aws · AlexDaines · Sep 29, 2025 · Oct 1, 2025 · Oct 2, 2025 · Oct 2, 2025
diff --git a/extensions/test/CrtIntegrationTests/V4aSignerTests.cs b/extensions/test/CrtIntegrationTests/V4aSignerTests.cs
@@ -136,6 +136,36 @@ internal static IRequest BuildHeaderRequestToSign(string resourcePath, Dictionar
             return request;
         }
 
+        /// <summary>
+        /// Dummy request class needed for DefaultRequest constructor
+        /// </summary>
+        private class DummyRequest : AmazonWebServiceRequest { }
+
+        /// <summary>
+        /// Creates a test request with mutable collections to verify header modifications
+        /// during signing.
+        /// </summary>
+        internal static IRequest CreateDefaultRequest(string resourcePath)
+        {
+            var publicRequest = new DummyRequest();
+            var request = new DefaultRequest(publicRequest, SigningTestService)
+            {
+                HttpMethod = "POST",
+                ResourcePath = resourcePath,
+                Endpoint = new Uri($"https://{SigningTestHost}/"),
+                Content = Encoding.ASCII.GetBytes("Param1=value1")
+            };
+
+            request.Headers["Content-Type"] = "application/x-www-form-urlencoded";
+            request.Headers["Content-Length"] = "13";
+            // Add SDK tracking headers that should NOT be signed
+            request.Headers["amz-sdk-request"] = "attempt=1; max=5";
+            request.Headers["amz-sdk-invocation-id"] = "a7d0c828-1fc1-43e8-9f9e-367a7011fc84";
+            request.Headers["x-amzn-trace-id"] = "Root=1-63441c4a-abcdef012345678912345678";
+
+            return request;
+        }
+
         internal string GetExpectedCanonicalRequestForHeaderSigningTest(string canonicalizedResourePath)
         {
             return String.Join('\n',
@@ -440,5 +470,97 @@ public void TestChunkedRequestWithTrailingHeaders()
                                                      Encoding.ASCII.GetBytes(trailerChunkResult), SigningTestEccPubX, SigningTestEccPubY));
         }
         #endregion
+
+        #region Multi-Region SigV4a Signing Tests
+
+        /// <summary>
+        /// Tests multi-region SigV4a signing with different region set configurations.
+        ///
+        /// The CRT library handles the x-amz-region-set header internally during the signing process.
+        /// This test verifies that different region configurations produce different signatures
+        /// and that the region set is actually used in the signing calculation.
+        /// </summary>
+        [Fact]
+        public void TestMultiRegionSigV4a_DifferentRegionSetsProduceDifferentSignatures()
+        {
+            var signer = new CrtAWS4aSigner();
+            var clientConfig = BuildSigningClientConfig(SigningTestService);
+
+            // Test with different region configurations
+            var regionSets = new[] { "us-west-2", "us-west-2,us-east-1", "*", "eu-west-1" };
+            var signatures = new Dictionary<string, string>();
+
+            foreach (var regionSet in regionSets)
+            {
+                var request = CreateDefaultRequest("/");
+                request.SigV4aSigningRegionSet = regionSet;
+                // The base endpoint resolver would normally set AuthenticationRegion from SigV4aSigningRegionSet
+                request.AuthenticationRegion = regionSet;
+
+                var result = signer.SignRequest(request, clientConfig, null, SigningTestCredentials);
+
+                // Verify basic result properties
+                Assert.NotNull(result);
+                Assert.NotNull(result.Signature);
+                Assert.NotEmpty(result.Signature);
+                Assert.Equal(regionSet, result.RegionSet);
+
+                // Store signature for comparison
+                signatures[regionSet] = result.Signature;
+            }
+
+            // Verify that different region sets produce different signatures
+            // This ensures the region set is actually being used in the signing calculation
+            Assert.NotEqual(signatures["us-west-2"], signatures["us-west-2,us-east-1"]);
+            Assert.NotEqual(signatures["us-west-2"], signatures["*"]);
+            Assert.NotEqual(signatures["us-west-2"], signatures["eu-west-1"]);
+            Assert.NotEqual(signatures["us-west-2,us-east-1"], signatures["*"]);
+
+            // The x-amz-region-set header is handled internally by CRT for signing.
+            // Different signatures confirm that multi-region information is being used correctly.
+        }
+
+        /// <summary>
+        /// Tests backward compatibility: when SigV4aSigningRegionSet is not set,
+        /// the signer should fall back to single-region behavior.
+        /// </summary>
+        [Fact]
+        public void TestSigV4aFallbackToSingleRegion()
+        {
+            var signer = new CrtAWS4aSigner();
+            var request = CreateDefaultRequest("/");
+            // Explicitly NOT setting request.SigV4aSigningRegionSet
+
