feat: add AWS SigV4 request signing support

[ajcasagrande]

Add a request_signer plugin category with SigV4 implementation using botocore. Transports sign requests via _sign_if_needed() hook, replacing Bearer token auth when --auth-type is set. Includes CLI options (--auth-type, --aws-region, --aws-service, --aws-profile), config validation, plugin registry entries, and full test coverage.

Summary by CodeRabbit

Release Notes

• New Features

  • Added AWS SigV4 request signing for authenticating API calls to AWS endpoints including API Gateway, SageMaker, and Bedrock.
  • New CLI options: --auth-type, --aws-region, --aws-service, and --aws-profile for configuring SigV4 authentication.
  • Optional AWS dependencies available via pip install aiperf[aws].

• Documentation

  • Added AWS SigV4 authentication tutorial with setup instructions, usage examples, and troubleshooting guidance.

[github-actions]

Try out this PR

Quick install:

pip install --upgrade --force-reinstall git+https://github.com/ai-dynamo/aiperf.git@e2151cd80488d2901f20f1fc43a489569bcdadd6

Recommended with virtual environment (using uv):

uv venv --python 3.12 && source .venv/bin/activate
uv pip install --upgrade --force-reinstall git+https://github.com/ai-dynamo/aiperf.git@e2151cd80488d2901f20f1fc43a489569bcdadd6

---

Last updated for commit: e2151cd • Browse code

[ajcasagrande]

@dferguson992 @Lokiiiiii please take a look when you get a chance. thanks!

[coderabbitai]

Walkthrough

This PR introduces AWS Signature Version 4 (SigV4) authentication support to aiperf. It adds a request signer protocol, SigV4 implementation using botocore, new CLI options and configuration fields, plugin system integration, transport-level signing hooks, and comprehensive documentation with tutorials and tests.

Changes

Cohort / File(s)	Summary
Ignore Rules & Documentation Links .gitignore, README.md	Added ignore patterns for docs/superpowers/* and two new tutorial links to AWS SigV4 authentication guide.
CLI Options & Tutorials docs/cli-options.md, docs/tutorials/aws-sigv4-auth.md	Documented new CLI flags (--auth-type, --aws-region, --aws-service, --aws-profile) and added comprehensive AWS SigV4 benchmarking guide with prerequisites, examples, and troubleshooting.
Dependency Management pyproject.toml	Added optional dependency group aws with botocore>=1.34.0.
Authentication Module src/aiperf/auth/__init__.py, src/aiperf/auth/base_signer.py, src/aiperf/auth/sigv4_signer.py	Introduced new auth package with RequestSignerProtocol, SignedRequest dataclass, and SigV4RequestSigner implementation using botocore credentials chain.
Plugin System Integration src/aiperf/plugin/enums.py, src/aiperf/plugin/categories.yaml, src/aiperf/plugin/plugins.py, src/aiperf/plugin/plugins.yaml, src/aiperf/plugin/schema/plugins.schema.json	Added RequestSignerType enum, request_signer category and plugin definitions, type-checked overloads for plugin discovery, and schema updates.
Configuration Models src/aiperf/common/config/endpoint_config.py, src/aiperf/common/models/model_endpoint_info.py	Added auth_type, aws_region, aws_service, and aws_profile fields with validation ensuring required fields when SigV4 is selected.
Transport Layer src/aiperf/transports/base_transports.py, src/aiperf/transports/aiohttp_transport.py, src/aiperf/endpoints/base_endpoint.py	Integrated signer instantiation and lifecycle management in BaseTransport, added _sign_if_needed helper, applied signing before HTTP requests in AioHttpTransport, and updated Authorization header logic.
Unit Tests tests/unit/auth/..., tests/unit/transports/...	Added comprehensive tests for SignedRequest, RequestSignerProtocol, SigV4RequestSigner (credentials, signing), and AioHttpTransport signing behavior with mocked dependencies.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~35 minutes

Poem

🐰 A carrot's worth of AWS SigV4,
New signing hops through the transport door,
Credentials dance with botocore's grace,
Bedrock, SageMaker, every endpoint's place,
Authentication blooms in the plugin space! 🔐

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 34.04% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: add AWS SigV4 request signing support' directly and clearly summarizes the main feature introduced: AWS SigV4 request signing capability.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (3)

tests/unit/auth/test_base_signer.py (2)

31-34: Use a behavioral runtime-checkability assertion instead of protocol internals.

