RaGe

Reputation: 23785

Is it possible to validate an AWS v4 signature?

I have an API served over API Gateway that uses AWS_IAM authentication. I'm looking to use a Lambda authorizer so I can implement custom authorization. I realize that I could use Cognito or a custom OAuth application, and have my client send relevant auth tokens.

However, my current client already sends an AWS v4 signature (for the AWS_IAM implementation). Can I use that to identify the user and verify that the signature is valid?

The token received in the authorizer lambda looks like this:

AWS4-HMAC-SHA256 Credential=ASIASLKDFSLKDF923C/20200408/us-east-1/execute-api/aws4_request, SignedHeaders=host;x-amz-date;x-amz-security-token, Signature=2c65e09dedasdfasdfwfewfa592a60bcc2623296174e78780a2caad

Upvotes: 8

Views: 4003

Answers (2)

Wagner Bertolini Junior

Reputation: 1200

There are a couple of samples of data in the AWS documentation that could be useful for you to test your code.

Example: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-post-example.html

Upvotes: 0

Gustavo Tavares

Reputation: 2805

I don't think so. You can find more information about how the signature process works here.

But to save you a click, the signature is created using a hash function. In that case you don't have any way to derive the original value from the signature that you received. It is by design.

That eliminates the possibility of you identifying the user that signed the request.

You could potentially validate the signature. But this is not applicable to the AWS environment. That is because to be able to validate the signature you should know the user that sent the request and, knowing that, get access to his AWS_ACCESS_KEY and AWS_SECRET_ACCESS_KEY. With both pieces of information you could try to recreate the signature based on the request that you received and compare it with its signature.

But I'm pretty sure that you won't find any legal means to get access to that kind of information...

Upvotes: 5
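The recomputation described in the answer above, written out as an added example (not code from the question, the answers, or AWS). It assumes the verifier already holds the secret access key for the access key ID in `Credential`, that header names are lowercase, and that the path and query string are already in canonical form; the request, key and host below are constructed.

```python
import hashlib
import hmac
import re

ALGO = "AWS4-HMAC-SHA256"
HEADER_RE = re.compile(ALGO + r" Credential=([^/,\s]+)/([^,\s]+),\s*"
                       r"SignedHeaders=([^,\s]+),\s*Signature=([0-9a-f]{64})")

def parse_authorization(header):
    """Split the header into access key ID, scope, signed headers, signature."""
    m = HEADER_RE.fullmatch(header.strip())
    if not m:
        raise ValueError("not a SigV4 Authorization header")
    return dict(zip(("access_key", "scope", "signed_headers", "signature"), m.groups()))

def compute_signature(secret, scope, signed_headers, method, path, query,
                      headers, payload=b""):
    """Rebuild canonical request -> string to sign -> hex signature."""
    canonical_headers = "".join(
        f"{n}:{' '.join(headers[n].split())}\n" for n in signed_headers.split(";"))
    canonical_request = "\n".join([method, path, query, canonical_headers,
                                   signed_headers, hashlib.sha256(payload).hexdigest()])
    string_to_sign = "\n".join([ALGO, headers["x-amz-date"], scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):  # date, region, service, "aws4_request"
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def verify(header, secret, method, path, query, headers, payload=b""):
    """True only if scope date matches x-amz-date and the signature recomputes."""
    auth = parse_authorization(header)
    if not headers["x-amz-date"].startswith(auth["scope"].split("/")[0]):
        return False
    expected = compute_signature(secret, auth["scope"], auth["signed_headers"],
                                 method, path, query, headers, payload)
    return hmac.compare_digest(expected, auth["signature"])  # constant-time compare

# Constructed sample request and credentials (not real keys).
SECRET = "constructed-secret-key-for-demo"
HEADERS = {"host": "abc123.execute-api.us-east-1.amazonaws.com",
           "x-amz-date": "20200408T120000Z"}
SCOPE = "20200408/us-east-1/execute-api/aws4_request"

def sample_header():
    sig = compute_signature(SECRET, SCOPE, "host;x-amz-date", "GET", "/prod/items", "", HEADERS)
    return f"{ALGO} Credential=AKIDCONSTRUCTED/{SCOPE}, SignedHeaders=host;x-amz-date, Signature={sig}"

if __name__ == "__main__":
    print(verify(sample_header(), SECRET, "GET", "/prod/items", "", HEADERS))
```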
