Authentication
The Community DevOps Agent API uses AWS SigV4 authentication directly, without the complex JWT exchange flow used by some other AWS services.
Overview
Unlike many AWS services that require JWT generation and credential exchange, the DevOps Agent API uses direct AWS SigV4 signing with your existing AWS credentials. This simplifies authentication and reduces latency.
How It Works
- Direct Credential Usage: The library uses your AWS credentials directly without modification
- SigV4 Signing: All API requests are signed using the AWS Signature Version 4 algorithm
- Standard Resolution: Credentials are resolved using boto3’s standard credential chain
Credential Provider
Authentication module for DevOps Agent API.
This module implements direct AWS SigV4 authentication for boto3 integration. No JWT generation or credential exchange is needed - we use AWS credentials directly.
- class devopsagent_api.auth.DevOpsAgentCredentialProvider
Bases: CredentialProvider
Custom credential provider for the DevOps Agent API.
This provider uses direct AWS SigV4 authentication, passing through the user’s AWS credentials directly without JWT exchange.
Initialize the credential provider.
- load(service_name: str | None = None) -> Credentials | None
Load credentials for the DevOps Agent service.
This method is called by botocore when credentials are needed. It only provides credentials for the community-devops-agent service.
- Parameters:
service_name – The service name requesting credentials
- Returns:
Credentials object or None if unable to obtain credentials
Supported Credential Sources
The library supports all standard AWS credential sources:
Environment Variables
export AWS_ACCESS_KEY_ID=your-access-key
export AWS_SECRET_ACCESS_KEY=your-secret-key
export AWS_REGION=us-east-1
Shared Credentials File
# ~/.aws/credentials
[default]
aws_access_key_id = your-access-key
aws_secret_access_key = your-secret-key
AWS CLI Configuration
# ~/.aws/config
[default]
region = us-east-1
IAM Roles (for EC2, Lambda, etc.)
The library automatically detects and uses IAM roles when running on AWS infrastructure.
Custom Credential Providers
You can also use custom boto3 credential providers by configuring them in your boto3 session.
Authentication Flow
1. User imports devopsagent_api
2. Service registration triggers
3. DevOpsAgentCredentialProvider loads AWS credentials
4. Credentials are used for SigV4 signing
5. All API requests are signed automatically
No JWT Generation
Unlike some AWS services, the DevOps Agent API does not require:
- JWT token generation
- Credential exchange workflows
- Temporary credential management
- Complex authentication state
This makes the authentication process simpler and more reliable.
Troubleshooting
Authentication Errors
If you encounter authentication errors:
# Check your AWS credentials
aws sts get-caller-identity
# Verify region configuration
aws configure list
Permission Issues
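Ensure your AWS credentials have the necessary permissions. The policy below allows every devops-agent action on every resource; scope Action and Resource down to what your workload actually calls: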
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "devops-agent:*"
            ],
            "Resource": "*"
        }
    ]
}
Region Mismatch
Ensure you’re using the correct AWS region for the DevOps Agent service.
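What the SigV4 signing step under How It Works computes, and why a region mismatch shows up as an authentication error: the signing key is derived from the secret key, date, region and service name, so a request signed for the wrong region carries a signature the service cannot reproduce. This is an added standard-library example, not the library's or botocore's code (botocore performs this signing for you). The host, keys and timestamp are constructed, and using community-devops-agent as the signing name is an assumption.

```python
import hashlib
import hmac

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the scoped key: secret -> date -> region -> service -> aws4_request."""
    key = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def sign(method, host, path, body, amz_date, region, service, access_key, secret):
    """Return the Authorization header value for a request with no query string."""
    date = amz_date[:8]
    # Canonical request: method, path, query, headers, signed header names, body hash.
    canonical = "\n".join([
        method, path, "",
        f"host:{host}\nx-amz-date:{amz_date}\n",
        "host;x-amz-date",
        hashlib.sha256(body).hexdigest(),
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical.encode()).hexdigest(),
    ])
    key = signing_key(secret, date, region, service)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders=host;x-amz-date, Signature={signature}")

def signature_of(header: str) -> str:
    return header.rsplit("Signature=", 1)[1]

# Constructed sample values: not real keys, not a real endpoint.
REQ = dict(method="POST", host="devops-agent.example.invalid", path="/",
           body=b'{"ping": true}', amz_date="20250101T000000Z",
           service="community-devops-agent",  # assumed signing name
           access_key="AKIDEXAMPLE", secret="constructed-secret-for-demo")

if __name__ == "__main__":
    east = sign(region="us-east-1", **REQ)
    west = sign(region="us-west-2", **REQ)
    print(east)
    print("signatures match across regions:", signature_of(east) == signature_of(west))
```

The same scoping applies to the date and the service name, and the body hash inside the canonical request means a payload altered after signing also fails verification.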
Security Best Practices
- Rotate Credentials: Regularly rotate your AWS access keys
- Use IAM Roles: Prefer IAM roles over long-term access keys
- Least Privilege: Grant only the minimum required permissions
- Monitor Usage: Monitor AWS CloudTrail for API usage patterns
Advanced Usage
For advanced authentication scenarios:
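import boto3
from botocore.credentials import CredentialProvider

# Custom credential provider
class CustomProvider(CredentialProvider):
    # Names the credential resolver uses to identify this provider
    METHOD = 'custom'
    CANONICAL_NAME = 'custom'

    def load(self):
        # Your custom credential logic: return a
        # botocore.credentials.Credentials object, or None to let the
        # next provider in the chain try.
        return None

# Register the custom provider ahead of the built-in 'env' provider.
# Chain order is set through the resolver's insert_before()/insert_after().
session = boto3.Session()
resolver = session._session.get_component('credential_provider')
resolver.insert_before('env', CustomProvider())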