feat: add AWS SigV4 proxy integration #5041
Conversation
![propel-code-bot[bot]](https://avatars.githubusercontent.com/in/1179004?s=60&v=4){kind=small}
|
|
||
| ## Access requirements | ||
|
|
||
| | Pre-Requisites | Status | Comment| |
There was a problem hiding this comment.
[Documentation]
Fix spelling: change "Pre-Requisites" to "Prerequisites".
Context for Agents
[**Documentation**]
Fix spelling: change "Pre-Requisites" to "Prerequisites".
File: docs/integrations/all/aws-sigv4.mdx
Line: 18| | Tools | Status | | ||
| | - | - | | ||
| | HTTP request logging | ✅ | | ||
| | End-to-type type safety | ✅ | |
There was a problem hiding this comment.
[Documentation]
Fix typo: "End-to-type type safety" should be "End-to-end type safety".
Context for Agents
[**Documentation**]
Fix typo: "End-to-type type safety" should be "End-to-end type safety".
File: docs/snippets/generated/aws-sigv4/PreBuiltTooling.mdx
Line: 26| | Pre-configured rate-limit handling | 🚫 (time to contribute: <48h) | | ||
| | Per-customer configurations | ✅ | | ||
| </Accordion> | ||
| </AccordionGroup> No newline at end of file |
There was a problem hiding this comment.
[Documentation]
Add a newline at the end of the file to avoid the “No newline at end of file” marker.
Context for Agents
[**Documentation**]
Add a newline at the end of the file to avoid the “No newline at end of file” marker.
File: docs/snippets/generated/aws-sigv4/PreBuiltTooling.mdx
Line: 40
|
A few questions:
|
Our users would have to run the STS helper service |
With some cross-account sts assume role policy I imagine. I guess that what the cloudformation template is setting up. I would like to see the intended template. |
|
The intent is that the Nango customer runs their own STS helper container in their AWS account; it assumes roles on behalf of their end customers. That keeps Nango out of operating that lifecycle and cleanly separates responsibilities. Nango could optionally “provide” a boilerplate service, but only as a contract/example (see https://github.com/nickvelloff/nango-sts-boilerplate). It’s deliberately simple. CloudFormation templates are owned/hosted by the customer because they reflect their specific role needs. The only requirement is that the template URL is publicly readable (CORS-friendly) so the UI can hydrate parameters. Nango could host a few generic templates as defaults, but that’s just a nice-to-have. We assume anyone needing this enterprise-style integration already has the CloudFormation/DevOps maturity to host their own templates. Cloudformation template example (https://raw.githubusercontent.com/nickvelloff/nango-sts-boilerplate/refs/heads/main/infra/cloudformation/s3-readonly.json) - simply hosted publicly. Importantly: This file explains the usage and validation flows a customer would want to leverage when setting this up - https://github.com/nickvelloff/nango-sts-boilerplate/blob/main/docs/aws-sigv4-e2e-validation.md |
fix: add missing AWS SigV4 error types and type fixes
|
|
||
| ## Access requirements | ||
|
|
||
| | Pre-Requisites | Status | Comment| |
There was a problem hiding this comment.
[Documentation]
Fix table header formatting so the third column reads Comment without the trailing pipe character.
Context for Agents
[**Documentation**]
Fix table header formatting so the third column reads `Comment` without the trailing pipe character.
File: docs/integrations/all/aws-sigv4.mdx
Line: 18
|
This PR is stale because it has been open for 30 days with no activity. |
|
|
||
| To finish connecting an AWS SigV4 integration, you (the end customer) need: | ||
|
|
||
| 1. **Access to your AWS account** – enough permission to deploy the CloudFormation template (or equivalent) your vendor provides. |
There was a problem hiding this comment.
[Documentation] Grammar: change "enough permission" to "enough permissions."
Context for Agents
[**Documentation**]
Grammar: change "enough permission" to "enough permissions."
File: docs/integrations/all/aws-sigv4/connect.mdx
Line: 10| @@ -0,0 +1,5 @@ | |||
| ## Pre-built integrations | |||
|
|
|||
| _No pre-built integration yet (time to contribute: <48h)_ | |||
There was a problem hiding this comment.
[Documentation] Match the heading by pluralizing: change "No pre-built integration yet" to "No pre-built integrations yet."
Context for Agents
[**Documentation**]
Match the heading by pluralizing: change "No pre-built integration yet" to "No pre-built integrations yet."
