feat(sandbox): proxy-side AWS SigV4 credential signing for CONNECT tunnels

architecture/sandbox.md

@@ -74,6 +74,12 @@ Credential placeholders in proxied HTTP requests can be resolved by the proxy
 when policy allows the target endpoint. Secrets must not be logged in OCSF or
 plain tracing output.
 
+For AWS endpoints that require request-level signing, the proxy supports SigV4
+re-signing. When `credential_signing: sigv4` is set on an L7 endpoint, the proxy
+strips the client's placeholder-based AWS auth headers, buffers the request body,
+computes a fresh SigV4 signature using real credentials from the provider, and
+forwards the re-signed request upstream.
+
 ## Connect and Logs
 
 The supervisor runs an SSH server on a Unix socket inside the sandbox. The

crates/openshell-policy/src/lib.rs

@@ -135,6 +135,10 @@ struct NetworkEndpointDef {
     graphql_persisted_queries: BTreeMap<String, GraphqlOperationDef>,
     #[serde(default, skip_serializing_if = "is_zero_u32")]
     graphql_max_body_bytes: u32,
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    credential_signing: String,
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    signing_service: String,
 }
 
 // Signature dictated by serde's `skip_serializing_if`, which requires `&T`.
@@ -347,6 +351,8 @@ fn to_proto(raw: PolicyFile) -> SandboxPolicy {
                                 })
                                 .collect(),
                             graphql_max_body_bytes: e.graphql_max_body_bytes,
+                            credential_signing: e.credential_signing,
+                            signing_service: e.signing_service,
                         }
                     })
                     .collect(),
@@ -512,6 +518,8 @@ fn from_proto(policy: &SandboxPolicy) -> PolicyFile {
                                 })
                                 .collect(),
                             graphql_max_body_bytes: e.graphql_max_body_bytes,
+                            credential_signing: e.credential_signing.clone(),
+                            signing_service: e.signing_service.clone(),
                         }
                     })
                     .collect(),
@@ -694,6 +702,8 @@ pub enum PolicyViolation {
     TooManyPaths { count: usize },
     /// A network endpoint uses a TLD wildcard (e.g. `*.com`).
     TldWildcard { policy_name: String, host: String },
+    /// `credential_signing` is set but `signing_service` is missing.
+    MissingSigningService { policy_name: String, host: String },
 }
 
 impl fmt::Display for PolicyViolation {
@@ -730,6 +740,13 @@ impl fmt::Display for PolicyViolation {
                      use subdomain wildcards like '*.example.com' instead"
                 )
             }
+            Self::MissingSigningService { policy_name, host } => {
+                write!(
+                    f,
+                    "network policy '{policy_name}': endpoint '{host}' has credential_signing \
+                     set but signing_service is empty"
+                )
+            }
         }
     }
 }
@@ -834,6 +851,12 @@ pub fn validate_sandbox_policy(
                     });
                 }
             }
+            if !ep.credential_signing.is_empty() && ep.signing_service.is_empty() {
+                violations.push(PolicyViolation::MissingSigningService {
+                    policy_name: name.clone(),
+                    host: ep.host.clone(),
+                });
+            }
         }
     }
 
@@ -1393,6 +1416,49 @@ network_policies:
         assert!(validate_sandbox_policy(&policy).is_ok());
     }
 
