
ENG-3965: Add aws_iam authentication strategy for SaaS connectors #8272

Draft
jjdaurora wants to merge 2 commits into main from ENG-3965


Conversation

@jjdaurora
Contributor

@jjdaurora jjdaurora commented May 22, 2026

Ticket ENG-3965

Description Of Changes

Adds a reusable aws_iam authentication strategy so any SaaS connector can sign outbound HTTP requests with AWS Signature V4. This standardizes IAM-based authentication across connectors rather than each integration reimplementing signing logic.

Designed primarily for AWS API Gateway endpoints protected by IAM authorization, but the service field is configurable so it can be used with other AWS services.

Code Changes

  • authentication_strategy_aws_iam.py — new AWSIAMAuthenticationStrategy class that:
    • Signs requests via botocore.auth.SigV4Auth
    • Supports static credentials (aws_access_key_id / aws_secret_access_key / optional aws_session_token) and STS AssumeRole (aws_assume_role_arn)
    • Caches assumed-role temporary credentials in connection_config.secrets and refreshes them 5 minutes before expiry
    • Infers the AWS region from strategy config → connector secrets → API Gateway hostname → defaults to us-east-1
  • strategy_configuration.py — AWSIAMAuthenticationConfiguration schema with region and service fields
  • authentication_strategy_factory.py — registers aws_iam in SupportedAuthenticationStrategies
  • authentication/__init__.py — imports new module so it is picked up at startup
  • tests/ops/service/authentication/test_authentication_strategy_aws_iam.py — unit tests covering both auth modes, region resolution, credential caching, and error handling

Steps to Confirm

  1. Create a SaaS connector config with authentication: {strategy: aws_iam} and static AWS credentials; confirm outbound requests include Authorization, X-Amz-Date, and X-Amz-Security-Token headers signed with SigV4
  2. Configure aws_assume_role_arn instead of static keys; confirm Fides calls STS AssumeRole and caches the temporary credentials in the connector secrets
  3. Confirm cached credentials are reused on subsequent requests and refreshed when within 5 minutes of expiry
  4. Run pytest tests/ops/service/authentication/test_authentication_strategy_aws_iam.py -v

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a db-migration label to the entry if your change includes a DB migration
    • Add a high-risk label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • All UX related changes have been reviewed by a designer
    • No UX review needed
  • Followup issues:
    • Followup issues created
    • No followup issues
  • Database migrations:
    • Ensure that your downrev is up to date with the latest revision on main
    • Ensure that your downgrade() migration is correct and works
      • If a downgrade migration is not possible for this change, please call this out in the PR description!
    • No migrations
  • Documentation:
    • Documentation complete, PR opened in fidesdocs
    • Documentation issue created in fidesdocs
    • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
    • No documentation updates required
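The mechanics the description lists (SigV4 signing of an outbound request, the region precedence chain, and the assumed-role cache that refreshes 5 minutes before expiry) in one runnable sketch. This is an added example in Python, not the Fides code from this PR: it implements SigV4 with the standard library instead of botocore.auth.SigV4Auth so it runs offline, replaces the STS AssumeRole call with a stub, and the names REFRESH_WINDOW, CACHE_KEY, the sample URL, keys, tokens and timestamps are constructed for the demonstration.

```python
"""SigV4 signing, region inference and assumed-role caching (stdlib only).
Added example, not the PR's code; all keys, URLs and times are constructed."""
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlparse

DEFAULT_REGION = "us-east-1"
REFRESH_WINDOW = timedelta(minutes=5)   # refresh this long before expiry (assumed value)
CACHE_KEY = "aws_cached_credentials"    # assumed name of the slot in connector secrets

# API Gateway hostnames look like <api-id>.execute-api.<region>.amazonaws.com
_API_GW_HOST = re.compile(r"\.execute-api\.([a-z0-9-]+)\.amazonaws\.com$")


def resolve_region(strategy_config, secrets, url, default=DEFAULT_REGION):
    """Precedence: strategy config -> connector secrets -> API Gateway host -> default."""
    for source in (strategy_config, secrets):
        if source.get("region"):
            return source["region"]
    match = _API_GW_HOST.search((urlparse(url).hostname or "").lower())
    return match.group(1) if match else default


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_headers(method, url, body, creds, region, service, now):
    """Headers SigV4 adds: host, x-amz-date, x-amz-security-token (if any), authorization."""
    parts = urlparse(url)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {"host": parts.netloc, "x-amz-date": amz_date}
    if creds.get("aws_session_token"):           # temporary credentials must send the token
        headers["x-amz-security-token"] = creds["aws_session_token"]

    # Canonical request: method, path, sorted query, sorted lowercase headers, payload hash
    query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(parse_qsl(parts.query, keep_blank_values=True))
    )
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical = "\n".join([method.upper(), quote(parts.path or "/", safe="/-_.~"), query,
                           canonical_headers, signed, hashlib.sha256(body).hexdigest()])

    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key: secret -> date -> region -> service -> "aws4_request"
    key = _hmac(("AWS4" + creds["aws_secret_access_key"]).encode(), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['aws_access_key_id']}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


class AssumedRoleCredentials:
    """Caches AssumeRole output in the connector secrets dict and refreshes it once
    fewer than REFRESH_WINDOW remain. `assume_role` stands in for the STS call and
    `clock` for datetime.now so the logic can be exercised offline."""

    def __init__(self, secrets, assume_role, clock):
        self.secrets, self.assume_role, self.clock = secrets, assume_role, clock

    def get(self):
        cached = self.secrets.get(CACHE_KEY)
        if cached and datetime.fromisoformat(cached["expiration"]) - self.clock() > REFRESH_WINDOW:
            return cached
        fresh = self.assume_role()
        self.secrets[CACHE_KEY] = fresh      # persisted with the connector, reused next call
        return fresh


def sample_signing():
    """Constructed POST to an API Gateway stage with temporary credentials."""
    url = "https://abc123.execute-api.us-west-2.amazonaws.com/prod/users?email=a%40b.c"
    creds = {"aws_access_key_id": "AKIAEXAMPLE", "aws_secret_access_key": "not-a-real-secret",
             "aws_session_token": "example-session-token"}
    region = resolve_region({}, {}, url)           # inferred from the hostname
    now = datetime(2026, 5, 22, 18, 25, tzinfo=timezone.utc)
    return region, sigv4_headers("POST", url, b'{"q":1}', creds, region, "execute-api", now)


def simulate_refresh():
    """Scripted timeline: 1h credentials read twice at t0, then at t0+56min (4 min left)."""
    t0 = datetime(2026, 5, 22, 18, 0, tzinfo=timezone.utc)
    clock, calls, secrets, counts = [t0], [], {}, []

    def fake_assume_role():                      # stand-in for sts.assume_role()
        calls.append(clock[0])
        return {"aws_access_key_id": "ASIAEXAMPLE", "aws_secret_access_key": "tmp",
                "aws_session_token": "tmp-token",
                "expiration": (clock[0] + timedelta(hours=1)).isoformat()}

    cache = AssumedRoleCredentials(secrets, fake_assume_role, lambda: clock[0])
    for step in (timedelta(0), timedelta(0), timedelta(minutes=56)):
        clock[0] = t0 + step
        cache.get()
        counts.append(len(calls))                # STS calls so far: 1, 1, then 2
    return counts, CACHE_KEY in secrets
```

Two things worth checking when confirming the PR's behaviour against this sketch: the x-amz-security-token header only appears, and is only part of SignedHeaders, when a session token is configured (long-term static keys without aws_session_token produce just host and x-amz-date), and a request is rejected by the gateway if the region or service in the credential scope does not match the endpoint, which is why the region precedence chain matters.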

jjdaurora and others added 2 commits May 13, 2026 19:15
Standardizes AWS IAM authentication as a reusable strategy so any SaaS
connector can sign requests with AWS Signature V4. Supports both static
credentials and STS AssumeRole with automatic credential caching.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@vercel
Contributor

vercel Bot commented May 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project               Deployment  Actions  Updated (UTC)
fides-plus-nightly    Ignored     Ignored  May 22, 2026 6:25pm
fides-privacy-center  Ignored     Ignored  May 22, 2026 6:25pm


@codecov

codecov Bot commented May 22, 2026

Codecov Report

❌ Patch coverage is 28.92562% with 86 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.94%. Comparing base (ce5eedc) to head (8ee4cf5).
⚠️ Report is 79 commits behind head on main.

Files with missing lines                                Patch %  Lines
.../authentication/authentication_strategy_aws_iam.py   25.86%   86 Missing ⚠️

❌ Your project check has failed because the head coverage (84.94%) is below the target coverage (85.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8272      +/-   ##
==========================================
- Coverage   85.50%   84.94%   -0.57%     
==========================================
  Files         653      671      +18     
  Lines       42513    43713    +1200     
  Branches     4991     5135     +144     
==========================================
+ Hits        36351    37130     +779     
- Misses       5055     5479     +424     
+ Partials     1107     1104       -3     

