AWS Import/Export
Developer Guide (API Version 2010-06-03)
AWS Documentation » AWS Import Export » Developer Guide » API Reference » Making Query Requests » Query Authentication
« PreviousNext »
View the PDF for this guide.Go to the AWS Discussion Forum for this product.Go to the Kindle Store to download this guide in Kindle format.Did this page help you?  Yes | No |  Tell us about it...

Query Authentication

You can send requests over HTTPS. When you do, you must include a signature in every request. This section describes how to create the signature. The method described in the following procedure is known as signature version 2.

Caution

If you are currently using signature version 1: Version 1 is deprecated, and you should move to signature version 2 immediately. For information about the deprecation schedule and the differences between signature version 2 and version 1, go to Making Secure Requests to Amazon Web Services.

To create the signature

  1. Create the canonicalized query string that you need later in this procedure:

    1. Sort the UTF-8 query string components by parameter name with natural byte ordering.

      The parameters can come from the GET URI or from the POST body (when Content-Type is application/x-www-form-urlencoded).

    2. URL encode the parameter name and values according to the following rules:

      • Do not URL encode any of the unreserved characters that RFC 3986 defines.

        These unreserved characters are A-Z, a-z, 0-9, hyphen ( - ), underscore ( _ ), period ( . ), and tilde ( ~ ).

      • Percent encode all other characters with %XY, where X and Y are hex characters 0-9 and uppercase A-F.

      • Percent encode extended UTF-8 characters in the form %XY%ZA....

      • Percent encode the space character as %20 (and not +, as common encoding schemes do).

      Note

      Currently all AWS service parameter names use unreserved characters, so you don't need to encode them. However, you might want to include code to handle parameter names that use reserved characters, for possible future use.

    3. Separate the encoded parameter names from their encoded values with the equals sign ( = ) (ASCII character 61), even if the parameter value is empty.

    4. Separate the name-value pairs with an ampersand ( & ) (ASCII character 38).

  2. Create the string to sign according to the following pseudo-grammar (the "\n" represents an ASCII newline character).

    StringToSign = HTTPVerb + "\n" +
               ValueOfHostHeaderInLowercase + "\n" +
               HTTPRequestURI + "\n" +         
               CanonicalizedQueryString <from the preceding step>

    The HTTPRequestURI component is the HTTP absolute path component of the URI up to, but not including, the query string. If the HTTPRequestURI is empty, use a forward slash ( / ).

  3. Calculate an RFC 2104-compliant HMAC with the string you just created, your Secret Access Key as the key, and SHA256 or SHA1 as the hash algorithm.

    For more information, go to http://www.ietf.org/rfc/rfc2104.txt.

  4. Convert the resulting value to base64.

  5. Use the resulting value as the value of the Signature request parameter.

Important

The final signature you send in the request must be URL encoded as specified in RFC 3986 (for more information, go to http://www.ietf.org/rfc/rfc3986.txt). If your toolkit URL encodes your final request, then it handles the required URL encoding of the signature. If your toolkit doesn't URL encode the final request, then make sure to URL encode the signature before you include it in the request. Most importantly, make sure the signature is URL encoded only once. A common mistake is to URL encode it manually during signature formation, and then again when the toolkit URL encodes the entire request.

Sample GetStatus Request

The following request gets the current status of an import job (modified to make the Signature and accessKeyId inside the request invalid).

POST / HTTP/1.1
content-type:application/x-www-form-urlencoded;charset=utf-8
host: https://importexport.amazonaws.com
content-length:639

Action=GetStatus&SignatureMethod=HmacSHA256&JobId=JOBID&AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE&SignatureVersion=2&Version=2010-06-01&Signature=%2FVfkltRBOoSUi1sWxRzN8rw%3D&Timestamp=2011-06-20T22%3A30%3A59.556Z

The following is the string to sign.

The body of the request is all on one line. However, line feeds have been added to make the examples easier to read.

POST\n
importexport.amazonaws.com\n
/\n
AWSAccessKeyId=Your AWS Access Key ID
&Action=GetStatus
&JobId=JOBID
&SignatureMethod=HmacSHA256
&SignatureVersion=2
Version=2010-06-01&

The following is the signed request.

POST\n
importexport.amazonaws.com\n
/\n
AWSAccessKeyId=Your AWS Access Key ID
&Action=GetStatus
&JobId=JOBID
&SignatureMethod=HmacSHA256
&SignatureVersion=2
&Version=2010-06-01
&Signature=%2FVfkltRBOoSUi1sWxRzN8rw%3D
&Timestamp=2011-06-20T22%3A30%3A59.556Z
Document Conventions« PreviousNext »
Terms of UseDid this page help you?  Yes | No |  Tell us about it...