Pure AWS infrastructure for credentials, regions, endpoints, structured errors, HTTP metadata, body metadata, request signing, and runtime adapters.
The core Awskit library has no IO dependencies. Concurrency, networking, filesystem access, clocks, and environment variables live in adapter libraries that you choose at the application edge.
Service packages such as awskit-s3 build on the runtime abstraction defined here instead of depending directly on Eio, Lwt, or Unix.
The entrypoint is Awskit.
Core modules:
Awskit.Credentials — opaque AWS access keys and session tokensAwskit.Region — AWS region names with result/exn constructorsAwskit.Endpoint — scheme, host, port, authority, and URL helpersAwskit.Body — runtime-neutral upload and payload-hash metadataAwskit.Request — body-free HTTP request metadataAwskit.Response — body-free HTTP response metadata and header helpersAwskit.Error — structured errors and retry classificationAwskit.Retry — shared retry policy used by service packagesAwskit.Signing — pure AWS Signature Version 4 signingAwskit.Runtime.S — runtime abstraction used by service packagesAwskit_eio is the direct-style Eio runtime adapter. Its monad type is type 'a t = 'a. Response bodies are scoped to with_response and Runtime.Response_body.with_reader.
Awskit_lwt is a generic Lwt runtime functor over Cohttp_lwt.S.Client. Use it for custom Lwt HTTP backends.
Awskit_lwt_unix is the ready-to-use Lwt + Unix runtime adapter. It can load credentials from standard AWS environment variables, shared AWS profile files, ECS/container metadata, or EC2 instance metadata, and region from standard AWS environment variables when arguments are omitted.
Awskit_unix contains Unix-specific credential and region sources. It does not perform HTTP calls.
let credentials =
Awskit.Credentials.create_exn
~access_key_id:"AKIAIOSFODNN7EXAMPLE"
~secret_access_key:"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
()
in
let region = Awskit.Region.of_string_exn "us-east-1" in
let payload_hash = Awskit.Body.Payload_hash.sha256_of_string "" in
Awskit.Signing.sign_request
~credentials
~region
~service:"s3"
~method_:`GET
~path:"/my-key"
~query:""
~headers:[ ("host", "my-bucket.s3.us-east-1.amazonaws.com") ]
~payload_hash
~now:Ptime.epochSigning is pure and testable without network access. Service packages sign requests automatically; use Awskit.Signing directly for custom AWS services or low-level tests.
Eio.Switch.run @@ fun sw ->
let region = Awskit.Region.of_string_exn "us-east-1" in
let conn =
Awskit_eio.create
~env
~sw
~region
~credentials
()
in
ignore connlet conn =
Awskit_lwt_unix.create ()
|> Result.get_ok
in
ignore connWhen omitted, awskit-lwt-unix reads:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
AWS_SESSION_TOKEN
AWS_REGION
AWS_DEFAULT_REGIONawskit-s3 — AWS S3 object-storage client, presigning, and runtime-backed operationsawskit-s3-sim — in-memory S3 implementation for tests