AWS Signature V4 signing for Bedrock + any other AWS service. Implements the canonical-request → string-to-sign → derived-key → signature flow defined in: https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
Public entry point is sign-request — give it an unsigned request map {:method :url :headers :body} plus credentials + region + service and it returns the same map with Authorization + x-amz-date + x-amz-content-sha256 + x-amz-security-token (when present) injected.
No external AWS SDK dep — uses JDK crypto only.
AWS Signature V4 signing for Bedrock + any other AWS service.
Implements the canonical-request → string-to-sign → derived-key →
signature flow defined in:
https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
Public entry point is sign-request — give it an unsigned request map
{:method :url :headers :body} plus credentials + region + service and
it returns the same map with Authorization + x-amz-date +
x-amz-content-sha256 + x-amz-security-token (when present) injected.
No external AWS SDK dep — uses JDK crypto only.(canonical-headers headers)Header block + signed-headers list. Returns [canonical-block signed-list].
Header block + signed-headers list. Returns [canonical-block signed-list].
(canonical-query-string query)Canonical query string: name=value pairs URL-encoded and sorted by name, then by value. Accepts a map or a raw query string.
Canonical query string: name=value pairs URL-encoded and sorted by name, then by value. Accepts a map or a raw query string.
(canonical-request method url headers body)Build canonical request string per SigV4. Returns [canonical-request signed-headers payload-hash].
Build canonical request string per SigV4. Returns [canonical-request signed-headers payload-hash].
(canonical-uri path)Canonical URI per SigV4: each path segment URL-encoded, slashes preserved. Empty path is canonicalized to '/'.
Canonical URI per SigV4: each path segment URL-encoded, slashes preserved. Empty path is canonicalized to '/'.
(credential-scope short-date region service){short-date}/{region}/{service}/aws4_request
{short-date}/{region}/{service}/aws4_request
(discover-credentials)Pick up AWS credentials from the environment. Returns {:access-key-id :secret-access-key :session-token :region}. AWS_REGION wins over AWS_DEFAULT_REGION.
Pick up AWS credentials from the environment.
Returns {:access-key-id :secret-access-key :session-token :region}.
AWS_REGION wins over AWS_DEFAULT_REGION.(maybe-sign profile req)If the provider profile uses AWS SigV4, pre-serialize the body, sign, and return the signed request. Otherwise pass-through. Reads region/service hints off the request map at the bedrock-namespaced keys (:llm.sdk.providers.bedrock/aws-service / :aws-region) and the profile's :profile/aws-service fallback.
Throws ex-info if SigV4 is required but AWS_ACCESS_KEY_ID is missing.
If the provider profile uses AWS SigV4, pre-serialize the body, sign, and return the signed request. Otherwise pass-through. Reads region/service hints off the request map at the bedrock-namespaced keys (:llm.sdk.providers.bedrock/aws-service / :aws-region) and the profile's :profile/aws-service fallback. Throws ex-info if SigV4 is required but AWS_ACCESS_KEY_ID is missing.
(sha256-hex data)Hex-encoded SHA-256 of a string or byte array.
Hex-encoded SHA-256 of a string or byte array.
(sign-request {:keys [method url headers body]}
{:keys [access-key-id secret-access-key region service
session-token now body-bytes]})Inject SigV4 auth headers into an unsigned request map.
Required keys: :method http verb keyword :url full URL :headers map (will be augmented; existing :host added if missing) :body string payload (may be nil)
Required opts: :access-key-id string :secret-access-key string :region e.g. "us-east-1" :service e.g. "bedrock" Optional: :session-token STS session token (adds x-amz-security-token) :now java.util.Date (defaults to current time) :body-bytes pre-serialized body if :body is non-string
Inject SigV4 auth headers into an unsigned request map. Required keys: :method http verb keyword :url full URL :headers map (will be augmented; existing :host added if missing) :body string payload (may be nil) Required opts: :access-key-id string :secret-access-key string :region e.g. "us-east-1" :service e.g. "bedrock" Optional: :session-token STS session token (adds x-amz-security-token) :now java.util.Date (defaults to current time) :body-bytes pre-serialized body if :body is non-string
cljdoc builds & hosts documentation for Clojure/Script libraries
| Ctrl+k | Jump to recent docs |
| ← | Move to previous article |
| → | Move to next article |
| Ctrl+/ | Jump to the search field |