aws
diff --git a/‎Makefile‎
Lines changed: 11 additions & 4 deletions b/‎Makefile‎
Lines changed: 11 additions & 4 deletions
diff --git a/‎README.md‎
Lines changed: 51 additions & 7 deletions b/‎README.md‎
Lines changed: 51 additions & 7 deletions
diff --git a/‎clients/client-s3/test/e2e/S3.browser.e2e.spec.ts‎
Lines changed: 1 addition & 1 deletion b/‎clients/client-s3/test/e2e/S3.browser.e2e.spec.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎clients/client-s3/test/e2e/s3-mrap-sigv4a.e2e.spec.ts‎
Lines changed: 135 additions & 0 deletions b/‎clients/client-s3/test/e2e/s3-mrap-sigv4a.e2e.spec.ts‎
Lines changed: 135 additions & 0 deletions
diff --git a/‎packages/signature-v4-multi-region/.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎packages/signature-v4-multi-region/.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/signature-v4-multi-region/README.md‎
Lines changed: 8 additions & 2 deletions b/‎packages/signature-v4-multi-region/README.md‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎packages/signature-v4-multi-region/package.json‎
Lines changed: 3 additions & 0 deletions b/‎packages/signature-v4-multi-region/package.json‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎packages/signature-v4-multi-region/src/SignatureV4MultiRegion.browser.spec.ts‎
Lines changed: 78 additions & 0 deletions b/‎packages/signature-v4-multi-region/src/SignatureV4MultiRegion.browser.spec.ts‎
Lines changed: 78 additions & 0 deletions
@@ -1,6 +1,8 @@
 # This is the public Makefile containing some build commands.
 # You can implement some additional personal commands such as login and sync in Makefile.private.mk (unversioned).
 
+.PHONY: bundles test-unit test-integration test-protocols test-e2e
+
 # fetch AWS testing credentials
 login:
 	make -f Makefile.private.mk login
@@ -12,7 +14,9 @@ login:
 sync:
 	make -f Makefile.private.mk sync
 
-test-unit: build-s3-browser-bundle
+bundles: build-s3-browser-bundle build-signature-v4-multi-region-browser-bundle
+
+test-unit: bundles
 	yarn g:vitest run -c vitest.config.ts
 	yarn g:vitest run -c vitest.config.browser.ts
 	yarn g:vitest run -c vitest.config.clients.unit.ts
@@ -22,10 +26,10 @@ test-unit: build-s3-browser-bundle
 test-types:
 	npx tsc -p tsconfig.test.json
 
-test-protocols: build-s3-browser-bundle
+test-protocols: bundles
 	yarn g:vitest run -c vitest.config.protocols.integ.ts
 
-test-integration: build-s3-browser-bundle
+test-integration: bundles
 	rm -rf ./clients/client-sso/node_modules/\@smithy # todo(yarn) incompatible redundant nesting.
 	yarn g:vitest run -c vitest.config.integ.ts
 	npx jest -c jest.config.integ.js
@@ -36,13 +40,16 @@ test-integration: build-s3-browser-bundle
 test-endpoints:
 	npx jest -c ./tests/endpoints-2.0/jest.config.js --bail
 
-test-e2e: build-s3-browser-bundle
+test-e2e: bundles
 	yarn g:vitest run -c vitest.config.e2e.ts --retry=4
 	yarn g:vitest run -c vitest.config.browser.e2e.ts --retry=4
 
 build-s3-browser-bundle:
 	node ./clients/client-s3/test/browser-build/esbuild
 
+build-signature-v4-multi-region-browser-bundle:
+	node ./packages/signature-v4-multi-region/test-browser/browser-build/esbuild.js
+
 # removes nested node_modules folders
 clean-nested:
 	rm -rf ./lib/*/node_modules
 
@@ -195,13 +195,13 @@ we have them listed in [UPGRADING.md](https://github.com/aws/aws-sdk-js-v3/blob/
 
