README.md

# Tesla AWS Signer

A [Tesla](https://github.com/teamon/tesla) plug for signing HTTP requests with [AWS Signature Version 4](https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html).

## Installation

```
def deps do
  [
    {:aws_signer, "~> 2.0"}
  ]
end
```

## Usage

Start the cache:

```elixir
AwsSigner.Cache.start_link(log: true)
```

Use `log: true` to enable logging of cache hits/misses (keys only). 

Define your http client:

```elixir
defmodule MyHttpClient do
  use Tesla

  plug Tesla.Middleware.BaseUrl, "https://my-aws-elasticsearch.eu-central-1.es.amazonaws.com"
  plug Tesla.Middleware.JSON
  plug AwsSigner.TeslaMiddleware, options

  adapter Tesla.Adapter.Hackney, path_encode_fun: &AwsSigner.Util.encode_rfc3986/1
end
```

where `options` is a keyword list:

```elixir
[
  log: false                    # (optional) log token requests; see below
  cache: true                   # (optional) cache tokens; see below
  auth_method: :assume_role     # (required) see below for possible values
  region: "eu-central-1",       # (required)
  service: "es",                # (required)
  arn: "arn:aws:iam::123..."    # (required)
  session_name: "..."           # (optional) aws session name
  access_key_id: "...",         # required if auth_method is :assume_role
  secret_access_key: "...",     # required if auth_method is :assume_role
  web_identity_token: "..."     # required if auth_method is :assume_role_with_web_identity
]

```

`auth_method` can be one of:
* `:instance_profile`
* `:assume_role`
* `:assume_role_with_web_identity`

You can read more about [AWS STS](https://docs.aws.amazon.com/STS/latest/APIReference/API_Operations.html) and [AWS Instance Profiles](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) in the AWS official docs.

Use `log: true` to enable logging of all requests to AWS STS service (made when issuing tokens). Do so with caution, as AWS keys are not something you want in your logs (you know, security).

## Caching

For debugging purposes, you can provide the `cache: false` option to disable caching of aws keys.
AWS keys will be re-issued on each request, which will cause lot of unnecessary network round-trips.

If caching is disabled, you can go without `AwsSigner.Cache.start_link`.

## Caveats

#### HTTP adapter

Make sure your HTTP adapter's path encoding follows the RFC3986 standard as expected by AWS. If you use [`hackney`](https://github.com/benoitc/hackney), you must instruct it to use an external function for that purpose (as shown above in the Usage example):

```elixir
  adapter Tesla.Adapter.Hackney, path_encode_fun: &AwsSigner.Util.encode_rfc3986/1
```

#### Supported auth methods

This library provides basic support for AWS [`AssumeRole`](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html), [`AssumeRoleWithWebIdentity`](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html) and [`InstanceProfile`](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html) credential providers. More providers should be straightforward to add, pull requests are welcome.

#### Supported AWS services

This has been tested with `es` service only (the AWS keyword for Elasticsearch service).

It *should* work for other AWS services, but there may be exceptions -- like the `s3` service, which [according to the AWS docs](https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html) expects double-encoded path segments. Support for this should be easy to add, pull requests are welcome.

## Contributing

Everyone is welcome to contribute. When submitting a Pull Request, please make sure to:

1. Put a clear, concise reasoning for your change in the PR
1. Use `mix format` for code formatting
1. Cover new/changed functionality with tests
1. Ensure all tests pass