigV4 (`aws.auth#sigv4`, `sigv4`) and SigV4A (`aws.auth#sigv4a`, `sigv4a`) migration diff validation.

This is important since not all SigV4 credentials work with SigV4A, so migration from SigV4 to SigV4A is not backward compatible.

At the time of writing, it is uncertain whether migrating from SigV4A to SigV4 is backward compatible.

Simplified, the SigV4 migration validation events are emitted when:

- `aws.auth#sigv4` is replaced by `aws.auth#sigv4a`, or vice versa
- `aws.auth#sigv4` and `aws.auth#sigv4a` is changed in the effective auth schemes
- `aws.auth#sigv4a` is added before an existing `aws.auth#sigv4`, or vice versa

Validation Tables

Keywords:

- `sigv4` = `aws.auth#sigv4`
- `sigv4a` = `aws.auth#sigv4a`
- `+` = set addition
- `,` = list addition (order matters)
- `...` = set, e.g. `any`, `no sigv4`, `with sigv4`

For both `@auth` and `@smithy.rules#endpointRuleSet` auth schemes, these are the following validations:

- `SigV4Migration` checks for service and operation `@auth` diffs.
- `EndpointSigV4Migration` checks for service `@auth` and `@smithy.rules#endpointRuleSet` diffs.
- `sigv4` also includes `sigv4-` sub-schemes except `sigv4-s3express`.
- `sigv4a` also includes `sigv4-s3express`.
- `beta` auth schemes are not considered during SigV4 migration, and will have to manually be added.

| Old | New | Message |
| --- | --- | --- |
| `no sigv4` + `no sigv4a`] | `any`] | |
| `with sigv4` + `no sigv4a`] | `no sigv4a`] | |
| `with sigv4a` + `no sigv4`] | `no sigv4`] | |
| `with sigv4`, `with sigv4a`] | `with sigv4`, `with sigv4a`] | |
| `with sigv4` + `no sigv4a`] | `with sigv4a` + `no sigv4`] | `sigv4a` replaced `sigv4`, but not all `sigv4` credentials are compatible with `sigv4a` |
| `with sigv4a` + `no sigv4`] | `with sigv4` + `no sigv4a`] | `sigv4` replaced `sigv4a`, but signing scope could be narrowed (typically from `*`) |
| `with sigv4` + `no sigv4a`] | `with sigv4`, `with sigv4a`] | `sigv4` will still resolve before `sigv4a` |
| `with sigv4a` + `no sigv4`] | `with sigv4a`, `with sigv4`] | `sigv4a` will still resolve before `sigv4` |
| `with sigv4` + `no sigv4a`] | `with sigv4a`, `with sigv4`] | `sigv4a` will resolve before `sigv4`, but not all `sigv4` credentials are compatible with `sigv4a` |
| `with sigv4a` + `no sigv4`] | `with sigv4`, `with sigv4a`] | `sigv4` will resolve before `sigv4a`, but signing scope could be narrowed (typically from `*`) |
| `with sigv4`, `with sigv4a`] | `with sigv4a`, `with sigv4`] | `sigv4` and `sigv4a` order is changed, but not all `sigv4` credentials are compatible with `sigv4a` |
| `with sigv4a`, `with sigv4`] | `with sigv4`, `with sigv4a`] | `sigv4` and `sigv4a` order is changed, but signing scope could be narrowed (typically from `*`) |

Testing

Related

- `authSchemes` list property: https://smithy.io/2.0/additional-specs/rules-engine/specification.html#endpoint-authschemes-list-property

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
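The validation table above can be modelled as a lookup keyed on the order in which the `sigv4` and `sigv4a` families first appear in the old and new effective auth scheme lists. This is an added example, not Smithy's validator code: the function names are hypothetical, `beta` schemes are not modelled, and transitions the table does not list return `None` as an assumption.

```python
V4, V4A = "sigv4", "sigv4a"
CRED = "not all sigv4 credentials are compatible with sigv4a"
SCOPE = "signing scope could be narrowed (typically from *)"

# (old resolution order, new resolution order) -> message, transcribed
# from the rows of the validation table that carry a message.
TABLE = {
    ((V4,), (V4A,)): f"sigv4a replaced sigv4, but {CRED}",
    ((V4A,), (V4,)): f"sigv4 replaced sigv4a, but {SCOPE}",
    ((V4,), (V4, V4A)): "sigv4 will still resolve before sigv4a",
    ((V4A,), (V4A, V4)): "sigv4a will still resolve before sigv4",
    ((V4,), (V4A, V4)): f"sigv4a will resolve before sigv4, but {CRED}",
    ((V4A,), (V4, V4A)): f"sigv4 will resolve before sigv4a, but {SCOPE}",
    ((V4, V4A), (V4A, V4)): f"sigv4 and sigv4a order is changed, but {CRED}",
    ((V4A, V4), (V4, V4A)): f"sigv4 and sigv4a order is changed, but {SCOPE}",
}

def family(scheme):
    """Map a trait shape ID or endpoint authSchemes name to sigv4 / sigv4a / None."""
    name = scheme.removeprefix("aws.auth#")  # aws.auth#sigv4 -> sigv4
    if name in (V4A, "sigv4-s3express"):     # sigv4a also includes sigv4-s3express
        return V4A
    if name == V4 or name.startswith("sigv4-"):  # remaining sigv4- sub-schemes
        return V4
    return None                              # unrelated scheme, ignored

def resolution_order(schemes):
    """Order in which the two families first appear in an ordered scheme list."""
    order = []
    for scheme in schemes:
        fam = family(scheme)
        if fam and fam not in order:
            order.append(fam)
    return tuple(order)

def migration_event(old, new):
    """Message for the old -> new transition, or None when no listed row applies."""
    return TABLE.get((resolution_order(old), resolution_order(new)))

if __name__ == "__main__":
    # Constructed sample: a service that swaps its only scheme from sigv4 to sigv4a.
    print(migration_event(["aws.auth#sigv4"], ["aws.auth#sigv4a"]))
```
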