 ### General Info
 
-The Lambda provided AWS SDK is set to a specific minor version, and NOT the latest version. To 
-determine which version of the SDK is included with the runtime you're using, 
-see [Runtime-included SDK versions](https://docs.aws.amazon.com/lambda/latest/dg/lambda-nodejs.html#nodejs-sdk-included) 
-in the Lambda Developer Guide. To maintain full control of your dependencies, and to maximize 
-backward compatibility during automatic runtime updates, we recommend that you always include 
-the SDK modules your code uses in your function's deployment package or in a Lambda  layer. 
-See [Backward compatibility](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-update-compatibility) 
+The Lambda provided AWS SDK is set to a specific minor version, and NOT the latest version. To
+determine which version of the SDK is included with the runtime you're using,
+see [Runtime-included SDK versions](https://docs.aws.amazon.com/lambda/latest/dg/lambda-nodejs.html#nodejs-sdk-included)
+in the Lambda Developer Guide. To maintain full control of your dependencies, and to maximize
+backward compatibility during automatic runtime updates, we recommend that you always include
+the SDK modules your code uses in your function's deployment package or in a Lambda layer.
+See [Backward compatibility](https://docs.aws.amazon.com/lambda/latest/dg/runtimes-update.html#runtime-update-compatibility)
 to learn more.
 
 The performance of the AWS SDK for JavaScript v3 on node 18 has improved from v2 as seen in the [performance benchmarking](https://aws.amazon.com/blogs/developer/reduce-lambda-cold-start-times-migrate-to-aws-sdk-for-javascript-v3/)
@@ -698,6 +698,50 @@ import "@aws-sdk/signature-v4-crt";
 Only the import statement is needed. The implementation then registers itself with `@aws-sdk/signature-v4-multi-region`
 and becomes available for its use. You do not need to use any imported objects directly.
 
+Note that you can also use the native JavaScript implementation of SigV4a that does not depend on AWS CRT and can be used in browsers (unlike the CRT version). The instructions for using that package are below.
+
+### Using JavaScript (non-CRT) implementation of SigV4a
+
+Note: Use of AWS SignatureV4a in the browser (JS implementation) is not recommended, due to the bundle size of the SigV4a signing algorithm code. Consider whether there are other ways to achieve your desired application functionality without the use of sigv4a before installing these packages.
+
+AWS SDK for JavaScript v3 now supports a native JavaScript version of SigV4a that can be used in browsers and Node, and does not depend on [AWS Common Runtime (CRT)](https://docs.aws.amazon.com/sdkref/latest/guide/common-runtime.html). This is an alternative to the AWS CRT version, so you don't need to have both packages together.
+
+If neither the CRT components nor the JavaScript SigV4a implementation are installed, you will receive an error like:
+
+```console
+Neither CRT nor JS SigV4a implementation is available.
+Please load either @aws-sdk/signature-v4-crt or @aws-sdk/signature-v4a.
+```
+
+indicating that at least one of the required dependencies is missing to use the associated functionality. To install the JavaScript SigV4a dependency, follow the provided instructions.
+
+#### Installing the JavaScript SigV4a Dependency
+
+You can install the JavaScript SigV4a dependency with different commands depending on the package management tool you are using.
+If you are using NPM:
+
+```console
+npm install @aws-sdk/signature-v4a
+```
+
+If you are using Yarn:
+
+```console
+yarn add @aws-sdk/signature-v4a
+```
+
+Additionally, load the signature-v4a package by importing it.
+
+```js
+require("@aws-sdk/signature-v4a");
+// or ESM
+import "@aws-sdk/signature-v4a";
+```
+
+Only the import statement is needed. The implementation then registers itself with `@aws-sdk/signature-v4-multi-region`
+and becomes available for its use. You do not need to use any imported objects directly.
+Note that if both the CRT-based implementation and the JavaScript implementation are available, the SDK will prefer to use the CRT-based implementation for better performance. If you specifically want to use the JavaScript implementation, ensure that the CRT package is not installed or imported.
+
 #### Related issues
 
 1. [S3 Multi-Region Access Point(MRAP) is not available unless with additional dependency](https://github.com/aws/aws-sdk-js-v3/issues/2822)
@@ -372,7 +372,7 @@ esfuture,29`;
         });
         throw new Error("MRAP call in browser should throw");
       } catch (e) {
-        expect(e.message).toContain("only available in Node.js");
+        expect(e.message).toContain("JS SigV4a implementation is not available or not a valid constructor");
       }
     });
   });
 
