Summary
The 8 AWS-family connectors declare auth.kind: 'api-key' with no credentialPlacement, so the declarative-REST runtime signs nothing and sends Authorization: Bearer <api-key>. AWS requires an AWS4-HMAC-SHA256 SigV4 signature, so every request is rejected. The adapter comments and connect hint describe a "gateway signs requests with SigV4 using the credential bundle in the api-key field" — that gateway was never built. This issue implements the real thing.
Evidence
Bearer-not-SigV4 chain (src/connectors/adapters/declarative-rest.ts):
:195 — applyCredentials defaults to { kind: 'bearer' } when no credentialPlacement is set.:271-272 — credentialToken returns credentials.apiKey verbatim (no parse into accessKeyId / secret / region).:265 — emits headers.authorization = `Bearer ${token}` `.:250-256 — resolveBaseUrl falls back to a fixed host (e.g. https://sqs.us-east-1.amazonaws.com); metadata.endpoint is never populated for api-key, so region selection is dead.
Credential model can't hold the inputs:
src/connectors/types.ts:133-138 — api-key credentials = { apiKey: string }.:396-400 — ApiKeyAuthSpec = { kind, hint }. "access key + secret + region" lives only in the hint string.
Misleading comments / hint:
src/connectors/adapters/amazon-sqs.ts:5-6 (the "gateway signs requests with SigV4" comment) and :22 (the hint). Same pattern across the sibling adapters.
Scope — 8 connectors (all api-key, default Bearer placement)
| Connector |
Adapter |
| Amazon SQS |
src/connectors/adapters/amazon-sqs.ts |
| Amazon SNS |
amazon-sns.ts |
| Amazon SES |
amazon-ses.ts |
| Amazon S3 |
amazon-s3.ts |
| Amazon Bedrock |
amazon-bedrock.ts |
| Amazon Secrets Manager |
amazon-secrets-manager.ts |
| Amazon Textract |
amazon-textract.ts |
| Backblaze (B2, S3-compatible) |
backblaze.ts |
Plan
Acceptance criteria
Summary
The 8 AWS-family connectors declare
auth.kind: 'api-key'with nocredentialPlacement, so the declarative-REST runtime signs nothing and sendsAuthorization: Bearer <api-key>. AWS requires anAWS4-HMAC-SHA256SigV4 signature, so every request is rejected. The adapter comments and connect hint describe a "gateway signs requests with SigV4 using the credential bundle in the api-key field" — that gateway was never built. This issue implements the real thing.Evidence
Bearer-not-SigV4 chain (
src/connectors/adapters/declarative-rest.ts)::195—applyCredentialsdefaults to{ kind: 'bearer' }when nocredentialPlacementis set.:271-272—credentialTokenreturnscredentials.apiKeyverbatim (no parse into accessKeyId / secret / region).:265— emitsheaders.authorization =`Bearer ${token}``.:250-256—resolveBaseUrlfalls back to a fixed host (e.g.https://sqs.us-east-1.amazonaws.com);metadata.endpointis never populated for api-key, so region selection is dead.Credential model can't hold the inputs:
src/connectors/types.ts:133-138— api-key credentials ={ apiKey: string }.:396-400—ApiKeyAuthSpec = { kind, hint }. "access key + secret + region" lives only in thehintstring.Misleading comments / hint:
src/connectors/adapters/amazon-sqs.ts:5-6(the "gateway signs requests with SigV4" comment) and:22(the hint). Same pattern across the sibling adapters.Scope — 8 connectors (all api-key, default Bearer placement)
src/connectors/adapters/amazon-sqs.tsamazon-sns.tsamazon-ses.tsamazon-s3.tsamazon-bedrock.tsamazon-secrets-manager.tsamazon-textract.tsbackblaze.tsPlan
credentialPlacement: { kind: 'aws-sigv4', service, region }branch inapplyCredentialsthat computes theAWS4-HMAC-SHA256Authorization header (canonical request → string-to-sign → signing key) at fetch time. One signer serves all 8 adapters.ConnectorCredentials/ApiKeyAuthSpecto hold accessKeyId + secretAccessKey + region (+ optional endpoint). Two routes to decide:ApiKeyConnectModal.tsx+hub-contract.ts+hub-substrate.ts— would be a linked adc PR).metadata.endpoint(or derive host from region) soresolveBaseUrlstops defaulting to us-east-1.Acceptance criteria