+            var clientConfig = BuildSigningClientConfig(SigningTestService);
+            var result = signer.SignRequest(request, clientConfig, null, SigningTestCredentials);
+
+            // Should fall back to us-east-1 (from SigningTestRegion)
+            Assert.Equal(SigningTestRegion, request.DeterminedSigningRegion);
+            Assert.True(request.Headers.ContainsKey(HeaderKeys.XAmzRegionSetHeader));
+            Assert.Equal(SigningTestRegion, request.Headers[HeaderKeys.XAmzRegionSetHeader]);
+
+            var expectedCanonicalRequest = String.Join('\n',
+                "POST", "/", "",
+                "content-length:13",
+                "content-type:application/x-www-form-urlencoded",
+                "host:example.amazonaws.com",
+                "x-amz-content-sha256:9095672bbd1f56dfc5b65f3e153adc8731a4a654192329106275f4c7b24d0b6e",
+                "x-amz-date:20150830T123600Z",
+                $"x-amz-region-set:{SigningTestRegion}",
+                "",
+                "content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-region-set",
+                "9095672bbd1f56dfc5b65f3e153adc8731a4a654192329106275f4c7b24d0b6e");
+
+            var config = BuildDefaultSigningConfig(SigningTestService);
+            config.SignatureType = AwsSignatureType.CANONICAL_REQUEST_VIA_HEADERS;
+            config.Region = SigningTestRegion;
+
+            Assert.True(AwsSigner.VerifyV4aCanonicalSigning(
+                expectedCanonicalRequest, config, result.Signature,
+                SigningTestEccPubX, SigningTestEccPubY),
+                "Fallback signature verification failed");
+        }
+
+        #endregion
     }
 }
diff --git a/generator/.DevConfigs/3aa6313d-9526-40ba-b09c-e046e0d4ef2f.json b/generator/.DevConfigs/3aa6313d-9526-40ba-b09c-e046e0d4ef2f.json
@@ -0,0 +1,16 @@
+{
+  "core": {
+    "changeLogMessages": [
+      "Added ability to configure authentication scheme preferences (e.g., prioritize SigV4a over SigV4)",
+      "Added support for AWS_AUTH_SCHEME_PREFERENCE environment variable and auth_scheme_preference configuration file setting",
+      "Added support for AWS_SIGV4A_SIGNING_REGION_SET environment variable and sigv4a_signing_region_set profile key to configure SigV4a signing region set"
+    ],
+    "type": "minor",
+    "updateMinimum": true,
+    "backwardIncompatibilitiesToIgnore": [
+      "Amazon.Runtime.Internal.IRequest/MethodAbstractMethodAdded",
+      "Amazon.Runtime.IClientConfig/MethodAbstractMethodAdded",
+      "Amazon.Runtime.IRequestContext/MethodAbstractMethodAdded"
+    ]
+  }
+}
diff --git a/sdk/src/Core/Amazon.Runtime/ClientConfig.cs b/sdk/src/Core/Amazon.Runtime/ClientConfig.cs
@@ -66,6 +66,8 @@ public abstract partial class ClientConfig : IClientConfig
         private string serviceURL = null;
         private string authRegion = null;
         private string authServiceName = null;
+        private string authSchemePreference = null;
+        private string sigV4aSigningRegionSet = null;
         private string clientAppId = null;
         private SigningAlgorithm signatureMethod = SigningAlgorithm.HmacSHA256;
         private bool logResponse = false;
@@ -444,6 +446,46 @@ public string AuthenticationServiceName
             get { return this.authServiceName; }
             set { this.authServiceName = value; }
         }
+
+        /// <summary>
+        /// Gets and sets the AuthSchemePreference property.
+        /// A comma-separated list of authentication scheme names to use in order of preference.
+        /// For example: "sigv4a,sigv4" to prefer SigV4a over SigV4.
+        /// </summary>
+        public string AuthSchemePreference
+        {
+            get 
+            { 
+                if (!string.IsNullOrEmpty(this.authSchemePreference))
+                    return this.authSchemePreference;
+
+                // Fallback to environment variable or config file:
+                // 1. Environment variable: AWS_AUTH_SCHEME_PREFERENCE
+                // 2. Config file: auth_scheme_preference
+                return FallbackInternalConfigurationFactory.AuthSchemePreference;
+            }
+            set { this.authSchemePreference = value; }
+        }
+
+        /// <summary>
+        /// Gets and sets the SigV4aSigningRegionSet property.
+        /// A comma-separated list of regions that a SigV4a signature will be valid for.
+        /// Use "*" to indicate all regions.
+        /// </summary>
+        public string SigV4aSigningRegionSet
+        {
+            get 
+            { 
+                if (!string.IsNullOrEmpty(this.sigV4aSigningRegionSet))
+                    return this.sigV4aSigningRegionSet;
+
+                // Fallback to environment variable or config file:
+                // 1. Environment variable: AWS_SIGV4A_SIGNING_REGION_SET
+                // 2. Config file: sigv4a_signing_region_set
+                return FallbackInternalConfigurationFactory.SigV4aSigningRegionSet;
+            }
+            set { this.sigV4aSigningRegionSet = value; }
+        }
 
