aws_signing_key

The `aws_signing_key` directive specifies the AWS signing key used for authenticating requests to AWS services through NGINX.

Syntax:    aws_signing_key string;
Default:   none
Context:   http, server, location
Arguments: 1

Description

The aws_signing_key directive is part of the NGINX module that proxies requests to authenticated AWS services such as S3. It takes a single argument: the precalculated signing key. The signing key is the output of the key-derivation step of AWS's Signature Version 4 signing process, the cryptographic procedure that authenticates requests to AWS.

When configuring NGINX to interact with AWS services, it is critical to handle the signing key securely. The signing key should not be confused with AWS's secret access key: it is derived from the secret key specifically for request authentication and is valid only for a limited duration (usually one week). To reduce the impact of a compromised NGINX host, it is generally advised not to store the AWS secret key on the NGINX server at all; instead, a separate secure system should derive signing keys and distribute them to NGINX as needed. The aws_signing_key directive must be set correctly; otherwise, requests sent to AWS will fail to authenticate.

This directive can be used in the http, server, and location contexts, allowing the configuration to follow how the AWS services are accessed. Combined with the aws_access_key, aws_key_scope, and aws_endpoint directives, it forms a complete configuration for AWS service authentication. Note that the module does not verify that a signing key has been configured, so omitting this directive leads to access errors as soon as requests reach AWS endpoints that require authentication.

Config Example

server {
    listen     8000;

    aws_access_key your_aws_access_key;
    aws_key_scope scope_of_generated_signing_key;
    aws_signing_key signing_key_generated_using_script;
    aws_s3_bucket your_s3_bucket;

    location / {
        aws_sign;
        proxy_pass http://your_s3_bucket.s3.amazonaws.com;
    }
}

Ensure the signing key is kept secure and not hard-coded directly in the configuration if possible.

The signing key needs to be refreshed regularly as it has a limited validity period.

Mismatching the signing key with the access key or region can lead to authentication failures.
