feat: generate 1-click signed login URL for OpenSearch UI

kylehounslow · kylehounslow · commit 18fe07e83884 · 2026-04-02T10:33:39.000-07:00
After setup, generates a SigV4-signed /_login/ URL that opens the
Application directly in the browser without additional auth. URL
expires in 5 minutes. Uses the same approach as cliu123/SigV4-Signer.

Signed-off-by: Kyle Hounslow &lt;kylhouns@amazon.com&gt;
diff --git a/aws/cli-installer/src/main.mjs b/aws/cli-installer/src/main.mjs
@@ -1,4 +1,5 @@
 import { writeFileSync } from 'node:fs';
+import { createHash } from 'node:crypto';
 import { parseCli, applySimpleDefaults, validateConfig, fillDryRunPlaceholders } from './cli.mjs';
 import { renderPipeline } from './render.mjs';
 import {
@@ -87,6 +88,54 @@ export async function run() {
  * Execute the full pipeline creation flow.
  * Shared by the CLI path (main.mjs) and the REPL create command.
  */
+async function generateSignedLoginUrl(appEndpoint, region) {
+  try {
+    const { SignatureV4 } = await import('@aws-sdk/signature-v4');
+    const { Sha256 } = await import('@aws-crypto/sha256-js');
+    const { HttpRequest } = await import('@smithy/protocol-http');
+    const { defaultProvider } = await import('@aws-sdk/credential-provider-node');
+
+    const parsed = new URL(appEndpoint);
+    const signer = new SignatureV4({
+      credentials: defaultProvider(),
+      region,
+      service: 'opensearch',
+      sha256: Sha256,
+    });
+
+    const request = new HttpRequest({
+      method: 'GET',
+      protocol: 'https:',
+      hostname: parsed.hostname,
+      path: '/_login/',
+      headers: { host: parsed.hostname },
+    });
+
+    const signed = await signer.sign(request);
+    const auth = signed.headers['authorization'];
+    const amzDate = signed.headers['x-amz-date'];
+    const token = signed.headers['x-amz-security-token'];
+
+    let credential = '', signedHeaders = '', signature = '';
+    for (const p of auth.split(', ')) {
+      if (p.includes('Credential=')) credential = p.split('Credential=')[1];
+      if (p.includes('SignedHeaders=')) signedHeaders = p.split('SignedHeaders=')[1];
+      if (p.includes('Signature=')) signature = p.split('Signature=')[1];
+    }
+
+    const params = new URLSearchParams({
+      'X-Amz-Date': amzDate,
+      'X-Amz-Algorithm': 'AWS4-HMAC-SHA256',
+      'X-Amz-Credential': credential,
+      'X-Amz-SignedHeaders': signedHeaders,
+    });
+    if (token) params.set('X-Amz-Security-Token', token);
+    params.set('X-Amz-Signature', signature);
+
+    return `https://${parsed.hostname}/_login/?${params.toString()}`;
+  } catch { return null; }
+}
+
 export async function executePipeline(cfg) {
   await checkRequirements(cfg);
   printSummary(cfg);
@@ -187,6 +236,16 @@ export async function executePipeline(cfg) {
     '',
   ], { color: 'primary', padding: 2 });
 
+  // Generate a signed 1-click login URL (expires in 5 min)
+  if (cfg.appEndpoint) {
+    const signedUrl = await generateSignedLoginUrl(cfg.appEndpoint, cfg.region);
+    if (signedUrl) {
+      console.error();
+      printInfo('1-click login URL (expires in 5 minutes):');
+      console.error(`  ${signedUrl}`);
+    }
+  }
+
 }
 
 // ── Summary ─────────────────────────────────────────────────────────────────
