Add AWS Sigv4 authentication with credential providers and LocalStack integration tests

[Copilot]

Adds AWS Signature Version 4 authentication for http.Client to enable requests to AWS services (S3, API Gateway, Lambda, etc.) with comprehensive credential provider support and LocalStack integration testing.

Implementation

• AuthConfig: Extended with AWS credentials (access key, secret key, session token, region, service, endpoint, credentials provider)
• Client API: Added multiple authentication methods:
  • AWSAuth() - Static credentials
  • AWSSessionToken() - Temporary credentials support
  • AWSAuthWithCredentialsProvider() - Dynamic credential lookup from environment, config files, profiles, IAM roles
  • AWSEndpoint() - Custom endpoints for LocalStack and AWS-compatible services
• Middleware: Created middlewares/aws_sigv4.go using github.com/aws/aws-sdk-go-v2/aws/signer/v4 for request signing with support for both static credentials and credential providers

Credential Provider Support

The implementation supports AWS credential lookup from:

• Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION)
• AWS config/credentials files (~/.aws/config, ~/.aws/credentials)
• AWS profiles (named profiles from configuration)
• IAM roles (EC2/ECS instance metadata)

Integration Testing

• LocalStack Integration: Complete test suite using LocalStack for local AWS service testing
• Test Method: Uses AWS STS GetCallerIdentity API for testing authentication (simple, stateless, no resource cleanup needed)
• Test Coverage: Static credentials, environment variables, credential providers, session tokens, AWS SDK verification
• Docker Compose: Included docker-compose.yml in http/testdata/ for easy LocalStack setup
• Documentation: Comprehensive testing guide in http/testdata/README.md

Dependency Impact

• Added: 14 packages (+13.5%)
  • Core: github.com/aws/aws-sdk-go-v2 v1.41.1, github.com/aws/smithy-go v1.24.0
  • Credential providers: aws-sdk-go-v2/config v1.32.9, aws-sdk-go-v2/credentials v1.19.9
  • Test dependencies: aws-sdk-go-v2/service/sts v1.41.6 and related packages
• Total: 104 → 118 dependencies
• Rationale: AWS SDK v2 config and credentials packages are required for credential provider support (environment variables, config files, profiles, IAM roles). The STS SDK is used only in integration tests for authentication verification.

Usage

// Static credentials
client := http.NewClient().
    AWSAuth(accessKeyID, secretAccessKey, "us-east-1", "s3")

// With session token (temporary credentials)
client := http.NewClient().
    AWSAuth(accessKeyID, secretAccessKey, "us-east-1", "s3").
    AWSSessionToken(sessionToken)

// Using credential providers (environment, config files, profiles, IAM roles)
cfg, _ := awsconfig.LoadDefaultConfig(ctx)
client := http.NewClient().
    AWSAuthWithCredentialsProvider(cfg.Credentials, "us-east-1", "s3")

// With AWS profile
cfg, _ := awsconfig.LoadDefaultConfig(ctx,
    awsconfig.WithSharedConfigProfile("myprofile"))
client := http.NewClient().
    AWSAuthWithCredentialsProvider(cfg.Credentials, "us-east-1", "s3")

// LocalStack (for testing)
client := http.NewClient().
    AWSAuth("test", "test", "us-east-1", "sts").
    AWSEndpoint("localhost:4566")

// Making requests
resp, err := client.R(ctx).Get("https://mybucket.s3.amazonaws.com/object")

Running Integration Tests

# Start LocalStack
docker-compose -f http/testdata/docker-compose.yml up -d

# Run integration tests
go test -v -run TestAWSAuthIntegrationWithLocalStack ./http

Original prompt

---

This section details on the original issue you should resolve

<issue_title>http.Client add AWS Sigv4 auth option</issue_title>
<issue_description>- Use minimal dependencies

• Report increase in dependency count and size in the PR </issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes http.Client add AWS Sigv4 auth option #287

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[moshloop]

@copilot Add integration test with with localstack + test various credential lookups + profiles / roles

[Copilot]

@copilot Add integration test with with localstack + test various credential lookups + profiles / roles

Added comprehensive LocalStack integration tests and credential provider support in commit 1159005.

Features added:

• ✅ LocalStack integration test with S3 operations (bucket creation, object put/get)
• ✅ Credential provider support (environment variables, config files, profiles, IAM roles)
• ✅ Tests for static credentials, environment variables, and credential providers
• ✅ Session token support for temporary credentials
• ✅ Custom endpoint support via AWSEndpoint() method
• ✅ Docker Compose configuration for LocalStack
• ✅ Test documentation in http/testdata/README.md

New methods:

• AWSAuthWithCredentialsProvider(provider, region, service) - for dynamic credential lookup
• AWSEndpoint(endpoint) - for custom endpoints (e.g., localhost:4566)

Running integration tests:

# Start LocalStack
docker-compose -f http/testdata/docker-compose.yml up -d

# Run tests
go test -v -run TestAWSAuthIntegrationWithLocalStack ./http

Note: Dependency count increased from 104 to 123 (+19) due to AWS config/credentials packages required for credential provider support.

[moshloop]

@copilot fix lint errors and switch to testing with aws sts get-caller-identity

[Copilot]

@copilot fix lint errors and switch to testing with aws sts get-caller-identity

Fixed lint errors and switched to STS GetCallerIdentity tests in commit b1fff44.

Changes made:

• ✅ Lint errors fixed: Code is now gofmt compliant (no formatting issues)
• ✅ Switched to STS GetCallerIdentity: Replaced S3 bucket/object tests with STS GetCallerIdentity API calls
• ✅ Reduced dependencies: Removed S3 SDK dependency (118 total dependencies, down from 123)
• ✅ Updated LocalStack config: docker-compose.yml now only starts STS service
• ✅ Updated documentation: README reflects STS usage and benefits

Why STS GetCallerIdentity?

• Simple, read-only operation that requires no setup
• No resource creation/cleanup needed
• Faster and more reliable than S3 tests
• Tests pure authentication without side effects
• Works with all credential types (static, env vars, profiles, IAM roles)

All tests passing including:

• Unit tests for AWS auth configuration
• Credential provider configuration tests
• Integration tests (skip gracefully when LocalStack unavailable)