Documentation for AWS Credentials Providers support (#6908)

ardatan · web-flow · commit b1a6a426ed44 · 2025-08-04T20:39:04.000Z
diff --git a/packages/web/docs/src/content/gateway/other-features/security/aws-sigv4.mdx b/packages/web/docs/src/content/gateway/other-features/security/aws-sigv4.mdx
@@ -2,6 +2,8 @@
 searchable: false
 ---
 
+import { Callout } from '@theguild/components'
+
 # AWS Signature Version 4 (SigV4)
 
 Hive Gateway allows you to sign subgraph requests with
@@ -26,14 +28,14 @@ flowchart TD
 
 ### How to use?
 
-You can enable AWS SigV4 signing by setting the `awsSigV4.outgoing` option to `true` in the Gateway
+You can enable AWS SigV4 signing by setting the `awsSigv4.outgoing` option to `true` in the Gateway
 configuration.
 
 ```ts filename="gateway.config.ts"
 import { defineConfig } from '@graphql-hive/gateway'
 
 export const gatewayConfig = defineConfig({
-  awsSigV4: {
+  awsSigv4: {
     outgoing: true
   }
 })
@@ -48,7 +50,7 @@ you can also provide the credentials directly in the configuration.
 import { defineConfig } from '@graphql-hive/gateway'
 
 export const gatewayConfig = defineConfig({
-  awsSigV4: {
+  awsSigv4: {
     outgoing: {
       accessKeyId: process.env.AWS_ACCESS_KEY_ID,
       secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
@@ -66,7 +68,7 @@ You can provide the `roleArn` and `roleSessionName` to assume a role using the p
 import { defineConfig } from '@graphql-hive/gateway'
 
 export const gatewayConfig = defineConfig({
-  awsSigV4: {
+  awsSigv4: {
     outgoing: {
       region: process.env.AWS_REGION,
       // By default it takes the credentials from the environment variables
@@ -77,6 +79,28 @@ export const gatewayConfig = defineConfig({
 })
 ```
 
+#### Other credential providers
+
+You can use AWS SDK's credential providers from
+[`@aws-sdk/credential-providers`](https://www.npmjs.com/package/@aws-sdk/credential-providers) such
+as SSO support etc.
+
+```ts filename="gateway.config.ts"
+import { fromNodeProviderChain } from '@aws-sdk/credential-providers'
+import { defineConfig } from '@graphql-hive/gateway'
+
+export const gatewayConfig = defineConfig({
+  awsSigv4: {
+    outgoing: fromNodeProviderChain()
+  }
+})
+```
+
+<Callout>
+  Learn more about the available credential providers in the [AWS SDK for JavaScript v3
+  documentation](https://www.npmjs.com/package/@aws-sdk/credential-providers).
+</Callout>
+
 ### Service and region configuration
 
 By default, the plugin extracts the service and region from the URL of the subgraph. But you can
@@ -86,7 +110,7 @@ also provide the service and region directly in the configuration.
 import { defineConfig } from '@graphql-hive/gateway'
 
 export const gatewayConfig = defineConfig({
-  awsSigV4: {
+  awsSigv4: {
     outgoing: {
       accessKeyId: process.env.AWS_ACCESS_KEY_ID,
       secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
@@ -100,14 +124,14 @@ export const gatewayConfig = defineConfig({
 
 ### Subgraph-specific configuration
 
-You can also configure the SigV4 signing for specific subgraphs by setting the `awsSigV4` option in
+You can also configure the SigV4 signing for specific subgraphs by setting the `awsSigv4` option in
 the subgraph configuration.
 
 ```ts filename="gateway.config.ts"
 import { defineConfig } from '@graphql-hive/gateway'
 
 export const gatewayConfig = defineConfig({
-  awsSigV4: {
+  awsSigv4: {
     // Allowing SigV4 signing for only the 'products' subgraph
     outgoing: subgraph => subgraph === 'products'
   }
@@ -120,7 +144,7 @@ or you can provide the credentials directly per subgraph.
 import { defineConfig } from '@graphql-hive/gateway'
 
 export const gatewayConfig = defineConfig({
-  awsSigV4: {
+  awsSigv4: {
     // Providing AWS SigV4 credentials for the 'products' and 'users' subgraphs separately
     // And do not allow SigV4 signing for any other subgraph
     outgoing(subgraph) {
@@ -159,7 +183,7 @@ configuration.
 import { defineConfig } from '@graphql-hive/gateway'
 
 export const gatewayConfig = defineConfig({
-  awsSigV4: {
+  awsSigv4: {
     incoming: {
       // Hard-coded secret
       secretAccessKey: () => process.env.AWS_SECRET_ACCESS_KEY,
@@ -187,7 +211,7 @@ authentication, otherwise, the request will be validated with AWS SigV4.
 import { defineConfig } from '@graphql-hive/gateway'
 
 export const gatewayConfig = defineConfig({
-  awsSigV4: {
+  awsSigv4: {
     incoming: {
       enabled: (request, context) =>
         !('jwt' in context) && !request.headers.get('authorization')?.startsWith('Bearer')