File: docs/snippets/generated/aws-sigv4/PreBuiltUseCases.mdx
Line: 3|
|
||
| post: | ||
| operationId: postAuthAwsSigV4 | ||
| summary: Create an integration |
There was a problem hiding this comment.
[Documentation] The operationId postAuthAwsSigV4 does not match this generic "Create an integration" endpoint and makes the spec misleading. Please restore a generic name (e.g., the previous value) and reserve the SigV4-specific operationId for the new /auth/aws-sigv4/{providerConfigKey} route.
Context for Agents
[**Documentation**]
The `operationId` `postAuthAwsSigV4` does not match this generic "Create an integration" endpoint and makes the spec misleading. Please restore a generic name (e.g., the previous value) and reserve the SigV4-specific operationId for the new `/auth/aws-sigv4/{providerConfigKey}` route.
File: docs/spec.yaml
Line: 95| <Step title="Collect Role ARN & optional region during Connect"> | ||
| 1. Create a Connect session as usual. You can optionally pre-fill credential fields via `integrations_config_defaults` (see <a href="#pre-populating-credential-values">Pre-populating credential values</a>). | ||
| 2. The Connect UI shows your instructions, a one-click button for each template, **and a generated External ID**. Ask the customer to copy that External ID into their IAM trust policy before finishing the flow. | ||
| 3. When the end customer submits the form, Nango generates a unique ExternalId, calls your STS endpoint, tests the credentials via `GetCallerIdentity`, and stores a refreshable SigV4 credential. |
There was a problem hiding this comment.
[Documentation] Use consistent casing for the external ID. This line says "ExternalId" but the rest of the guide uses "External ID"/external_id. Update it to "External ID" (or external_id) for consistency.
Context for Agents
[**Documentation**]
Use consistent casing for the external ID. This line says "ExternalId" but the rest of the guide uses "External ID"/`external_id`. Update it to "External ID" (or `external_id`) for consistency.
File: docs/integrations/all/aws-sigv4.mdx
Line: 485 participants
Summary
Testing
Feature: AWS SigV4 Proxy Integration
This pull request introduces a new first-class 'AWS SigV4' provider, enabling proxy integrations with any AWS service through automatically signed requests. This is a comprehensive, full-stack feature that adds a new authentication flow to the backend, including a dedicated controller for handling sessions and fetching temporary credentials from customer-hosted STS endpoints. It also includes a shared service for SigV4 request signing, propagates the new
AWS_SIGV4authentication type across all SDKs and shared packages, and implements new UI components for both configuring the integration in the Nango dashboard and for the end-user connection flow in Connect UI.The change is designed to be backward-compatible but introduces a new
AuthTypeenum value. This allows Nango to securely proxy requests to AWS services without ever storing long-lived customer credentials, significantly enhancing security for AWS integrations.Key Changes
• Introduced a new
aws-sigv4provider inproviders.yamland the OpenAPI specification.• Added a new backend controller at
/auth/aws-sigv4inpackages/server/lib/controllers/auth/postAwsSigV4.tsto manage the authentication flow, including session creation, validation, and fetching temporary credentials.• Implemented a shared proxy service in
packages/shared/lib/services/proxy/aws-sigv4.tsfor building canonical requests and injecting SigV4Authorizationheaders.• Extended the
AuthTypeenum withAWS_SIGV4and propagated this change across@nangohq/types, the backend, and various SDKs.• Developed a new UI section in
packages/webapp/.../General.tsxfor configuring AWS SigV4 integrations, including settings for the STS endpoint, AWS service, default region, and dynamic management of CloudFormation templates.• Updated the Connect UI in
packages/connect-ui/src/views/Go.tsxto handle theAWS_SIGV4auth flow, providing inputs for IAM Role ARN and region, and displaying one-click CloudFormation deployment options.• Added comprehensive documentation for the new AWS SigV4 provider in
docs/integrations/all/aws-sigv4.mdx.• Included new unit tests for the SigV4 signing logic and integration tests for the new backend endpoints.
Affected Areas
• Backend Authentication (
packages/server/lib/controllers/auth/)• Shared Services (
packages/shared/lib/services/proxy/,packages/shared/lib/auth/)• Type Definitions (
packages/types/)• Webapp UI (
packages/webapp/src/pages/Integrations/)• Connect UI (
packages/connect-ui/src/views/)• Node SDK (
packages/node-client/)• Runner SDK (
packages/runner-sdk/)• API Specification (
docs/spec.yaml)• Documentation (
docs/)This summary was automatically generated by @propel-code-bot