         /// <summary>
         /// The serviceId for the service, which is specified in the metadata in the ServiceModel.

diff --git a/sdk/src/Core/Amazon.Runtime/CredentialManagement/CredentialProfile.cs b/sdk/src/Core/Amazon.Runtime/CredentialManagement/CredentialProfile.cs
@@ -192,6 +192,18 @@ internal Dictionary<string, Dictionary<string, string>> NestedProperties
         /// </summary>
         public AccountIdEndpointMode? AccountIdEndpointMode { get; set; }
 
+        /// <summary>
+        /// Preference list of authentication schemes to use when multiple schemes are available.
+        /// This is a comma-separated list of auth scheme names like "sigv4,sigv4a,bearer".
+        /// </summary>
+        public string AuthSchemePreference { get; set; }
+
+        /// <summary>
+        /// The region set to use for SigV4a signing. This can be a single region,
+        /// a comma-separated list of regions, or "*" for all regions.
+        /// </summary>
+        public string SigV4aSigningRegionSet { get; set; }
+
         /// <summary>
         /// An optional dictionary of name-value pairs stored with the CredentialProfile
         /// </summary>

diff --git a/sdk/src/Core/Amazon.Runtime/CredentialManagement/SharedCredentialsFile.cs b/sdk/src/Core/Amazon.Runtime/CredentialManagement/SharedCredentialsFile.cs
@@ -71,6 +71,8 @@ public class SharedCredentialsFile : ICredentialProfileStore
         private const string AccountIdEndpointModeField = "account_id_endpoint_mode";
         private const string RequestChecksumCalculationField = "request_checksum_calculation";
         private const string ResponseChecksumValidationField = "response_checksum_validation";
+        private const string AuthSchemePreferenceField = "auth_scheme_preference";
+        private const string SigV4aSigningRegionSetField = "sigv4a_signing_region_set";
         private const string AwsAccountIdField = "aws_account_id";
         private readonly Logger _logger = Logger.GetLogger(typeof(SharedCredentialsFile));
 
@@ -106,6 +108,8 @@ public class SharedCredentialsFile : ICredentialProfileStore
             AccountIdEndpointModeField,
             RequestChecksumCalculationField,
             ResponseChecksumValidationField,
+            AuthSchemePreferenceField,
+            SigV4aSigningRegionSetField,
             AwsAccountIdField,
         };
 
