You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
feat(aws): real SigV4 signing for the 8 AWS-family connectors (#118)
Self-contained AWS4-HMAC-SHA256 signer (node:crypto, no SDK) wired into the declarative-REST path via credentialPlacement 'aws-sigv4'. Credentials = JSON bundle {accessKeyId,secretAccessKey,region[,sessionToken,endpoint]} in the api-key field; region drives the {region} host template. KAT-pinned (IAM ListUsers + S3 GetObject). Follow-ups: #120, #121, #122. Closes#113.
description: 'Invoke AWS Bedrock foundation models for text generation, image analysis, image generation, and embeddings; list available foundation models.',
20
-
auth: {kind: 'api-key',hint: 'AWS access key id / secret access key pair (the connection should also carry metadata.region; requests are signed with AWS Signature V4 at the gateway).'},
23
+
auth: {kind: 'api-key',hint: 'AWS credentials as JSON: {"accessKeyId":"AKIA…","secretAccessKey":"…","region":"us-east-1"}. Optional "sessionToken" and "endpoint". Requests are signed with AWS Signature V4; the region selects the bedrock-runtime.<region>.amazonaws.com endpoint.'},
21
24
category: 'other',
22
25
// Bedrock model invocations are non-idempotent generative calls; the manifest
23
26
// surfaces are advisory (best-effort), not authoritative state.
24
27
defaultConsistencyModel: 'advisory',
25
28
// bedrock-runtime is the workhorse endpoint for invoke/converse. Control-plane
26
29
// listing operations override the host on a per-capability basis below.
description: 'Scalable storage in the cloud. Read, upload, delete, and manage files in S3 buckets.',
7
7
auth: {
8
8
kind: 'api-key',
9
-
hint: 'AWS Access Key ID and Secret Access Key. Provide credentials for IAM user with S3 permissions.',
9
+
hint: 'AWS credentials as JSON: {"accessKeyId":"AKIA…","secretAccessKey":"…","region":"us-east-1"} for an IAM principal with S3 permissions. Optional "sessionToken" and "endpoint" (S3-compatible stores). Requests are signed with AWS Signature V4; the region selects the s3.<region>.amazonaws.com endpoint.',
10
10
},
11
11
category: 'storage',
12
12
defaultConsistencyModel: 'authoritative',
13
-
baseUrl: 'https://s3.amazonaws.com',
13
+
// S3 REST API, path-style. Each request is signed with AWS Signature V4
14
+
// (service `s3`, which signs the request path verbatim); the bundle's region
15
+
// is substituted into the `{region}` host template.
'Create, read, update, find, and delete secrets in AWS Secrets Manager, or generate a random password.',
11
13
auth: {
12
14
kind: 'api-key',
13
-
hint: 'AWS access key id + secret access key + region (api-key field carries the SigV4 credential bundle).',
15
+
hint: 'AWS credentials as JSON: {"accessKeyId":"AKIA…","secretAccessKey":"…","region":"us-east-1"}. Optional "sessionToken" and "endpoint". Requests are signed with AWS Signature V4; the region selects the secretsmanager.<region>.amazonaws.com endpoint.',
description: 'Send transactional and templated email and manage SES email templates via the Amazon SES v2 REST API.',
21
21
auth: {
22
22
kind: 'api-key',
23
-
hint: 'AWS access key ID + secret access key with ses:SendEmail / ses:SendTemplatedEmail / template-management permissions. The region selects the SES endpoint (e.g. us-east-1).',
23
+
hint: 'AWS credentials as JSON: {"accessKeyId":"AKIA…","secretAccessKey":"…","region":"us-east-1"} (the key needs ses:SendEmail / ses:SendTemplatedEmail / template-management permissions). Optional "sessionToken" and "endpoint". Requests are signed with AWS Signature V4; the region selects the email.<region>.amazonaws.com (SES v2) endpoint.',
24
24
},
25
25
category: 'comms',
26
26
defaultConsistencyModel: 'authoritative',
27
-
baseUrl: {metadataKey: 'endpoint'},
27
+
// SES v2 REST API: the SigV4 signing name is `ses`, but the regional host is
28
+
// the `email.` subdomain. metadata.endpoint still overrides when a tenant
'Publish messages to Amazon Simple Notification Service topics, manage topics, and manage subscriptions.',
14
14
auth: {
15
15
kind: 'api-key',
16
-
hint: 'AWS access key id + secret access key + region (api-key field carries the SigV4 credential bundle).',
16
+
hint: 'AWS credentials as JSON: {"accessKeyId":"AKIA…","secretAccessKey":"…","region":"us-east-1"}. Optional "sessionToken" and "endpoint". Requests are signed with AWS Signature V4; the region selects the sns.<region>.amazonaws.com endpoint.',
'Send, receive, and delete messages on AWS SQS queues, and discover queue URLs and attributes.',
20
21
auth: {
21
22
kind: 'api-key',
22
-
hint: 'AWS access key id + secret access key + region (api-key field carries the SigV4 credential bundle; metadata.endpoint may override the regional host).',
23
+
hint: 'AWS credentials as JSON: {"accessKeyId":"AKIA…","secretAccessKey":"…","region":"us-east-1"}. Optional "sessionToken" (STS temp creds) and "endpoint" (override host). Requests are signed with AWS Signature V4; the region selects the sqs.<region>.amazonaws.com endpoint.',
23
24
},
24
25
category: 'other',
25
26
// SQS is an at-least-once durable queue: sends, deletes, and queue-attribute
26
27
// reads are authoritative against the service. Receive returns a transient
27
28
// visibility-locked view, but the queue state itself is authoritative.
'Extract text, forms, tables, signatures, and structured data (expense, identity) from documents using AWS Textract.',
25
27
auth: {
26
28
kind: 'api-key',
27
-
hint: 'AWS access key id + secret access key + region (api-key field carries the SigV4 credential bundle; the gateway signs each request).',
29
+
hint: 'AWS credentials as JSON: {"accessKeyId":"AKIA…","secretAccessKey":"…","region":"us-east-1"}. Optional "sessionToken" and "endpoint". Requests are signed with AWS Signature V4; the region selects the textract.<region>.amazonaws.com endpoint.',
0 commit comments