Came across this library when using mlflow.log_artifacts with AWS_SIGV4 request signing enabled. When trying to upload the artifact with a put call, this library throws an exception saying that _io.BufferedReader cannot be encoded. Possible solution (or a better version of it).
At line https://github.com/andrewjroth/requests-auth-aws-sigv4/blob/master/requests_auth_aws_sigv4/__init__.py#L141C14-L141C14

  if r.body:
                if isinstance(r.body, bytes):
                    log.debug("Request Body: <bytes> %s", r.body)
                    payload_hash = hashlib.sha256(r.body).hexdigest()
                elif isinstance(r.body, bytes):
                    log.debug("Request Body: <str> %s", r.body)
                    payload_hash = hashlib.sha256(r.body.encode('utf-8')).hexdigest()
                else
                     log.debug("Request Body Object's instance type: {type(obj)} ")
                     body_buffer=r.body
                     file_content=body_buffer.read()
                     body_buffer.seek(0)
                     payload_hash = payload_hash = hashlib.sha256(file_content).hexdigest()

How to reproduce ?

import requests
from requests_auth_aws_sigv4 import AWSSigV4

ACCESS_KEY = 'XXXXXXXX'
SECRET_KEY = 'XXXXXX'
SESSION_TOKEN = 'XXXXX'

aws_auth = AWSSigV4('s3',
    aws_access_key_id=ACCESS_KEY,
    aws_secret_access_key=SECRET_KEY,
    aws_session_token=SESSION_TOKEN,
    region= 'us-east-1',
)

r = requests.request('GET', 'https://<bucket_name>.s3.amazonaws.com/<location_on_s3>',
    auth=aws_auth)
print(r.text)

This gives following error message -

Missing required header for this request: x-amz-content-sha256

Pls.note this access_key, secret_key and session_token are valid and I have checked that using other packages.

I am seeing the following issue and am not sure where I would add the access_token from reading your examples.

{
  "errors": [
    {
      "message": "Access to requested resource is denied.",
     "code": "Unauthorized",
     "details": "Access token is missing in the request header."
    }
  ]
}

Can we have a release that would include recent changes?
Thank you!

Hey,

I am forming the Authorisation header and I am not using the Boto libraries. While forming the canonical uri and canonical querystring the aws documentation(https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html ) says that we need to urlencode them. However, i do not see any urlencoding in the init.py file. Can you pls. check if that's missing or there is some gap in my understanding ? This is with reference to the s3

If you set the auth of a requests.Session to an AWSSigV4 object, after the token expires (e.g. 15 minutes), requests no longer succeed. The __call__ method should check whether the credentials are expired and refresh them before updating the request.

The request.body is a bytes (as opposed to a string).
The following snippet reproduces the error

package versions:
requests==2.25.1
requests-auth-aws-sigv4==0.4

import requests
from requests_auth_aws_sigv4 import AWSSigV4

url = 'https://google.com'
requests.post(url='https://google.com', json=['test'], auth=AWSSigV4('execute-api'))

and the error:

  ...
  File ".../lib/python3.6/site-packages/requests/models.py", line 551, in prepare_auth
    r = auth(self)
  File ".../python3.6/site-packages/requests_auth_aws_sigv4/__init__.py", line 138, in __call__
    payload_hash = hashlib.sha256(r.body.encode('utf-8')).hexdigest()
AttributeError: 'bytes' object has no attribute 'encode'

suggested fix:
when computing the hexdigest, not call encode(''utf-8') if request.body is already of type bytes

I've got a request that's getting a 403
The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The request specifies the "created" query parameter key twice like so:
created=ge2000-07-01&created=le2024-03-09

If we use this syntax, the request is accepted.
created=ge2000-07-01,le2024-03-09

Since the original request works fine with AWS signatures in Postman, I'm thinking the duplicated query param key is causing the signature to be generated incorrectly. Please let me know if I can furnish any additional details.

I found an uncommon "content-type" in this library and makes error

This is working great for me when using basic access key id and secret access key values. However, if I'm using a temporary token, I get an error when calling AWS api due to an invalid token. I was able to confirm requests-auth-aws-sigv4 is picking up the session token from my credentials file, but best guess is it isn't creating the signed header correctly?

The following request is modified by the AWSSigV4 which adds the signature but also changes the Content-Type header.

requests.get(url, auth=AWSSigV4(service='execute-api'), headers={'Content-Type': 'application/json'})

Changing the Content-Type to "application/x-www-form-urlencoded; charset=utf-8" may cause the request to fail on the server side.

The sigv4 spec doesn't require signing the Content-Type header, so by simply removing this update to the headers dictionary I was able to work-around the issue. Alternatively, the header could be signed if it exists.

I don't think overwriting the User-Agent is a good idea either.

I'd be happy to submit a PR if you could provide some guidance on how you'd like to handle the existing headers

We were using a cached AWSSigV4 object which was shared between threads, and we'd very occasionally get a 403 error because the signature was wrong.
Looking at the code, it looks like it uses data members to store some timestamp related values when it's calculating the signing values:

I know the workaround for us is easy: don't treat the AWSSigV4 as if it is thread safe. But as far as I can tell, it would be pretty easy to make it thread safe by using local variables instead of member variables. Have I missed something as to why member variables are used in this way?