@@ -0,0 +1,135 @@
+import "@aws-sdk/signature-v4a";
+
+import {
+  CreateBucketCommand,
+  HeadBucketCommand,
+  ListObjectsV2Command,
+  S3Client,
+  waitUntilBucketExists,
+} from "@aws-sdk/client-s3";
+import {
+  CreateMultiRegionAccessPointCommand,
+  DescribeMultiRegionAccessPointOperationCommand,
+  GetMultiRegionAccessPointCommand,
+  Region as S3ControlRegion,
+  S3ControlClient,
+} from "@aws-sdk/client-s3-control";
+import { GetCallerIdentityCommand, STSClient } from "@aws-sdk/client-sts";
+import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
+
+const MRAP_NAME = "jsv3-e2e-mrap-sigv4a-min";
+const BUCKET_PREFIX = "jsv3-e2e-mrap-sigv4a-min-";
+const REGION_1 = "us-west-2";
+const REGION_2 = "us-east-1";
+const POLLING_DELAY_SECONDS = 10;
+const OPERATION_TIMEOUT_MINUTES = 15;
+
+describe("S3 MRAP SigV4a E2E Test", () => {
+  let s3ControlClient: S3ControlClient;
+  let accountId: string;
+  let mrapArn: string | null = null;
+  let bucket1Name: string;
+  let bucket2Name: string;
+
+  vi.setConfig({ hookTimeout: OPERATION_TIMEOUT_MINUTES * 60 * 1000 });
+
+  const pollOperation = async (requestTokenArn: string): Promise<void> => {
+    const deadline = Date.now() + OPERATION_TIMEOUT_MINUTES * 60 * 1000;
+    while (Date.now() < deadline) {
+      const { AsyncOperation } = await s3ControlClient.send(
+        new DescribeMultiRegionAccessPointOperationCommand({ AccountId: accountId, RequestTokenARN: requestTokenArn })
+      );
+      if (AsyncOperation?.RequestStatus === "SUCCEEDED") return;
+      if (AsyncOperation?.RequestStatus === "FAILED") throw new Error(`S3Control operation failed`);
+      await new Promise((resolve) => setTimeout(resolve, POLLING_DELAY_SECONDS * 1000));
+    }
+    throw new Error("S3Control operation timed out.");
+  };
+
+  const ensureBucket = async (bucketName: string, region: string): Promise<void> => {
+    const s3 = new S3Client({ region });
+    try {
+      await s3.send(new HeadBucketCommand({ Bucket: bucketName }));
+    } catch (error: any) {
+      if (error.name === "NotFound") {
+        await s3.send(new CreateBucketCommand({ Bucket: bucketName }));
+        await waitUntilBucketExists({ client: s3, maxWaitTime: 120 }, { Bucket: bucketName });
+      } else {
+        throw error;
+      }
+    } finally {
+      s3.destroy();
+    }
+  };
+
+  beforeAll(async () => {
+    const stsClient = new STSClient({ region: REGION_1 });
+    s3ControlClient = new S3ControlClient({ region: REGION_1 });
+    try {
+      const { Account } = await stsClient.send(new GetCallerIdentityCommand({}));
+      if (!Account) throw new Error("Could not determine AWS Account ID.");
+      accountId = Account;
+    } finally {
+      stsClient.destroy();
+    }
+
+    bucket1Name = `${BUCKET_PREFIX}${accountId}-${REGION_1}`;
+    bucket2Name = `${BUCKET_PREFIX}${accountId}-${REGION_2}`;
+
+    await ensureBucket(bucket1Name, REGION_1);
+    await ensureBucket(bucket2Name, REGION_2);
+
+    try {
+      const { AccessPoint } = await s3ControlClient.send(
+        new GetMultiRegionAccessPointCommand({ AccountId: accountId, Name: MRAP_NAME })
+      );
+      mrapArn = `arn:aws:s3::${accountId}:accesspoint/${AccessPoint?.Alias}`;
+    } catch (error) {
+      const createResponse = await s3ControlClient.send(
+        new CreateMultiRegionAccessPointCommand({
+          AccountId: accountId,
+          Details: {
+            Name: MRAP_NAME,
+            Regions: [{ Bucket: bucket1Name }, { Bucket: bucket2Name }] as S3ControlRegion[],
+            PublicAccessBlock: {
+              BlockPublicAcls: true,
+              IgnorePublicAcls: true,
+              BlockPublicPolicy: true,
+              RestrictPublicBuckets: true,
+            },
+          },
+        })
+      );
+      if (!createResponse.RequestTokenARN) throw new Error("Create MRAP did not return token.");
+      await pollOperation(createResponse.RequestTokenARN);
+      const { AccessPoint } = await s3ControlClient.send(
+        new GetMultiRegionAccessPointCommand({ AccountId: accountId, Name: MRAP_NAME })
+      );
+      mrapArn = `arn:aws:s3::${accountId}:accesspoint/${AccessPoint?.Alias}`;
+    }
+    if (!mrapArn) throw new Error("Failed to get MRAP ARN.");
+  });
+
+  afterAll(async () => {
+    if (s3ControlClient) s3ControlClient.destroy();
+  });
+
+  it("should successfully ListObjectsV2 against MRAP using SigV4a", async () => {
+    expect(mrapArn).toBeDefined();
+
+    const s3SigV4aClient = new S3Client({ region: REGION_1 });
+
+    try {
+      const command = new ListObjectsV2Command({ Bucket: mrapArn! });
+      const response = await s3SigV4aClient.send(command);
+
+      expect(response.$metadata.httpStatusCode).toBe(200);
+      expect(response.Contents ?? []).toBeInstanceOf(Array);
+    } catch (error) {
+      console.error("ListObjectsV2 against MRAP failed:", error);
+      throw error;
+    } finally {
+      s3SigV4aClient.destroy();
+    }
+  });
+});
@@ -0,0 +1 @@
+/test-browser/browser-build/browser-signature-v4-multi-region-bundle.js
@@ -4,6 +4,7 @@
 [![NPM downloads](https://img.shields.io/npm/dm/@aws-sdk/signature-v4-multi-region.svg)](https://www.npmjs.com/package/@aws-sdk/signature-v4-multi-region)
 