+    #[test]
+    fn validate_rejects_credential_signing_without_signing_service() {
+        let mut policy = restrictive_default_policy();
+        policy.network_policies.insert(
+            "aws".into(),
+            NetworkPolicyRule {
+                name: "bedrock".into(),
+                endpoints: vec![NetworkEndpoint {
+                    host: "bedrock-runtime.us-east-1.amazonaws.com".into(),
+                    port: 443,
+                    credential_signing: "sigv4".into(),
+                    signing_service: String::new(),
+                    ..Default::default()
+                }],
+                ..Default::default()
+            },
+        );
+        let violations = validate_sandbox_policy(&policy).unwrap_err();
+        assert!(violations
+            .iter()
+            .any(|v| matches!(v, PolicyViolation::MissingSigningService { .. })));
+    }
+
+    #[test]
+    fn validate_accepts_credential_signing_with_signing_service() {
+        let mut policy = restrictive_default_policy();
+        policy.network_policies.insert(
+            "aws".into(),
+            NetworkPolicyRule {
+                name: "bedrock".into(),
+                endpoints: vec![NetworkEndpoint {
+                    host: "bedrock-runtime.us-east-1.amazonaws.com".into(),
+                    port: 443,
+                    credential_signing: "sigv4".into(),
+                    signing_service: "bedrock".into(),
+                    ..Default::default()
+                }],
+                ..Default::default()
+            },
+        );
+        assert!(validate_sandbox_policy(&policy).is_ok());
+    }
+
     #[test]
     fn normalize_path_collapses_separators() {
         assert_eq!(normalize_path("/usr//lib"), "/usr/lib");

crates/openshell-providers/src/profiles.rs

@@ -596,6 +596,8 @@ fn endpoint_to_proto(endpoint: &EndpointProfile) -> NetworkEndpoint {
             .collect(),
         graphql_max_body_bytes: endpoint.graphql_max_body_bytes,
         path: endpoint.path.clone(),
+        credential_signing: String::new(),
+        signing_service: String::new(),
     }
 }
 

crates/openshell-sandbox/Cargo.toml

@@ -34,9 +34,14 @@ clap = { workspace = true }
 miette = { workspace = true }
 thiserror = { workspace = true }
 anyhow = { workspace = true }
-hmac = "0.12"
 sha2 = { workspace = true }
 hex = "0.4"
+http = { workspace = true }
+
+# AWS SigV4 request signing
+aws-sigv4 = { version = "1", features = ["sign-http", "http1"] }
+aws-credential-types = { version = "1", features = ["hardcoded-credentials"] }
+aws-smithy-runtime-api = { version = "1", features = ["client"] }
 russh = "0.57"
 rand_core = "0.6"
 

crates/openshell-sandbox/src/l7/mod.rs

@@ -50,6 +50,14 @@ pub enum TlsMode {
     Skip,
 }
 
+/// Credential signing mode for proxy-side request signing.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
+pub enum CredentialSigning {
+    #[default]
+    None,
+    SigV4,
+}
+
 /// Enforcement mode for L7 policy decisions.
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
 pub enum EnforcementMode {
@@ -88,6 +96,11 @@ pub struct L7EndpointConfig {
     /// When true, client-to-server GraphQL-over-WebSocket operation messages
     /// are classified with the same operation policy used by GraphQL-over-HTTP.
     pub websocket_graphql_policy: bool,
+    /// Proxy-side credential signing mode for this endpoint.
+    pub credential_signing: CredentialSigning,
+    /// AWS signing service name (e.g. `"bedrock"`). Required when
+    /// `credential_signing` is `SigV4`.
+    pub signing_service: String,
 }
 
 /// Result of an L7 policy decision for a single request.
@@ -165,6 +178,24 @@ pub fn parse_l7_config(val: &regorus::Value) -> Option<L7EndpointConfig> {
         .filter(|v| *v > 0)
         .unwrap_or(graphql::DEFAULT_MAX_BODY_BYTES);
 
+    let credential_signing = match get_object_str(val, "credential_signing").as_deref() {
+        Some("sigv4") => CredentialSigning::SigV4,
+        Some(other) if !other.is_empty() => {
+            let event = openshell_ocsf::NetworkActivityBuilder::new(crate::ocsf_ctx())
+                .activity(openshell_ocsf::ActivityId::Other)
+                .severity(openshell_ocsf::SeverityId::Medium)
+                .message(format!(
+                    "unrecognized credential_signing value {other:?}, falling back to none"
+                ))
+                .build();
+            openshell_ocsf::ocsf_emit!(event);
+            CredentialSigning::None
+        }
+        _ => CredentialSigning::None,
+    };
+
+    let signing_service = get_object_str(val, "signing_service").unwrap_or_default();
+
     Some(L7EndpointConfig {
         protocol,
         path: get_object_str(val, "path").unwrap_or_default(),
@@ -175,6 +206,8 @@ pub fn parse_l7_config(val: &regorus::Value) -> Option<L7EndpointConfig> {
         websocket_credential_rewrite,
         request_body_credential_rewrite,
         websocket_graphql_policy,
+        credential_signing,
+        signing_service,
     })
 }
 