@@ -859,6 +863,19 @@ private bool TryGetProfile(string profileName, bool doRefresh, bool isSsoSession
                     }
                     responseChecksumValidation = responseChecksumValidationTemp;
                 }
+
+                string authSchemePreference = null;
+                if (reservedProperties.TryGetValue(AuthSchemePreferenceField, out var authSchemePrefString))
+                {
+                    authSchemePreference = authSchemePrefString;
+                }
+
+                string sigV4aSigningRegionSet = null;
+                if (reservedProperties.TryGetValue(SigV4aSigningRegionSetField, out var sigV4aRegionSetString))
+                {
+                    sigV4aSigningRegionSet = sigV4aRegionSetString;
+                }
+
                     profile = new CredentialProfile(profileName, profileOptions)
                 {
                     UniqueKey = toolkitArtifactGuid,
@@ -886,6 +903,8 @@ private bool TryGetProfile(string profileName, bool doRefresh, bool isSsoSession
                     AccountIdEndpointMode = accountIdEndpointMode,
                     RequestChecksumCalculation = requestChecksumCalculation,
                     ResponseChecksumValidation = responseChecksumValidation,
+                    AuthSchemePreference = authSchemePreference,
+                    SigV4aSigningRegionSet = sigV4aSigningRegionSet,
                     Services = servicesSection
                     };
 

diff --git a/sdk/src/Core/Amazon.Runtime/IClientConfig.cs b/sdk/src/Core/Amazon.Runtime/IClientConfig.cs
@@ -163,6 +163,20 @@ public partial interface IClientConfig
         /// </summary>
         string AuthenticationServiceName { get; }
 
+        /// <summary>
+        /// Gets the AuthSchemePreference property.
+        /// A comma-separated list of authentication scheme names to use in order of preference.
+        /// For example: "sigv4a,sigv4" to prefer SigV4a over SigV4.
+        /// </summary>
+        string AuthSchemePreference { get; }
+
+        /// <summary>
+        /// Gets the SigV4aSigningRegionSet property.
+        /// A comma-separated list of regions that a SigV4a signature will be valid for.
+        /// Use "*" to indicate all regions.
+        /// </summary>
+        string SigV4aSigningRegionSet { get; }
+
         /// <summary>
         /// Gets the UserAgent property.
         /// </summary>

diff --git a/sdk/src/Core/Amazon.Runtime/Internal/DefaultRequest.cs b/sdk/src/Core/Amazon.Runtime/Internal/DefaultRequest.cs
@@ -475,6 +475,13 @@ public string CanonicalResourcePrefix
         /// </summary>
         public string AuthenticationRegion { get; set; }
 
+        /// <summary>
+        /// The signing region set to use for SigV4a requests.
+        /// Contains a comma-separated list of regions for multi-region signing.
+        /// Set from Config.SigV4aSigningRegionSet or endpoints metadata.
+        /// </summary>
+        public string SigV4aSigningRegionSet { get; set; }
+
         /// <summary>
         /// The region in which the service request was signed.
         /// </summary>

diff --git a/sdk/src/Core/Amazon.Runtime/Internal/IRequest.cs b/sdk/src/Core/Amazon.Runtime/Internal/IRequest.cs
@@ -338,7 +338,17 @@ string CanonicalResourcePrefix
         string AuthenticationRegion { get; set; }
 
         /// <summary>
-        /// The region in which the service request was signed.
+        /// The signing region set to use for SigV4a requests.
+        /// Contains a comma-separated list of regions for multi-region signing.
+        /// Set from Config.SigV4aSigningRegionSet or endpoints metadata.
+        /// </summary>
+        string SigV4aSigningRegionSet { get; set; }
+
+        /// <summary>
+        /// The region or region set used for signing the service request.
+        /// For standard SigV4 signing, this contains a single region (e.g., "us-west-2").
+        /// For SigV4a multi-region signing, this can be a comma-separated list of regions (e.g., "us-west-2,us-east-1")
+        /// or "*" to indicate the signature is valid for all regions.
         /// </summary>
         string DeterminedSigningRegion { get; set; }