The assertion on Line 32-34 depends on implementation internals and can be brittle. Prefer asserting isinstance(dummy, RequestSignerProtocol) with a minimal compliant dummy signer.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/unit/auth/test_base_signer.py` around lines 31 - 34, Replace the
brittle internal-attribute assertion in test_protocol_is_runtime_checkable by
creating a minimal dummy class implementing the protocol methods/attributes
required by RequestSignerProtocol and assert isinstance(dummy,
RequestSignerProtocol); specifically, implement a small DummySigner with the
same public method signatures used by RequestSignerProtocol and use
isinstance(dummy, RequestSignerProtocol) in the test instead of checking
__protocol_attrs__ or __abstractmethods__ to verify runtime checkability.

---

9-32: Align test names with repository convention.

Names like Line 9 (test_headers_only) and Line 31 (test_protocol_is_runtime_checkable) should follow test_<function>_<scenario>_<expected>.

As per coding guidelines tests/**/*.py: Test naming convention: test_<function>_<scenario>_<expected>.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/unit/auth/test_base_signer.py` around lines 9 - 32, Rename tests to
match the repository convention test_<function>_<scenario>_<expected>: update
test_headers_only to something like
test_SignedRequest_headers_only_url_and_body_none, test_all_fields to
test_SignedRequest_all_fields_preserved, and test_slots to
test_SignedRequest_slots_prevent_dynamic_attrs; likewise rename
test_protocol_is_runtime_checkable (in TestRequestSignerProtocol) to
test_RequestSignerProtocol_runtime_checkable; update any references/imports or
test markers accordingly for SignedRequest, RequestSignerProtocol, and
TestRequestSignerProtocol to keep tests discoverable.

tests/unit/auth/test_sigv4_signer.py (1)

40-205: Rename test functions to the required pattern.

Several test names (for example on Line 40 and Line 144) don’t follow the required test_<function>_<scenario>_<expected> format.

Proposed rename examples

-    def test_stores_config(self) -> None:
+    def test___init___with_explicit_aws_fields_stores_values(self) -> None:

-    async def test_sign_adds_authorization_header(self) -> None:
+    async def test_sign_with_sigv4_adds_authorization_header(self) -> None:

As per coding guidelines tests/**/*.py: Test naming convention: test_<function>_<scenario>_<expected>.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/unit/auth/test_sigv4_signer.py` around lines 40 - 205, One or more test
functions do not follow the required naming pattern
test_<function>_<scenario>_<expected> (e.g., test_stores_config); locate
offending test functions such as test_stores_config and any other methods that
don’t match the pattern and rename them to the required format (for example
test_init_model_endpoint_stores_config_values), updating any references where
they’re invoked; ensure class names (TestSigV4RequestSignerInitCredentials,
TestSigV4RequestSignerSign) remain unchanged and run the test suite to confirm
names are accepted.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.gitignore:
- Around line 38-40: The new .gitignore entry "docs/superpowers/*" is unrelated
to the SigV4 signing work; either remove that line from this PR or revert it and
place it in a separate, focused PR that documents why docs/superpowers should be
ignored. Locate the ".gitignore" change that adds "docs/superpowers/*", revert
that single entry from this branch (or move it into a new branch/PR) and keep
this PR limited to the AWS SigV4 request signing changes only.

In `@docs/tutorials/aws-sigv4-auth.md`:
- Around line 94-98: The fenced code block that contains the URL
"https://abc123.execute-api.us-east-1.amazonaws.com/..." is missing a language
tag which triggers markdownlint MD040; update that fence (the triple-backtick
that opens the block) to include a language specifier such as "text" (e.g.,
change ``` to ```text) so the snippet is properly labeled and lint-clean.