crates/openshell-sandbox/src/l7/relay.rs

@@ -355,6 +355,9 @@ where
                     websocket_extensions: websocket_extension_mode(config),
                     request_body_credential_rewrite: config.protocol == L7Protocol::Rest
                         && config.request_body_credential_rewrite,
+                    credential_signing: config.credential_signing,
+                    signing_service: &config.signing_service,
+                    host: &ctx.host,
                 },
             )
             .await?;
@@ -780,6 +783,9 @@ where
                     websocket_extensions: websocket_extension_mode(config),
                     request_body_credential_rewrite: config.protocol == L7Protocol::Rest
                         && config.request_body_credential_rewrite,
+                    credential_signing: config.credential_signing,
+                    signing_service: &config.signing_service,
+                    host: &ctx.host,
                 },
             )
             .await?;
@@ -1429,6 +1435,8 @@ network_policies:
             websocket_credential_rewrite: true,
             request_body_credential_rewrite: false,
             websocket_graphql_policy: false,
+            credential_signing: crate::l7::CredentialSigning::None,
+            signing_service: String::new(),
         }];
         let ctx = L7EvalContext {
             host: "gateway.example.test".into(),
@@ -1530,6 +1538,8 @@ network_policies:
             websocket_credential_rewrite: true,
             request_body_credential_rewrite: false,
             websocket_graphql_policy: false,
+            credential_signing: crate::l7::CredentialSigning::None,
+            signing_service: String::new(),
         }];
         let (child_env, resolver) = SecretResolver::from_provider_env(
             std::iter::once(("DISCORD_BOT_TOKEN".to_string(), "real-token".to_string())).collect(),
@@ -1648,6 +1658,8 @@ network_policies:
             websocket_credential_rewrite: true,
             request_body_credential_rewrite: false,
             websocket_graphql_policy: true,
+            credential_signing: crate::l7::CredentialSigning::None,
+            signing_service: String::new(),
         }];
         let (child_env, resolver) = SecretResolver::from_provider_env(
             std::iter::once(("T".to_string(), "real-token".to_string())).collect(),

crates/openshell-sandbox/src/l7/rest.rs

@@ -377,6 +377,9 @@ where
             generation_guard,
             websocket_extensions: WebSocketExtensionMode::Preserve,
             request_body_credential_rewrite: false,
+            credential_signing: crate::l7::CredentialSigning::None,
+            signing_service: "",
+            host: "",
         },
     )
     .await
@@ -395,6 +398,9 @@ pub(crate) struct RelayRequestOptions<'a> {
     pub(crate) generation_guard: Option<&'a PolicyGenerationGuard>,
     pub(crate) websocket_extensions: WebSocketExtensionMode,
     pub(crate) request_body_credential_rewrite: bool,
+    pub(crate) credential_signing: crate::l7::CredentialSigning,
+    pub(crate) signing_service: &'a str,
+    pub(crate) host: &'a str,
 }
 
 pub(crate) async fn relay_http_request_with_options_guarded<C, U>(
@@ -421,8 +427,19 @@ where
         parse_websocket_upgrade_request(&req.raw_header[..header_end])?
     };
 
