feat(http_client source): #23338 Enable AWS authentication for the http_client source. #23339
+151
−27
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
domain: sources
johannesfloriangeiger
changed the title
There was a problem hiding this comment.
Pull Request Overview
This PR adds AWS SigV4 signing support to the http_client source, allowing Vector to authenticate requests against AWS services (e.g., Amazon Managed Service for Prometheus).
- Introduces conditional AWS signing in the
http_clientutility with empty-body support. - Refactors shared signing logic into
create_signing_instructionsand exposessign_request_with_empty_body. - Updates HTTP sink config to streamline region and credentials provider setup and adds a changelog entry.
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| src/sources/util/http_client.rs | Wraps request signing and send in timeouts, injects AWS SigV4 code |
| src/sinks/http/config.rs | Simplifies AWS region/credentials resolution in HTTP sink config |
| src/aws/mod.rs | Refactors signing into helper functions and adds empty-body signer |
| src/aws/auth.rs | Adds region() helper on AwsAuthentication |
| changelog.d/23338.feature.md | Adds changelog entry for AWS auth feature |
Comments suppressed due to low confidence (1)
src/aws/auth.rs:372
- The new
region()helper onAwsAuthenticationcovers various enum variants. Adding unit tests for each variant would ensure region extraction remains correct under future changes.
pub fn region(&self) -> Option<Region> {
pront
reviewed
Jul 7, 2025
pront
force-pushed
the
master
branch
4 times, most recently
from
1720078 to
ffe54be
Compare
pront
added
the
meta: awaiting author
github-actions
bot
removed
the
meta: awaiting author
|
Please resolve the merge conflicts and we will take a look |
thomasqueirozb
added
the
meta: awaiting author
github-actions
bot
removed
the
meta: awaiting author
Thanks, merged master back into my branch - the reorg of the imports has broken git, I try to keep changes to existing code to a minimum in a PR. |
pront
approved these changes
Sep 29, 2025
| } | ||
| } | ||
|
|
||
| async fn prepare_request(auth: Option<Auth>, request: Request<Body>) -> Request<Body> { |
There was a problem hiding this comment.
With a little bit of refactoring this can be:
async fn prepare_request(auth: Option<Auth>, request: Request<Body>) -> Request<Body> {
match auth {
#[cfg(feature = "aws-core")]
Some(Auth::Aws { auth, service: _ }) => sign_aws_request(auth, request).await,
_ => request,
}
}
There was a problem hiding this comment.
So, move the Some branch to a new function?
thomasqueirozb
added
source: http_client
github-actions
bot
removed
the
meta: awaiting author
Co-authored-by: Pavlos Rontidis <[email protected]>
Co-authored-by: Pavlos Rontidis <[email protected]>
pront
reviewed
Nov 5, 2025
There was a problem hiding this comment.
Hi @johannesfloriangeiger, thanks again for this PR. Left some comments. The only real concern is that this is not tested anywhere in the codebase.
| let region = auth | ||
| .region() | ||
| .or(default_region) | ||
| .expect("Region must be specified"); |
There was a problem hiding this comment.
Replace all expect() calls (excluding those in test code) with proper error propagation.
Comment on lines
+303
to
+310
| let default_region = crate::aws::region_provider(&ProxyConfig::default(), None) | ||
| .expect("Region provider must be available") | ||
| .region() | ||
| .await; | ||
| let region = auth | ||
| .region() | ||
| .or(default_region) | ||
| .expect("Region must be specified"); |
There was a problem hiding this comment.
Nit: introduce a helper and use it here and also while in config build()
pub async fn resolve_region_from_auth(
auth: &AwsAuthentication,
proxy_config: &ProxyConfig,
tls_config: Option<&TlsConfig>,
) -> crate::Result<Region> {
if let Some(region) = auth.region() {
return Ok(region);
}
region_provider(proxy_config, tls_config)?
.region()
.await
.ok_or_else(|| {
"AWS region must be specified either in auth config or via environment/config".into()
})
}| } | ||
| } | ||
|
|
||
| async fn prepare_request(auth: Option<Auth>, request: Request<Body>) -> Request<Body> { |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
See title, enables AWS authentication for the http_client source.
Vector configuration
How did you test this PR?
Manually. Get yourself an AWS Account, create an Amazon Managed Service for Prometheus workspace, get the Endpoint - query URL and use it in the config above. Run Vector and see it working (and not failing with a 403 like the current version).
Change Type
Is this a breaking change?
Does this PR include user facing changes?
no-changeloglabel to this PR.References
Notes
@vectordotdev/vectorto reach out to us regarding this PR.pre-pushhook, please see this template.cargo fmt --allcargo clippy --workspace --all-targets -- -D warningscargo nextest run --workspace(alternatively, you can runcargo test --all)git merge origin masterandgit push.Cargo.lock), pleaserun
cargo vdev build licensesto regenerate the license inventory and commit the changes (if any). More details here.