---

Nitpick comments:
In `@tests/unit/auth/test_base_signer.py`:
- Around line 31-34: Replace the brittle internal-attribute assertion in
test_protocol_is_runtime_checkable by creating a minimal dummy class
implementing the protocol methods/attributes required by RequestSignerProtocol
and assert isinstance(dummy, RequestSignerProtocol); specifically, implement a
small DummySigner with the same public method signatures used by
RequestSignerProtocol and use isinstance(dummy, RequestSignerProtocol) in the
test instead of checking __protocol_attrs__ or __abstractmethods__ to verify
runtime checkability.
- Around line 9-32: Rename tests to match the repository convention
test_<function>_<scenario>_<expected>: update test_headers_only to something
like test_SignedRequest_headers_only_url_and_body_none, test_all_fields to
test_SignedRequest_all_fields_preserved, and test_slots to
test_SignedRequest_slots_prevent_dynamic_attrs; likewise rename
test_protocol_is_runtime_checkable (in TestRequestSignerProtocol) to
test_RequestSignerProtocol_runtime_checkable; update any references/imports or
test markers accordingly for SignedRequest, RequestSignerProtocol, and
TestRequestSignerProtocol to keep tests discoverable.

In `@tests/unit/auth/test_sigv4_signer.py`:
- Around line 40-205: One or more test functions do not follow the required
naming pattern test_<function>_<scenario>_<expected> (e.g., test_stores_config);
locate offending test functions such as test_stores_config and any other methods
that don’t match the pattern and rename them to the required format (for example
test_init_model_endpoint_stores_config_values), updating any references where
they’re invoked; ensure class names (TestSigV4RequestSignerInitCredentials,
TestSigV4RequestSignerSign) remain unchanged and run the test suite to confirm
names are accepted.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 30acc727-bb7a-422b-8950-e744e35f2787

📥 Commits

Reviewing files that changed from the base of the PR and between a23690a and e2151cd.

📒 Files selected for processing (23)

• .gitignore
• README.md
• docs/cli-options.md
• docs/tutorials/aws-sigv4-auth.md
• pyproject.toml
• src/aiperf/auth/__init__.py
• src/aiperf/auth/base_signer.py
• src/aiperf/auth/sigv4_signer.py
• src/aiperf/common/config/endpoint_config.py
• src/aiperf/common/models/model_endpoint_info.py
• src/aiperf/endpoints/base_endpoint.py
• src/aiperf/plugin/categories.yaml
• src/aiperf/plugin/enums.py
• src/aiperf/plugin/plugins.py
• src/aiperf/plugin/plugins.yaml
• src/aiperf/plugin/schema/plugins.schema.json
• src/aiperf/transports/aiohttp_transport.py
• src/aiperf/transports/base_transports.py
• tests/unit/auth/__init__.py
• tests/unit/auth/test_base_signer.py
• tests/unit/auth/test_sigv4_signer.py
• tests/unit/transports/conftest.py
• tests/unit/transports/test_aiohttp_transport_signing.py

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Clarify the relevance of this change to the PR.

This addition ignores the docs/superpowers/* directory, but the PR objectives focus on adding AWS SigV4 request signing support. It's unclear why this unrelated gitignore entry is included in this PR. Consider moving unrelated changes to a separate PR to keep the scope focused.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.gitignore around lines 38 - 40, The new .gitignore entry
"docs/superpowers/*" is unrelated to the SigV4 signing work; either remove that
line from this PR or revert it and place it in a separate, focused PR that
documents why docs/superpowers should be ignored. Locate the ".gitignore" change
that adds "docs/superpowers/*", revert that single entry from this branch (or
move it into a new branch/PR) and keep this PR limited to the AWS SigV4 request
signing changes only.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add a language to the fenced code block.

The block on Line 94 is missing a language specifier (markdownlint MD040).

Proposed fix

-```
+```text
 https://abc123.execute-api.us-east-1.amazonaws.com/...
                            ^^^^^^^^^
                            this is your --aws-region

</details>

<!-- suggestion_start -->

<details>
<summary>📝 Committable suggestion</summary>

> ‼️ **IMPORTANT**
> Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

```suggestion

🧰 Tools

🪛 markdownlint-cli2 (0.21.0)

[warning] 94-94: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/tutorials/aws-sigv4-auth.md` around lines 94 - 98, The fenced code block
that contains the URL "https://abc123.execute-api.us-east-1.amazonaws.com/..."
is missing a language tag which triggers markdownlint MD040; update that fence
(the triple-backtick that opens the block) to include a language specifier such
as "text" (e.g., change ``` to ```text) so the snippet is properly labeled and
lint-clean.