Signature4 signing for elastic search in aws

Question

I'm using the aws managed elasticsearch/ I'm using the high-level java client for elastic search. Is there a way to use aws signature4 signing for the requests made with the high-level client?

Answer 1

Adding appropriate headers and signing calculations to your request is more than enough. Read this documentation - Signature V4 - examples using SDKs

Example code snippet:

import net.xxx.awsutils.signing.auth.AWS4SignerBase;

import net.xxx.awsutils.signing.auth.AWS4SignerForAuthorizationHeader;

import net.xxx.awsutils.signing.util.BinaryUtils;

import java.net.MalformedURLException;

import java.net.URL;

import java.util.HashMap;

import java.util.Map;

/**

 * A utility for calculating an AWS Signature Version 4 signature headers for requests. See

 * http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-examples-using-sdks.html for the full description.

 *

 * @author xxx

 */

public class SigningUtility {

    /**

     * Build the authorization headers to be added to the service request. 

     * 

     * @param regionName AWS region

     * @param url service URL

     * @param awsAccessKey AWS access key

     * @param awsSecretKey AWS secret key

     * @param messageBody the message body for POSTs

     * @param httpMethod the HTTP verb used for this message (GET, POST, etc)

     * @param serviceName the AWS service (s3, execite-api, ...)

     * @return authorisation headers to add to the request.

     */

    public Map<String, String> getAuthorisationHeader(String regionName, String url, String awsAccessKey, String awsSecretKey, 

                                                      String messageBody, String httpMethod, String serviceName) {

        URL endpointUrl;

        try {

            endpointUrl = new URL(url);

        } catch (MalformedURLException e) {

            throw new RuntimeException("Unable to parse service endpoint: " + e.getMessage());

        }

        String contentHashString;

        Map<String, String> headers = new HashMap<>();

        if ("POST".equals(httpMethod)) {

            // precompute hash of the body content

            byte[] contentHash = AWS4SignerBase.hash(messageBody);

            contentHashString = BinaryUtils.toHex(contentHash);

            headers.put("x-amz-content-sha256", contentHashString);

            headers.put("content-length", "" + messageBody.length());

        } else if ("GET".equals(httpMethod)) {

            contentHashString = AWS4SignerBase.EMPTY_BODY_SHA256;

            // for a simple GET, we have no body so supply the precomputed 'empty' hash

            headers.put("x-amz-content-sha256", AWS4SignerBase.EMPTY_BODY_SHA256);

        } else {

            throw new UnsupportedOperationException("This utility only supports GET and POST HTTP verbs for now");

        }

        AWS4SignerForAuthorizationHeader signer = new AWS4SignerForAuthorizationHeader(

                endpointUrl, httpMethod, serviceName, regionName);

        String authorisation = signer.computeSignature(headers,

                null, // assume no query parameters

                contentHashString,

                awsAccessKey,

                awsSecretKey);

        headers.put("Authorization", authorisation);

        return headers;

    }

} 

The part will be finding the service name, and in the ElasticSearch case, it is es.