+    // When SigV4 signing is configured, strip AWS auth headers before credential
+    // rewriting so the fail-closed placeholder scan doesn't reject the SigV4
+    // Authorization header (which embeds placeholder strings).
+    let raw_for_rewrite;
+    let header_source = if options.credential_signing == crate::l7::CredentialSigning::SigV4 {
+        raw_for_rewrite = crate::sigv4::strip_aws_headers(&req.raw_header[..header_end]);
+        &raw_for_rewrite[..]
+    } else {
+        &req.raw_header[..header_end]
+    };
+
     let (header_bytes, expected_websocket_extension) = rewrite_websocket_extensions_for_mode(
-        &req.raw_header[..header_end],
+        header_source,
         options.websocket_extensions,
         websocket_request.is_some(),
     )?;
@@ -442,7 +459,82 @@ where
         guard.ensure_current()?;
     }
 
-    if options.request_body_credential_rewrite {
+    // Apply SigV4 signing if configured. We need the full request (headers + body)
+    // to compute the signature, so for SigV4 we always buffer the body first.
+    if options.credential_signing == crate::l7::CredentialSigning::SigV4 {
+        if let Some(resolver) = options.resolver {
+            let access_key_placeholder =
+                crate::secrets::placeholder_for_env_key("AWS_ACCESS_KEY_ID");
+            let secret_key_placeholder =
+                crate::secrets::placeholder_for_env_key("AWS_SECRET_ACCESS_KEY");
+            let session_token_placeholder =
+                crate::secrets::placeholder_for_env_key("AWS_SESSION_TOKEN");
+
+            match (
+                resolver.resolve_placeholder(&access_key_placeholder),
+                resolver.resolve_placeholder(&secret_key_placeholder),
+            ) {
+                (Some(access_key), Some(secret_key)) => {
+                    let session_token = resolver.resolve_placeholder(&session_token_placeholder);
+                    let region = crate::sigv4::extract_aws_region(options.host)
+                        .unwrap_or_else(|| "us-east-1".to_string());
+                    let service = &options.signing_service;
+                    if service.is_empty() {
+                        return Err(miette!(
+                            "SigV4 signing configured but signing_service not set in policy"
+                        ));
+                    }
+                    debug!(
+                        host = %options.host,
+                        region = %region,
+                        service = %service,
+                        "applying SigV4 signing to CONNECT tunnel request"
+                    );
+
+                    // Collect body from overflow + stream
+                    let overflow = &req.raw_header[header_end..];
+                    let mut full_request = rewrite_result.rewritten.clone();
+                    full_request.extend_from_slice(overflow);
+                    // Read remaining body based on content-length
+                    if let BodyLength::ContentLength(body_len) = parse_body_length(header_str)? {
+                        if body_len > MAX_REWRITE_BODY_BYTES as u64 {
+                            return Err(miette!(
+                                "SigV4 signing buffers at most {MAX_REWRITE_BODY_BYTES} bytes"
+                            ));
+                        }
+                        let already_have = overflow.len() as u64;
+                        if body_len > already_have {
+                            let remaining =
+                                usize::try_from(body_len - already_have).unwrap_or(usize::MAX);
+                            let mut body_buf = vec![0u8; remaining];
+                            client.read_exact(&mut body_buf).await.into_diagnostic()?;
+                            full_request.extend_from_slice(&body_buf);
+                        }
+                    }
+
+                    let signed = crate::sigv4::apply_sigv4_to_request(
+                        &full_request,
+                        options.host,
+                        &region,
+                        service,
+                        access_key,
+                        secret_key,
+                        session_token,
+                    )?;
+                    upstream.write_all(&signed).await.into_diagnostic()?;
+                }
+                _ => {
+                    return Err(miette!(
+                        "SigV4 signing configured but AWS credentials not found in provider"
+                    ));
+                }
+            }
+        } else {
+            return Err(miette!(
+                "SigV4 signing configured but no secret resolver available"
+            ));
+        }
+    } else if options.request_body_credential_rewrite {
         let body = collect_and_rewrite_request_body(
             req,
             client,

crates/openshell-sandbox/src/lib.rs

@@ -24,6 +24,7 @@ mod provider_credentials;
 pub mod proxy;
 mod sandbox;
 mod secrets;
+pub mod sigv4;
 mod skills;
 mod ssh;
 mod supervisor_session;