aws_access_key
The 'aws_access_key' directive specifies the AWS access key to authenticate requests to AWS services.
Description
The 'aws_access_key' directive is utilized in NGINX configurations to designate the AWS access key required for authenticating requests to AWS services, particularly when using S3 through the AWS V4 authentication protocol. This key serves as a crucial part of the credentials needed to generate a signing key, which is used to authorize and sign requests to AWS endpoints, ensuring secure access to resources.
The directive expects a single argument, which is the AWS access key ID. It can be defined in various contexts such as 'http', 'server', and 'location', allowing flexible configurations depending on the desired scope of authentication. The access key provided must be valid and associated with an identity that has permissions to perform actions on the associated S3 bucket or other specified AWS resources. Proper management of the access key, including securing it against unauthorized access, is essential for maintaining the security of the AWS account.
When the server receives requests, the module automatically incorporates the 'aws_access_key' along with other configured parameters, such as the signing key and key scope, to authenticate the requests to the respective AWS service endpoints. This allows for seamless integration of NGINX as a proxy for AWS services while maintaining robust security through the use of signed requests, which reduce the risk of exposing sensitive credentials directly in the server configuration.
Config Example
    server {
        listen 8000;
        aws_access_key your_aws_access_key; # Example: AKIDEXAMPLE
        aws_key_scope scope_of_generated_signing_key; # Example: 20150830/us-east-1/service/aws4_request
        aws_signing_key signing_key_generated_using_script; # Example: L4vRLWAO92X5L3Sqk5QydUSdB0nC9+1wfqLMOKLbRp4=
        aws_s3_bucket your_s3_bucket;
        location / {
            aws_sign;
            proxy_pass http://your_s3_bucket.s3.amazonaws.com;
        }
    }

Ensure the access key is not hard-coded in publicly accessible configuration files to prevent exposure.
Always refresh the signing key regularly as it is valid for only one week; failing to do so will result in authentication errors.
When deploying configurations across multiple servers, ensure that the AWS access key is synchronized appropriately.
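
The following Python example is added here and is not the module's own key-generation script. It derives the aws_key_scope and aws_signing_key values with the standard AWS Signature Version 4 key derivation and flags a scope that has passed the one-week validity noted above; the function names, the "s3" service name and the placeholder secret are assumptions.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

KEY_LIFETIME = timedelta(days=7)  # one-week validity stated in the notes above


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key, day, region="us-east-1", service="s3"):
    """Return (key_scope, base64 signing key) using the SigV4 HMAC chain."""
    datestamp = day.strftime("%Y%m%d")
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in (datestamp, region, service, "aws4_request"):
        key = _hmac(key, part)
    scope = f"{datestamp}/{region}/{service}/aws4_request"
    return scope, base64.b64encode(key).decode("ascii")


def scope_needs_refresh(key_scope, today):
    """True once the date in aws_key_scope is seven or more days old."""
    parts = key_scope.split("/")
    if len(parts) != 4 or parts[3] != "aws4_request":
        raise ValueError(f"malformed key scope: {key_scope!r}")
    issued = datetime.strptime(parts[0], "%Y%m%d").date()
    return today - issued >= KEY_LIFETIME


def render_directives(access_key_id, secret_key, day, region="us-east-1"):
    """Config lines for nginx; the secret key itself is never written out."""
    scope, signing_key = derive_signing_key(secret_key, day, region)
    return (f"aws_access_key {access_key_id};\n"
            f"aws_key_scope {scope};\n"
            f"aws_signing_key {signing_key};\n")


if __name__ == "__main__":
    # Placeholder fallback is constructed for the demo, not a real credential.
    secret = os.environ.get("AWS_SECRET_ACCESS_KEY", "constructed-demo-secret")
    today = datetime.now(timezone.utc).date()
    print(render_directives("AKIDEXAMPLE", secret, today))
    old_scope = "20150830/us-east-1/s3/aws4_request"  # constructed sample
    print("refresh needed:", scope_needs_refresh(old_scope, today))
```

The generated aws_signing_key can sign requests for its scope until it expires, so the file that holds it should be readable only by the account that runs NGINX.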