aws_key_scope

Defines the scope of the AWS signing key used for authenticating requests to AWS services.

Syntax:    aws_key_scope scope;
Default:   none
Context:   http, server, location
Arguments: 1

Description

The aws_key_scope directive in NGINX's AWS authentication module specifies the scope of the signing key used for AWS services. The scope is a required input to AWS's Signature Version 4 process: a signing key is derived for exactly one date, region and service, so the scope must name all three in the form YYYYMMDD/region/service/aws4_request (the UTC date of the key, the AWS region, the AWS service name, and the fixed terminator aws4_request). Supplying the correct scope ensures that the AWS endpoint can validate the signature against the intended service. Because the directive is allowed in the http, server and location contexts, different parts of a configuration can use different scopes, for example to reach endpoints in different regions.

When a request is made, NGINX uses this scope together with the configured signing key to produce a signed request that S3 can authenticate. Because each signing key is bound to its scope, a key is only usable for the date, region and service it was derived for, which keeps the keys compartmentalized and simplifies access control. Signing keys are sensitive material: store them securely and refresh them regularly, as they are only valid for a limited time, typically one week.

In summary, this directive is essential when setting NGINX up as a proxy for AWS services, particularly S3: it ensures that requests are signed correctly and that sensitive information such as access keys and signing keys is not exposed unnecessarily.

Config Example

server {
    listen 8000;
    # Placeholder values: substitute your own access key, scope and derived signing key.
    aws_access_key your_aws_access_key;
    # Scope format: YYYYMMDD/region/service/aws4_request
    aws_key_scope 20150830/us-east-1/service/aws4_request;
    # Signing key derived from the secret key for the scope above; refresh it together with the scope.
    aws_signing_key signing_key_generated_using_script;
    aws_s3_bucket your_s3_bucket;

    location / {
        # Sign every proxied request with the key and scope configured above.
        aws_sign;
        proxy_pass http://your_s3_bucket.s3.amazonaws.com;
    }
}

Ensure the format of the key scope string matches the required AWS format: YYYYMMDD/region/service/aws4_request.

Be cautious with the key's validity; signing keys need to be refreshed frequently.

Avoid exposing your AWS access and signing keys in publicly accessible configurations.
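As an added example, not part of this page or of the module's own key-generation script, the following Python shows how the signing key named by a scope is derived under Signature Version 4, validates that a scope string has the YYYYMMDD/region/service/aws4_request form described above, and flags a scope whose date is old enough that the key needs refreshing. It assumes the module expects the signing key base64-encoded and uses a seven-day refresh threshold following the "typically one week" note above; the secret key is AWS's documentation placeholder, not a real credential.

```python
import base64
import hashlib
import hmac
import re
from datetime import date

# Scope accepted by aws_key_scope, as described on this page:
#   YYYYMMDD/region/service/aws4_request
SCOPE_RE = re.compile(r"^(\d{8})/([a-z0-9-]+)/([a-z0-9-]+)/aws4_request$")

# Refresh threshold in days (assumption based on the "about one week" note).
MAX_SCOPE_AGE_DAYS = 7


def _to_date(datestamp: str) -> date:
    """Convert YYYYMMDD into a date; raises ValueError for impossible dates."""
    return date(int(datestamp[:4]), int(datestamp[4:6]), int(datestamp[6:]))


def parse_scope(scope: str) -> tuple[str, str, str]:
    """Validate a key scope string and return (datestamp, region, service)."""
    m = SCOPE_RE.match(scope)
    if not m:
        raise ValueError(
            f"key scope {scope!r} is not of the form YYYYMMDD/region/service/aws4_request"
        )
    datestamp, region, service = m.groups()
    _to_date(datestamp)  # rejects e.g. 20151345, which matches the digit pattern only
    return datestamp, region, service


def is_valid_scope(scope: str) -> bool:
    """True when the scope string is well formed and carries a real date."""
    try:
        parse_scope(scope)
        return True
    except ValueError:
        return False


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_access_key: str, scope: str) -> bytes:
    """Derive the 32-byte SigV4 signing key for the given secret and scope.

    The chain HMAC(date) -> HMAC(region) -> HMAC(service) -> HMAC("aws4_request")
    is why a signing key is only usable within its scope.
    """
    datestamp, region, service = parse_scope(scope)
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), datestamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def signing_key_b64(secret_access_key: str, scope: str) -> str:
    """Base64 form of the signing key (assumed encoding for aws_signing_key)."""
    return base64.b64encode(derive_signing_key(secret_access_key, scope)).decode("ascii")


def scope_age_days(scope: str, today: str) -> int:
    """Days between the scope's date and `today` (YYYYMMDD); negative if in the future."""
    datestamp, _, _ = parse_scope(scope)
    return (_to_date(today) - _to_date(datestamp)).days


def scope_needs_refresh(scope: str, today: str, max_age_days: int = MAX_SCOPE_AGE_DAYS) -> bool:
    """True when the scope's key is past the refresh threshold or dated in the future."""
    age = scope_age_days(scope, today)
    return age < 0 or age >= max_age_days


if __name__ == "__main__":
    # Placeholder secret from AWS documentation, not a live credential.
    secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    scope = "20150830/us-east-1/service/aws4_request"
    print("aws_key_scope", scope + ";")
    print("aws_signing_key", signing_key_b64(secret, scope) + ";")
    print("needs refresh on 20150906:", scope_needs_refresh(scope, "20150906"))
```

Run it directly to print directive values for the page's example scope; `scope_needs_refresh` is the check to wire into whatever rotates the configuration, since the derived key stops being accepted once its scope date is too old.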
