I never really paid attention to how AWS4 authorization signatures worked before, but realising they’re basically a limited subset of Macaroons is very neat.

@erincandescent yeah

I think the “preferred” method is to have single-region accounts or have an IAM policy that only grants access to a given region (ideally using a workload identity to avoid long-lived static credentials), but it’d be nice to lock things down at a higher level without needing to rely on SCPs