// Origin configuration: credentials and location of the S3 bucket.
declare local var.awsAccessKey STRING;
declare local var.awsSecretKey STRING;
declare local var.awsS3Bucket STRING;
declare local var.awsRegion STRING;

// Working values used while building the AWS Signature Version 4 signature.
declare local var.dateStamp STRING;
declare local var.scope STRING;
declare local var.canonicalQuery STRING;
declare local var.canonicalHeaders STRING;
declare local var.signedHeaders STRING;
declare local var.canonicalRequest STRING;
declare local var.stringToSign STRING;
declare local var.signature STRING;

set var.awsS3Bucket = "demo-s3-fiddle-origin";
set var.awsRegion = "us-east-2";

// DEMO ONLY. This access key pair is leaked here on purpose so that the
// feature can be demoed in a Fiddle, and the contents of Fiddles are public.
// It is a real secret key, so publishing it compromises it: every reader can
// do whatever the key's IAM policy allows (the policy is not shown here;
// presumably read-only on the demo bucket -- confirm).
//
// Don't make your own secret key public. For a real service, keep the secret
// out of the VCL source (for example in a private edge dictionary read with
// table.lookup), give the IAM user only the permissions the origin fetch
// needs, and rotate any key that has appeared in a Fiddle, repository or log.
set var.awsAccessKey = "AKIAIYV3R5KWHXJKD4QQ";
set var.awsSecretKey = "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";

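// Sign the origin fetch with AWS Signature Version 4 (AWS4-HMAC-SHA256) so
// that a private S3 bucket will serve it. Only GET requests are signed, and
// only when the selected backend is not a shield (presumably so the request
// is signed once, by the POP that actually contacts S3 -- confirm).
//
// NOTE(review): only host, x-amz-content-sha256 and x-amz-date are signed.
// Any other header still on bereq is forwarded unsigned; client-supplied
// x-amz-* headers are not stripped here -- confirm whether they should be
// removed before the request is signed.
if (req.method == "GET" && !req.backend.is_shield) {

  // A GET carries no body, so the payload hash is the SHA-256 of "".
  set bereq.http.x-amz-content-sha256 = digest.hash_sha256("");
  set bereq.http.x-amz-date = strftime({"%Y%m%dT%H%M%SZ"}, now);
  set bereq.http.host = var.awsS3Bucket + ".s3." + var.awsRegion + ".amazonaws.com";

  // Drop the query string, then normalise the percent-encoding of the path.
  // urlencode() also escapes "/", so the path separators are restored.
  set bereq.url = querystring.remove(bereq.url);
  set bereq.url = regsuball(urlencode(urldecode(bereq.url.path)), {"%2F"}, "/");

  set var.dateStamp = strftime({"%Y%m%d"}, now);

  // Canonical headers: one "name:value" line per signed header, in the same
  // order as the names listed in var.signedHeaders.
  set var.canonicalHeaders = "" +
    "host:" + bereq.http.host + LF +
    "x-amz-content-sha256:" + bereq.http.x-amz-content-sha256 + LF +
    "x-amz-date:" + bereq.http.x-amz-date + LF
  ;
  // The query string was removed above, so the canonical query is empty.
  set var.canonicalQuery = "";
  set var.signedHeaders = "host;x-amz-content-sha256;x-amz-date";

  // Canonical request: method, path, query, headers, signed header names and
  // payload hash. The payload hash is read back from the header set above so
  // that the signed value and the value sent to S3 cannot drift apart.
  set var.canonicalRequest = "" +
    "GET" + LF +
    bereq.url.path + LF +
    var.canonicalQuery + LF +
    var.canonicalHeaders + LF +
    var.signedHeaders + LF +
    bereq.http.x-amz-content-sha256
  ;

  // Credential scope: date/region/service/terminator.
  set var.scope = var.dateStamp + "/" + var.awsRegion + "/s3/aws4_request";

  // String to sign. regsub() removes a leading "0x" from the hex digest if
  // one is present.
  set var.stringToSign = "" +
    "AWS4-HMAC-SHA256" + LF +
    bereq.http.x-amz-date + LF +
    var.scope + LF +
    regsub(digest.hash_sha256(var.canonicalRequest),"^0x", "")
  ;

  // The signature is computed from the secret key, date, region, service
  // name and the string to sign.
  set var.signature = digest.awsv4_hmac(
    var.awsSecretKey,
    var.dateStamp,
    var.awsRegion,
    "s3",
    var.stringToSign
  );

  // Every piece is joined with an explicit "+"; the original relied on
  // implicit concatenation of adjacent strings after the Credential part.
  set bereq.http.Authorization = "AWS4-HMAC-SHA256 " +
    "Credential=" + var.awsAccessKey + "/" + var.scope + ", " +
    "SignedHeaders=" + var.signedHeaders + ", " +
    "Signature=" + regsub(var.signature,"^0x", "")
  ;

  // Remove client request headers that are not part of the signature so
  // they are not forwarded to the origin (Fastly-Client-IP would otherwise
  // pass the client address to S3).
  unset bereq.http.Accept;
  unset bereq.http.Accept-Language;
  unset bereq.http.User-Agent;
  unset bereq.http.Fastly-Client-IP;
}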