Using curl to call an AWS REST API, signing the request with a Signature Version 4 (SigV4) signature
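#!/bin/bash
# Sign a GET against an S3-compatible object-storage endpoint with AWS
# Signature Version 4 and send it with curl.
# Source: https://docs.aws.amazon.com/general/latest/gr/sigv4-signed-request-examples.html
#
# Required environment: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY.
# Tracing is off by default: with set -x on, the secret key is printed as part
# of the expanded argv of the openssl call that derives the signing key.
# set -x
# Abort on a failed command, an unset variable, or a failure inside a pipeline.
set -euo pipefail
# ":-" keeps the unset case a friendly message instead of a set -u error.
[[ -n "${AWS_ACCESS_KEY_ID:-}" ]] || { printf '%s\n' "AWS_ACCESS_KEY_ID required" >&2; exit 1; }
[[ -n "${AWS_SECRET_ACCESS_KEY:-}" ]] || { printf '%s\n' "AWS_SECRET_ACCESS_KEY required" >&2; exit 1; }
readonly method="GET"
readonly service="s3"
readonly region="eu-frankfurt-1"
# Replace the "changeme" placeholders with the namespace, bucket and object key.
readonly host="ociobjectstoragenamespacechangeme.compat.objectstorage.${region}.oraclecloud.com"
readonly bucket="changeme"
readonly fileName="changeme"
readonly endpoint="https://${host}/${bucket}/${fileName}"
# Currently not sent with the request; kept for JSON-bodied API variants.
readonly contentType="application/x-amz-json-1.1"
# Request body; empty for a plain GET. The commented lines show the shape used
# for a JSON API such as SSM GetParameter.
# readonly amazonTarget="AmazonSSM.GetParameter"
# readonly requestParameters="$(printf '{"Name":"%s","WithDecryption":true}' "${parameterName}")"
readonly requestParameters=""
# SigV4 needs the full UTC timestamp and the UTC date stamp.
# "date -u" is POSIX; "--utc" is GNU-only.
readonly amazonDate="$(date -u +'%Y%m%dT%H%M%SZ')"
readonly dateStamp="$(date -u +'%Y%m%d')"
# Fixed values for reproducing a signature by hand:
# readonly amazonDate="20200429T093445Z"
# readonly dateStamp="20200429"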
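sha256() {
  # Print the lowercase hex SHA-256 of $1 on stdout.
  # Backslash escapes in $1 (e.g. the literal "\n" sequences in the canonical
  # request) are expanded before hashing; printf %b is the portable equivalent
  # of echo -ne and is not confused by an argument that looks like an option.
  # The digest is taken as the last field so the result does not depend on
  # the "(stdin)= " vs OpenSSL 3 "SHA2-256(stdin)= " prefix.
  printf '%b' "$1" | openssl dgst -sha256 -hex | awk '{print $NF}'
}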
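sign() {
  # HMAC-SHA256 of $2 under the key in $1, printed as lowercase hex on stdout.
  # Arguments:
  #   $1 - openssl -macopt key spec: "key:<raw bytes>" or "hexkey:<hex>"
  #   $2 - message; backslash escapes (e.g. "\n") are expanded before hashing
  # NOTE: the key spec is an argv item of the openssl process for the duration
  #   of the call, so it is visible in process listings and in set -x traces.
  local keyArg="$1"
  local msg="$2"
  # Last whitespace-separated field is the digest in both the "(stdin)= " and
  # the OpenSSL 3 "SHA2-256(stdin)= " output formats.
  printf '%b' "${msg}" | openssl dgst -sha256 -mac hmac -macopt "${keyArg}" | awk '{print $NF}'
}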
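getSignatureKey() {
  # Derive the SigV4 signing key: an HMAC chain over the date stamp, region,
  # service and the literal "aws4_request", seeded with "AWS4" + secret key.
  # Arguments:
  #   $1 - secret access key
  #   $2 - date stamp (YYYYMMDD)
  #   $3 - region name
  #   $4 - service name
  # Outputs: the hex signing key on stdout, no trailing newline.
  # Returns: 1 if any round yields an empty key. HMAC accepts an empty key,
  #   so without this check a failed round would silently feed the next one
  #   and produce a well-formed but invalid signature.
  local key="$1"
  local dateStamp1="$2"
  local regionName="$3"
  local serviceName="$4"
  local kDate kRegion kService kSigning
  # The raw secret travels in the argv of the openssl call inside sign().
  kDate="$(sign "key:AWS4${key}" "${dateStamp1}")"
  [[ -n "${kDate}" ]] || return 1
  kRegion="$(sign "hexkey:${kDate}" "${regionName}")"
  [[ -n "${kRegion}" ]] || return 1
  kService="$(sign "hexkey:${kRegion}" "${serviceName}")"
  [[ -n "${kService}" ]] || return 1
  kSigning="$(sign "hexkey:${kService}" "aws4_request")"
  [[ -n "${kSigning}" ]] || return 1
  printf '%s' "${kSigning}"
}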
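# --- TASK 1: create canonical request ---
# The "\n" below are literal backslash-n sequences; sha256() and sign() expand
# them into real newlines when hashing.
readonly canonicalUri="/${bucket}/${fileName}"
readonly canonicalQueryString=""
# A GET carries no body, so this is the hash of the empty string.
readonly payloadHash="$(sha256 "${requestParameters}")"
# Trailing "\n" plus the separator in canonicalRequest yields the blank line
# SigV4 requires between the headers and the signed-header list.
readonly canonicalHeaders="host:${host}\nx-amz-content-sha256:${payloadHash}\nx-amz-date:${amazonDate}\n"
readonly signedHeaders="host;x-amz-content-sha256;x-amz-date"
readonly canonicalRequest="${method}\n${canonicalUri}\n${canonicalQueryString}\n${canonicalHeaders}\n${signedHeaders}\n${payloadHash}"
# --- TASK 2: create the string to sign ---
readonly algorithm="AWS4-HMAC-SHA256"
readonly credentialScope="${dateStamp}/${region}/${service}/aws4_request"
readonly stringToSign="${algorithm}\n${amazonDate}\n${credentialScope}\n$(sha256 "${canonicalRequest}")"
# Diagnostics go to stderr so stdout carries only the response body from curl
# (they contain no secret material: hashes, headers and the string to sign).
printf 'payloadHash: %b\n' "${payloadHash}" >&2
printf 'canonicalHeaders: %b\n' "${canonicalHeaders}" >&2
printf 'canonicalRequest: %b\n' "${canonicalRequest}" >&2
printf 'stringToSign: %b\n' "${stringToSign}" >&2
# --- TASK 3: calculate the signature ---
readonly signingKey="$(getSignatureKey "${AWS_SECRET_ACCESS_KEY}" "${dateStamp}" "${region}" "${service}")"
# An empty key or signature would still produce a syntactically valid header;
# stop here rather than send a request that can only be rejected.
[[ -n "${signingKey}" ]] || { printf '%s\n' "failed to derive signing key" >&2; exit 1; }
readonly signature="$(sign "hexkey:${signingKey}" "${stringToSign}")"
[[ -n "${signature}" ]] || { printf '%s\n' "failed to compute signature" >&2; exit 1; }
# --- TASK 4: add signing information to the request ---
readonly authorizationHeader="${algorithm} Credential=${AWS_ACCESS_KEY_ID}/${credentialScope}, SignedHeaders=${signedHeaders}, Signature=${signature}"
# --- SEND REQUEST ---
# The two x-amz-* headers must match the values hashed into canonicalHeaders.
curl \
  "${endpoint}" \
  --header "Authorization: ${authorizationHeader}" \
  --header "x-amz-content-sha256: ${payloadHash}" \
  --header "x-amz-date: ${amazonDate}"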