apollographql · dylan-apollo · Jun 20, 2025 · Jun 18, 2025 · Jun 18, 2025 · Jun 18, 2025
diff --git a/.changesets/fix_mantel_headband_iced_move.md b/.changesets/fix_mantel_headband_iced_move.md
@@ -0,0 +1,5 @@
+### Fix issue loading SigV4 config ([PR #7726](https://github.com/apollographql/router/pull/7726))
+
+Fixed an issue introduced in Router 2.3.0 where some SigV4 configurations would fail to start.
+
+By [@dylan-apollo](https://github.com/dylan-apollo) in https://github.com/apollographql/router/pull/7726
@@ -16,7 +16,9 @@ use aws_smithy_async::rt::sleep::TokioSleep;
 use aws_smithy_async::time::SystemTimeSource;
 use aws_smithy_http_client::tls::Provider;
 use aws_smithy_http_client::tls::rustls_provider::CryptoMode;
+use aws_smithy_runtime_api::client::behavior_version::BehaviorVersion;
 use aws_smithy_runtime_api::client::identity::Identity;
+use aws_types::SdkConfig;
 use aws_types::region::Region;
 use aws_types::sdk_config::SharedCredentialsProvider;
 use http::HeaderMap;
@@ -111,6 +113,18 @@ impl AWSSigV4Config {
         let role_provider_builder = self.assume_role().map(|assume_role_provider| {
             let rp =
                 aws_config::sts::AssumeRoleProvider::builder(assume_role_provider.role_arn.clone())
+                    .configure(
+                        &SdkConfig::builder()
+                            .http_client(
+                                aws_smithy_http_client::Builder::new()
+                                    .tls_provider(Provider::Rustls(CryptoMode::Ring))
+                                    .build_https(),
+                            )
+                            .sleep_impl(TokioSleep::new())
+                            .time_source(SystemTimeSource::new())
+                            .behavior_version(BehaviorVersion::latest())
+                            .build(),
+                    )
                     .session_name(assume_role_provider.session_name.clone())
                     .region(region.clone());
             if let Some(external_id) = &assume_role_provider.external_id {

@@ -36,8 +36,8 @@ mod apq {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `apq` indirectly targets a connector-enabled subgraph, which is not supported"#)
-        .await;
+            .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `apq` indirectly targets a connector-enabled subgraph, which is not supported"#)
+            .await;
 
         Ok(())
     }
@@ -76,8 +76,8 @@ mod apq {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `apq` is explicitly configured for connector-enabled subgraph"#)
-        .await;
+            .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `apq` is explicitly configured for connector-enabled subgraph"#)
+            .await;
 
         Ok(())
     }
@@ -126,9 +126,12 @@ mod apq {
 mod authentication {
     use std::path::PathBuf;
 
+    use serde_json::Value;
+    use serde_json::json;
     use tower::BoxError;
 
     use crate::integration::IntegrationTest;
+    use crate::integration::common::Query;
 
     #[tokio::test(flavor = "multi_thread")]
     async fn incompatible_warnings_on_all() -> Result<(), BoxError> {
@@ -212,8 +215,8 @@ mod authentication {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraphs":"connectors","message":"plugin `authentication` is enabled for connector-enabled subgraphs"#)
-        .await;
+            .wait_for_log_message(r#""subgraphs":"connectors","message":"plugin `authentication` is enabled for connector-enabled subgraphs"#)
+            .await;
 
         Ok(())
     }
@@ -266,8 +269,8 @@ mod authentication {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraph":"connectors","sources":"jsonPlaceholder","message":"plugin `authentication` is enabled for a connector-enabled subgraph"#)
-        .await;
+            .wait_for_log_message(r#""subgraph":"connectors","sources":"jsonPlaceholder","message":"plugin `authentication` is enabled for a connector-enabled subgraph"#)
+            .await;
 
         Ok(())
     }
@@ -320,11 +323,47 @@ mod authentication {
 
         router.start().await;
         router
-        .assert_log_not_contains(r#""subgraph":"connectors","sources":"jsonPlaceholder","message":"plugin `authentication` is enabled for a connector-enabled subgraph"#)
-        .await;
+            .assert_log_not_contains(r#""subgraph":"connectors","sources":"jsonPlaceholder","message":"plugin `authentication` is enabled for a connector-enabled subgraph"#)
+            .await;
 
         Ok(())
     }
+
+    #[tokio::test(flavor = "multi_thread")]
+    #[cfg_attr(not(feature = "ci"), ignore)]
+    async fn test_aws_sig_v4_signing() {
+        let mut router = IntegrationTest::builder()
+            .config(include_str!("fixtures/connectors_sigv4.router.yaml"))
+            .supergraph(PathBuf::from(
+                "tests/integration/fixtures/connectors_sigv4.graphql",
+            ))
+            .build()
+            .await;
+
+        router.start().await;
+        router.assert_started().await;
+
+        let (_, response) = router
+            .execute_query(
+                Query::builder()
+                    .body(json! ({"query": "query { instances }"}))
+                    .build(),
+            )
+            .await;
+        let body: Value = response.json().await.unwrap();
+        router.graceful_shutdown().await;
+        let body = body.as_object().expect("Response body should be object");
+        let errors = body.get("errors");
+        assert!(errors.is_none(), "query generated errors: {errors:?}");
+        let me = body
+            .get("data")
+            .expect("Response body should have data")
+            .as_object()
+            .expect("Data should be object")
+            .get("instances")
+            .expect("Data should have instances");
+        assert!(me.is_null());
+    }
 }
 
 mod batching {
@@ -367,8 +406,8 @@ mod batching {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `batching` indirectly targets a connector-enabled subgraph, which is not supported"#)
-        .await;
+            .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `batching` indirectly targets a connector-enabled subgraph, which is not supported"#)
+            .await;
 