 See also https://github.com/aws/aws-sdk-js-v3/tree/main#functionality-requiring-aws-common-runtime-crt.
+
 ## Usage
 
 This package contains optional dependency [`@aws-sdk/signature-v4-crt`](https://www.npmjs.com/package/@aws-sdk/signature-v4).
@@ -15,12 +16,17 @@ The `@aws-sdk/signature-v4-crt` is only supported in Node.js currently because i
 
 Please refer to [this issue](https://github.com/aws/aws-sdk-js-v3/issues/2822) for more information.
 
+Note: You can also use a native JS (non-CRT) implementation of the SigV4A signer, instructions for which are here:
+https://github.com/aws/aws-sdk-js-v3/tree/main#functionality-requiring-aws-common-runtime-crt
+
+Please refer to the note regarding bundle size in the link above, before deciding to use the JS SigV4A signer (including in browsers).
+
 ## Description
 
 This package provides a SigV4-compatible request signer that wraps a pure-JS SigV4 signer
 ([`@aws-sdk/signature-v4`](https://www.npmjs.com/package/@aws-sdk/signature-v4)) for regional requests, and attempts to
 call a native implementation of SigV4a signer([`@aws-sdk/signature-v4-crt`](https://www.npmjs.com/package/@aws-sdk/signature-v4))
-it the request is not regional.
+it the request is multi-region.
 
