NVIDIA · jhjaggars · Jun 1, 2026 · Jun 1, 2026 · Jun 2, 2026 · Jun 2, 2026
@@ -74,6 +74,25 @@ Credential placeholders in proxied HTTP requests can be resolved by the proxy
 when policy allows the target endpoint. Secrets must not be logged in OCSF or
 plain tracing output.
 
+For AWS endpoints that require request-level signing, the proxy supports SigV4
+re-signing. When `credential_signing: sigv4` is set on an L7 endpoint, the proxy
+strips the client's placeholder-based AWS auth headers, re-signs with real
+credentials from the provider, and forwards the request upstream. The signing
+mode is auto-detected from the client SDK's `x-amz-content-sha256` header:
+
+- **Signed body** (hex hash): buffers the request body, computes its SHA-256,
+  and includes the hash in the signature. Used by Bedrock and most AWS services.
+- **Streaming unsigned** (`STREAMING-UNSIGNED-PAYLOAD-TRAILER`): signs headers
+  only and streams the body through without buffering. Used by S3 uploads with
+  `aws-chunked` encoding.
+- **Unsigned payload** (`UNSIGNED-PAYLOAD`): signs headers only with no body
+  hash. Used by S3 over HTTPS for non-chunked requests.
+
+Two explicit overrides are available: `credential_signing: sigv4:body` (always
+buffer and hash) and `sigv4:no_body` (always unsigned). The `Expect:
+100-continue` header is handled within the SigV4 path so clients like boto3
+transmit the body before the proxy forwards to upstream.
+
 ## Connect and Logs
 
 The supervisor runs an SSH server on a Unix socket inside the sandbox. The

@@ -135,6 +135,10 @@ struct NetworkEndpointDef {
     graphql_persisted_queries: BTreeMap<String, GraphqlOperationDef>,
     #[serde(default, skip_serializing_if = "is_zero_u32")]
     graphql_max_body_bytes: u32,
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    credential_signing: String,
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    signing_service: String,
 }
 
 // Signature dictated by serde's `skip_serializing_if`, which requires `&T`.
@@ -347,6 +351,8 @@ fn to_proto(raw: PolicyFile) -> SandboxPolicy {
                                 })
                                 .collect(),
                             graphql_max_body_bytes: e.graphql_max_body_bytes,
+                            credential_signing: e.credential_signing,
+                            signing_service: e.signing_service,
                         }
                     })
                     .collect(),
@@ -512,6 +518,8 @@ fn from_proto(policy: &SandboxPolicy) -> PolicyFile {
                                 })
                                 .collect(),
                             graphql_max_body_bytes: e.graphql_max_body_bytes,
+                            credential_signing: e.credential_signing.clone(),
+                            signing_service: e.signing_service.clone(),
                         }
                     })
                     .collect(),
@@ -694,6 +702,14 @@ pub enum PolicyViolation {
     TooManyPaths { count: usize },
     /// A network endpoint uses a TLD wildcard (e.g. `*.com`).
     TldWildcard { policy_name: String, host: String },
+    /// `credential_signing` is set but `signing_service` is missing.
+    MissingSigningService { policy_name: String, host: String },
+    /// `credential_signing` has an unrecognized value.
+    UnknownCredentialSigning {
+        policy_name: String,
+        host: String,
+        value: String,
+    },
 }
 
 impl fmt::Display for PolicyViolation {
@@ -730,6 +746,24 @@ impl fmt::Display for PolicyViolation {
                      use subdomain wildcards like '*.example.com' instead"
                 )
             }
+            Self::MissingSigningService { policy_name, host } => {
+                write!(
+                    f,
+                    "network policy '{policy_name}': endpoint '{host}' has credential_signing \
+                     set but signing_service is empty"
+                )
+            }
+            Self::UnknownCredentialSigning {
+                policy_name,
+                host,
+                value,
+            } => {
+                write!(
+                    f,
+                    "network policy '{policy_name}': endpoint '{host}' has unrecognized \
+                     credential_signing value '{value}' (expected sigv4, sigv4:body, or sigv4:no_body)"
+                )
+            }
         }
     }
 }
@@ -834,6 +868,24 @@ pub fn validate_sandbox_policy(
                     });
                 }
             }
+            if !ep.credential_signing.is_empty()
+                && !matches!(
+                    ep.credential_signing.as_str(),
+                    "sigv4" | "sigv4:body" | "sigv4:no_body"
+                )
+            {
+                violations.push(PolicyViolation::UnknownCredentialSigning {
+                    policy_name: name.clone(),
+                    host: ep.host.clone(),
+                    value: ep.credential_signing.clone(),
+                });
+            }
+            if !ep.credential_signing.is_empty() && ep.signing_service.is_empty() {
+                violations.push(PolicyViolation::MissingSigningService {
+                    policy_name: name.clone(),
+                    host: ep.host.clone(),
+                });
+            }
         }
     }
 
@@ -1393,6 +1445,141 @@ network_policies:
         assert!(validate_sandbox_policy(&policy).is_ok());
     }
 
