AWS 签名算法SigV4 的python实现

最近测试bedrock API。用它验证签名。

python 复制代码
#!/usr/bin/env python
# coding=utf-8

import hashlib
import hmac

# 定义函数:生成 SHA256 哈希
def sha256_hash(data):
    return hashlib.sha256(data.encode('utf-8')).hexdigest()

# 定义函数:HMAC-SHA256 签名
def sign(key, msg):
    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()

# 定义函数:生成签名密钥
def get_signature_key(secret_key, date_stamp, region_name, service_name):
    k_date = sign(('AWS4' + secret_key).encode('utf-8'), date_stamp)
    k_region = sign(k_date, region_name)
    k_service = sign(k_region, service_name)
    k_signing = sign(k_service, 'aws4_request')
    return k_signing

# 1. 规范请求
http_method = "POST"
canonical_uri = "/model/us.anthropic.claude-3-5-sonnet-20241022-v2%3A0/converse"
canonical_querystring = ""  # 空查询字符串
payload_hash = sha256_hash("{\"messages\":[{\"role\":\"user\",\"content\":[{\"text\":\"Provide general steps to debug a BSOD on a Windows laptop.\"}]}],\"system\":[{\"text\":\"You are a tech support expert who helps resolve technical issues. Signal SUCCESS if you can resolve the issue, otherwise FAILURE\"}],\"inferenceConfig\":{\"stopSequences\":[\"SUCCESS\",\"FAILURE\"]},\"additionalModelRequestFields\":{\"top_k\":200}}")  # 空 JSON 请求体的哈希值
print("payload_hash:\n"+payload_hash)

canonical_headers = (
    "host:bedrock-runtime.us-east-1.amazonaws.com\n"
    "x-amz-date:20250122T092741Z\n"
    "x-amz-security-token:IQoJb3JpZ2luX2VjENL//wEaCXVzLWVhc3QtMSJHMEUCIFUZwfu0CLXeFAD0WEWchvmxEx+iVxRNL1Q17ti0SwwcAiEAoOeBi0ocqsTkQNFcpYaer3e/B0l3agWrUFlBjw262NcqkgMIy///ARAAGgwwMDM4MzM5ODk3NDQiDECroDnHWInBWYPNdyrmAsgweKDdPZPmU507A9prUbnTW5aE7HeS3BXFbXODqMCmtv1EVDINli1DuIYfY08rVyne50o9AtpqMgJd27mE9QCS9cfDsCAH+KQfBiyVmoDPiSGiEBhnt/GB/t8lg3uOug8AyF+/+YEi12xNkHfhF3sM5y1HdVllXp1VjHpBq1UIZsMh2/kuFnQ+8L9ylO1pUeK5LA+XqfBEwRUrq4LrThS6uPoxOzj5BuMOzWIFRxVdbGYCAgOIv5iVz9I1on30i6ezNlXspc6UcbSY/+rTi72WvDt9nc6wYRVNFy+dNM8QdZv/UkU9IrRerXzyIibSmHSJbgeSfw2iX7ATD6A8aWBzYmSzuj+oh2ztK/8yZq6iCQVkNvxsV6aWQFZJOC6nyV3aKGyDdt8RT8pjBk6n0YBfRs/eWx3gvr4gUhdkJUyLntn5O53ri9RRrQx1YS18rN4w/U6MvSDwKJAu20kSJYAO8o2neAowhZTBvAY6pwHq3PbSD19+Z109czCYImCN4AbvuZv7F55ISFaHJz2L4Q6OuoBM2Wi+MSjuHE9bw2Jz+xRfBsrRwAhru/gjwWTp0yqrQrlOCCn47I/cQwnKYoaGi1m9BRIDJiKz0d7mieBIovHrn7ajB6yKbRWdyWYflj2oARC7Qz3m6zEuT04GEKewQWADoZ1B0YPIxMdeljvgcMJJpqaR0kuqeUi5UcQmvIW2FLenLQ==\n"
)

signed_headers = "host;x-amz-date;x-amz-security-token"

canonical_request = (
    f"{http_method}\n"
    f"{canonical_uri}\n"
    f"{canonical_querystring}\n"
    f"{canonical_headers}\n"
    f"{signed_headers}\n"
    f"{payload_hash}"
)
hashed_canonical_request = sha256_hash(canonical_request)

# 2. 待签名字符串
algorithm = "AWS4-HMAC-SHA256"
timestamp = "20250122T092741Z"
date_stamp = "20250122"
region_name = "us-east-1"
service_name = "bedrock"

credential_scope = f"{date_stamp}/{region_name}/{service_name}/aws4_request"
string_to_sign = (
    f"{algorithm}\n"
    f"{timestamp}\n"
    f"{credential_scope}\n"
    f"{hashed_canonical_request}"
)

# 3. 生成签名密钥
secret_key = "7/LH0q2Oxo5H1wqg4y5hZZVxkJRI19wosNcrItYD"  # 替换为你的 AWS Secret Access Key
signing_key = get_signature_key(secret_key, date_stamp, region_name, service_name)

# 4. 生成最终签名
signature = hmac.new(signing_key, string_to_sign.encode('utf-8'), hashlib.sha256).hexdigest()

# 输出结果
print("Canonical Request:\n"+canonical_request)
print("Hashed Canonical Request:\n"+hashed_canonical_request)
print("String to Sign:\n"+string_to_sign)
print("Signature:\n"+signature)
相关推荐
威联通网络存储10 小时前
基于TS-h3087XU-RP的大型成套空分设备DCS历史趋势数据治理
aws
A小辣椒15 天前
AWS Clould Support Engineer就职面试题
aws
亚林瓜子18 天前
AWS WAF中如何放行某个触发了托管规则的接口
aws·waf
悠悠1213820 天前
AWS DevOps Agent 体验一周后,我决定把 oncall 手机调成静音了
云计算·aws·devops
yyuuuzz20 天前
独立站运营的几个技术层面常见问题
大数据·运维·服务器·网络·数据库·aws
yyuuuzz20 天前
游戏云服务器推荐的技术选择思路
大数据·运维·服务器·游戏·云计算·aws
kernelcraft21 天前
Boto3:Python 操作 AWS 的官方 SDK
开发语言·python·其他·aws
普通网友1 个月前
Serverless 框架:多云函数部署(AWS + 阿里云 + 腾讯云)
阿里云·serverless·aws
TG_yunshuguoji1 个月前
亚马逊云代理商:如何用 CloudWatch+Lambda 打造自动化告警系统
大数据·运维·自动化·云计算·aws
yyuuuzz1 个月前
独立站搭建的几个核心技术问题
运维·服务器·网络·数据库·aws