-An un-regional request is identified by the `signingRegion` parameter. A region is un-regional if the `signingRegion`
+A multi-region request is identified by the `signingRegion` parameter. A request is multi-region if the `signingRegion`
 parameter is set to `*`.
@@ -5,11 +5,14 @@
     "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
     "build:cjs": "node ../../scripts/compilation/inline signature-v4-multi-region",
     "build:es": "tsc -p tsconfig.es.json",
+    "build:browser": "node ./test-browser/browser-build/esbuild",
     "build:include:deps": "lerna run --scope $npm_package_name --include-dependencies build",
     "build:types": "tsc -p tsconfig.types.json",
     "build:types:downlevel": "downlevel-dts dist-types dist-types/ts3.4",
     "clean": "rimraf ./dist-* && rimraf *.tsbuildinfo",
     "test": "yarn g:vitest run",
+    "test:e2e": "yarn g:vitest run -c vitest.config.e2e.ts",
+    "test:browser": "yarn build:browser && yarn g:vitest run -c vitest.config.browser.ts",
     "test:watch": "yarn g:vitest watch"
   },
   "main": "./dist-cjs/index.js",
 
@@ -0,0 +1,78 @@
+import { HttpRequest } from "@smithy/protocol-http";
+import { Checksum } from "@smithy/types";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+import { SignatureV4MultiRegion } from "../test-browser/browser-build/browser-signature-v4-multi-region-bundle.js";
+
+describe("SignatureV4MultiRegion (Browser Bundle SigV4a Test)", () => {
+  const credentials = {
+    accessKeyId: "AKID",
+    secretAccessKey: "SECRET",
+  };
+  const region = "us-west-2";
+  const service = "s3";
+
+  const minimalRequest = new HttpRequest({
+    method: "POST",
+    protocol: "https:",
+    hostname: "example.com",
+    path: "/",
+    headers: {
+      host: "example.com",
+    },
+    body: "something",
+  });
+
+  class MockSha256 implements Checksum {
+    private hash = "hash of body";
+    async digest() {
+      return Buffer.from(this.hash, "hex");
+    }
+    update() {
+      // No-op
+    }
+    reset() {
+      // No-op
+    }
+  }
+
+  const baseSignerParams = {
+    credentials,
+    region,
+    service,
+    sha256: MockSha256,
+    runtime: "browser",
+  };
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it("should use SigV4a for the request when signingRegion is '*' (JS implementation is available in bundle)", async () => {
+    const signer = new SignatureV4MultiRegion(baseSignerParams);
+    const signedRequest = await signer.sign(minimalRequest, { signingRegion: "*" });
+    const signedHeaders = signedRequest.headers;
+    expect(signedHeaders).toHaveProperty("authorization");
+    const authHeader = signedHeaders.authorization;
+    expect(authHeader).toContain("AWS4-ECDSA-P256-SHA256");
+    expect(authHeader).toContain("SignedHeaders=");
+    expect(signedHeaders).toHaveProperty("x-amz-region-set", "*");
+  });
+
+  it("should throw error when signingRegion is '*' and JS implementation is NOT available (Covered in Unit Tests)", async () => {
+    // NOTE: This test case describes the expected behavior but cannot be reliably executed
+    // against the current browser bundle (`browser-signature-v4-multi-region-bundle.js`).
+    // The `esbuild` configuration (`inject: ["inject-sigv4a.js"]`) forces the SigV4a
+    // implementation to be included in this bundle, populating the internal
+    // `signatureV4aContainer`.
+
+    // The logic for throwing this error is tested in the source unit tests
+    // (`SignatureV4MultiRegion.spec.ts`), where the container can be mocked
+    // by setting `signatureV4aContainer.SignatureV4a = null;`.
+    expect(true).toBe(true); // Placeholder assertion
+    console.warn(
+      "Skipping actual test execution for 'JS SigV4a implementation not available' scenario against the bundle. " +
+        "This scenario is covered in source unit tests."
+    );
+  });
+});
Original file line number	Diff line number	Diff line change
@@ -372,7 +372,7 @@ esfuture,29`;
`372`	`372`	`});`
`373`	`373`	`throw new Error("MRAP call in browser should throw");`
`374`	`374`	`} catch (e) {`
`375`		`- expect(e.message).toContain("only available in Node.js");`
	`375`	`+ expect(e.message).toContain("JS SigV4a implementation is not available or not a valid constructor");`
`376`	`376`	`}`
`377`	`377`	`});`
`378`	`378`	`});`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+/test-browser/browser-build/browser-signature-v4-multi-region-bundle.js`