+    #[test]
+    fn validate_rejects_credential_signing_without_signing_service() {
+        let mut policy = restrictive_default_policy();
+        policy.network_policies.insert(
+            "aws".into(),
+            NetworkPolicyRule {
+                name: "bedrock".into(),
+                endpoints: vec![NetworkEndpoint {
+                    host: "bedrock-runtime.us-east-1.amazonaws.com".into(),
+                    port: 443,
+                    credential_signing: "sigv4".into(),
+                    signing_service: String::new(),
+                    ..Default::default()
+                }],
+                ..Default::default()
+            },
+        );
+        let violations = validate_sandbox_policy(&policy).unwrap_err();
+        assert!(
+            violations
+                .iter()
+                .any(|v| matches!(v, PolicyViolation::MissingSigningService { .. }))
+        );
+    }
+
+    #[test]
+    fn validate_accepts_credential_signing_with_signing_service() {
+        let mut policy = restrictive_default_policy();
+        policy.network_policies.insert(
+            "aws".into(),
+            NetworkPolicyRule {
+                name: "bedrock".into(),
+                endpoints: vec![NetworkEndpoint {
+                    host: "bedrock-runtime.us-east-1.amazonaws.com".into(),
+                    port: 443,
+                    credential_signing: "sigv4".into(),
+                    signing_service: "bedrock".into(),
+                    ..Default::default()
+                }],
+                ..Default::default()
+            },
+        );
+        assert!(validate_sandbox_policy(&policy).is_ok());
+    }
+
+    #[test]
+    fn validate_accepts_sigv4_body_with_signing_service() {
+        let mut policy = restrictive_default_policy();
+        policy.network_policies.insert(
+            "aws".into(),
+            NetworkPolicyRule {
+                name: "bedrock".into(),
+                endpoints: vec![NetworkEndpoint {
+                    host: "bedrock-runtime.us-east-1.amazonaws.com".into(),
+                    port: 443,
+                    credential_signing: "sigv4:body".into(),
+                    signing_service: "bedrock".into(),
+                    ..Default::default()
+                }],
+                ..Default::default()
+            },
+        );
+        assert!(validate_sandbox_policy(&policy).is_ok());
+    }
+
+    #[test]
+    fn validate_accepts_sigv4_no_body_with_signing_service() {
+        let mut policy = restrictive_default_policy();
+        policy.network_policies.insert(
+            "aws".into(),
+            NetworkPolicyRule {
+                name: "s3".into(),
+                endpoints: vec![NetworkEndpoint {
+                    host: "s3.us-east-1.amazonaws.com".into(),
+                    port: 443,
+                    credential_signing: "sigv4:no_body".into(),
+                    signing_service: "s3".into(),
+                    ..Default::default()
+                }],
+                ..Default::default()
+            },
+        );
+        assert!(validate_sandbox_policy(&policy).is_ok());
+    }
+
+    #[test]
+    fn validate_rejects_sigv4_no_body_without_signing_service() {
+        let mut policy = restrictive_default_policy();
+        policy.network_policies.insert(
+            "aws".into(),
+            NetworkPolicyRule {
+                name: "s3".into(),
+                endpoints: vec![NetworkEndpoint {
+                    host: "s3.us-east-1.amazonaws.com".into(),
+                    port: 443,
+                    credential_signing: "sigv4:no_body".into(),
+                    signing_service: String::new(),
+                    ..Default::default()
+                }],
+                ..Default::default()
+            },
+        );
+        let violations = validate_sandbox_policy(&policy).unwrap_err();
+        assert!(
+            violations
+                .iter()
+                .any(|v| matches!(v, PolicyViolation::MissingSigningService { .. }))
+        );
+    }
+
+    #[test]
+    fn validate_rejects_unknown_credential_signing() {
+        let mut policy = restrictive_default_policy();
+        policy.network_policies.insert(
+            "aws".into(),
+            NetworkPolicyRule {
+                name: "test".into(),
+                endpoints: vec![NetworkEndpoint {
+                    host: "example.amazonaws.com".into(),
+                    port: 443,
+                    credential_signing: "sigv4_typo".into(),
+                    signing_service: "bedrock".into(),
+                    ..Default::default()
+                }],
+                ..Default::default()
+            },
+        );
+        let violations = validate_sandbox_policy(&policy).unwrap_err();
+        assert!(
+            violations
+                .iter()
+                .any(|v| matches!(v, PolicyViolation::UnknownCredentialSigning { .. }))
+        );
+    }
+
     #[test]
     fn normalize_path_collapses_separators() {
         assert_eq!(normalize_path("/usr//lib"), "/usr/lib");

@@ -160,6 +160,10 @@ pub struct EndpointProfile {
     pub graphql_max_body_bytes: u32,
     #[serde(default, skip_serializing_if = "String::is_empty")]
     pub path: String,
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    pub credential_signing: String,
+    #[serde(default, skip_serializing_if = "String::is_empty")]
+    pub signing_service: String,
 }
 
 #[derive(Debug, Clone, Deserialize, Serialize, PartialEq, Eq)]
@@ -596,6 +600,8 @@ fn endpoint_to_proto(endpoint: &EndpointProfile) -> NetworkEndpoint {
             .collect(),
         graphql_max_body_bytes: endpoint.graphql_max_body_bytes,
         path: endpoint.path.clone(),
+        credential_signing: endpoint.credential_signing.clone(),
+        signing_service: endpoint.signing_service.clone(),
     }
 }
 
@@ -626,6 +632,8 @@ fn endpoint_from_proto(endpoint: &NetworkEndpoint) -> EndpointProfile {
             .collect(),
         graphql_max_body_bytes: endpoint.graphql_max_body_bytes,
         path: endpoint.path.clone(),
+        credential_signing: endpoint.credential_signing.clone(),
+        signing_service: endpoint.signing_service.clone(),
     }
 }
 

@@ -34,9 +34,14 @@ clap = { workspace = true }
 miette = { workspace = true }
 thiserror = { workspace = true }
 anyhow = { workspace = true }
-hmac = "0.12"
 sha2 = { workspace = true }
 hex = "0.4"
+http = { workspace = true }
+
+# AWS SigV4 request signing
+aws-sigv4 = { version = "1", features = ["sign-http", "http1"] }
+aws-credential-types = { version = "1", features = ["hardcoded-credentials"] }
+aws-smithy-runtime-api = { version = "1", features = ["client"] }
 russh = "0.57"
 rand_core = "0.6"