         Ok(())
     }
@@ -409,8 +448,8 @@ mod batching {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `batching` is explicitly configured for connector-enabled subgraph"#)
-        .await;
+            .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `batching` is explicitly configured for connector-enabled subgraph"#)
+            .await;
 
         Ok(())
     }
@@ -497,8 +536,8 @@ mod coprocessor {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraphs":"connectors","message":"coprocessors which hook into `subgraph_request` or `subgraph_response`"#)
-        .await;
+            .wait_for_log_message(r#""subgraphs":"connectors","message":"coprocessors which hook into `subgraph_request` or `subgraph_response`"#)
+            .await;
 
         Ok(())
     }
@@ -534,8 +573,8 @@ mod coprocessor {
 
         router.start().await;
         router
-        .assert_log_not_contains(r#""subgraphs":"connectors","message":"coprocessors which hook into `subgraph_request` or `subgraph_response`"#)
-        .await;
+            .assert_log_not_contains(r#""subgraphs":"connectors","message":"coprocessors which hook into `subgraph_request` or `subgraph_response`"#)
+            .await;
 
         Ok(())
     }
@@ -580,8 +619,8 @@ mod entity_cache {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `preview_entity_cache` indirectly targets a connector-enabled subgraph, which is not supported"#)
-        .await;
+            .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `preview_entity_cache` indirectly targets a connector-enabled subgraph, which is not supported"#)
+            .await;
 
         Ok(())
     }
@@ -621,8 +660,8 @@ mod entity_cache {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `preview_entity_cache` is explicitly configured for connector-enabled subgraph"#)
-        .await;
+            .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `preview_entity_cache` is explicitly configured for connector-enabled subgraph"#)
+            .await;
 
         Ok(())
     }
@@ -712,8 +751,8 @@ mod headers {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `headers` indirectly targets a connector-enabled subgraph"#)
-        .await;
+            .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `headers` indirectly targets a connector-enabled subgraph"#)
+            .await;
 
         Ok(())
     }
@@ -753,8 +792,8 @@ mod headers {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `headers` is explicitly configured for connector-enabled subgraph"#)
-        .await;
+            .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `headers` is explicitly configured for connector-enabled subgraph"#)
+            .await;
 
         Ok(())
     }
@@ -796,8 +835,8 @@ mod rhai {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraphs":"connectors","message":"rhai scripts which hook into `subgraph_request` or `subgraph_response`"#)
-        .await;
+            .wait_for_log_message(r#""subgraphs":"connectors","message":"rhai scripts which hook into `subgraph_request` or `subgraph_response`"#)
+            .await;
 
         Ok(())
     }
@@ -843,8 +882,8 @@ mod telemetry {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `telemetry` is indirectly configured to send errors to Apollo studio for a connector-enabled subgraph, which is only supported when `preview_extended_error_metrics` is enabled"#)
-        .await;
+            .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `telemetry` is indirectly configured to send errors to Apollo studio for a connector-enabled subgraph, which is only supported when `preview_extended_error_metrics` is enabled"#)
+            .await;
 
         Ok(())
     }
@@ -885,8 +924,8 @@ mod telemetry {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `telemetry` is explicitly configured to send errors to Apollo studio for connector-enabled subgraph, which is only supported when `preview_extended_error_metrics` is enabled"#)
-        .await;
+            .wait_for_log_message(r#""subgraph":"connectors","message":"plugin `telemetry` is explicitly configured to send errors to Apollo studio for connector-enabled subgraph, which is only supported when `preview_extended_error_metrics` is enabled"#)
+            .await;
 
         Ok(())
     }
@@ -1016,8 +1055,8 @@ mod tls {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraph":"connectors","message":"The `tls` plugin is explicitly configured for a subgraph containing connectors, which is not supported. Instead, configure the connector sources directly using `tls.connector.sources.<subgraph_name>.<source_name>`."#)
-        .await;
+            .wait_for_log_message(r#""subgraph":"connectors","message":"The `tls` plugin is explicitly configured for a subgraph containing connectors, which is not supported. Instead, configure the connector sources directly using `tls.connector.sources.<subgraph_name>.<source_name>`."#)
+            .await;
 
         Ok(())
     }
@@ -1061,8 +1100,8 @@ mod traffic_shaping {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraph":"connectors","message":"The `traffic_shaping` plugin is explicitly configured for a subgraph containing connectors, which is not supported. Instead, configure the connector sources directly using `traffic_shaping.connector.sources.<subgraph_name>.<source_name>`."#)
-        .await;
+            .wait_for_log_message(r#""subgraph":"connectors","message":"The `traffic_shaping` plugin is explicitly configured for a subgraph containing connectors, which is not supported. Instead, configure the connector sources directly using `traffic_shaping.connector.sources.<subgraph_name>.<source_name>`."#)
+            .await;
 
         Ok(())
     }
@@ -1104,8 +1143,8 @@ mod url_override {
 
         router.start().await;
         router
-        .wait_for_log_message(r#""subgraph":"connectors","message":"overriding a subgraph URL for a connectors-enabled subgraph is not supported"#)
-        .await;
+            .wait_for_log_message(r#""subgraph":"connectors","message":"overriding a subgraph URL for a connectors-enabled subgraph is not supported"#)
+            .await;
 
         Ok(())
     }