Menu
Amazon Simple Storage Service
API Reference (API Version 2006-03-01)

Authenticating Requests: Using the Authorization Header (AWS Signature Version 4)

Overview

Using the HTTP Authorization header is the most common method of providing authentication information. Except for POST requests and requests that are signed by using query parameters, all Amazon S3 bucket operations and object operations use the Authorization request header to provide authentication information.

The following is an example of the Authorization header value. Line breaks are added to this example for readability:

Authorization: AWS4-HMAC-SHA256 
Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request, 
SignedHeaders=host;range;x-amz-date,
Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024

The following is the properly formatted version of the same Authorization header:

Note the following:

  • There is space between the first two components, AWS4-HMAC-SHA256 and Credential

  • The subsequent components, Credential, SignedHeaders, and Signature are separated by a comma.

The following table describes the various components of the Authorization header value in the preceding example:

ComponentDescription
AWS4-HMAC-SHA256

The algorithm that was used to calculate the signature. You must provide this value when you use AWS Signature Version 4 for authentication.

The string specifies AWS Signature Version 4 (AWS4) and the signing algorithm (HMAC-SHA256).

Credential

Your access key ID and the scope information, which includes the date, region, and service that were used to calculate the signature.

This string has the following form:

<your-access-key-id>/<date>/<aws-region>/<aws-service>/aws4_request

Where:

  • <date> value is specified using YYYYMMDD format.

  • <aws-service> value is s3 when sending request to Amazon S3.

SignedHeaders

A semicolon-separated list of request headers that you used to compute Signature. The list includes header names only, and the header names must be in lowercase. For example:

host;range;x-amz-date
SignatureThe 256-bit signature expressed as 64 lowercase hexadecimal characters. For example:
fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024
Note that the signature calculations vary depending on the option you choose to transfer the payload.

The signature calculations vary depending on the method you choose to transfer the request payload. S3 supports the following options:

  • Transfer payload in a single chunk – In this case, you have the following signature calculation options:

    • Signed payload option – You can optionally compute the entire payload checksum and include it in signature calculation. This provides added security but you need to read your payload twice or buffer it in memory.

      For example, in order to upload a file, you need to read the file first to compute a payload hash for signature calculation and again for transmission when you create the request. For smaller payloads, this approach might be preferable. However, for large files, reading the file twice can be inefficient, so you might want to upload data in chunks instead.

      We recommend you include payload checksum for added security.

    • Unsigned payload option – Do not include payload checksum in signature calculation.

    For step-by-step instructions to calculate signature and construct the Authorization header value, see Signature Calculations for the Authorization Header: Transferring Payload in a Single Chunk (AWS Signature Version 4).

  • Transfer payload in multiple chunks (chunked upload) – In this case you transfer payload in chunks. You can transfer a payload in chunks regardless of the payload size.

    You can break up your payload into chunks. These can be fixed or variable-size chunks. By uploading data in chunks, you avoid reading the entire payload to calculate the signature. Instead, for the first chunk, you calculate a seed signature that uses only the request headers. The second chunk contains the signature for the first chunk, and each subsequent chunk contains the signature for the chunk that precedes it. At the end of the upload, you send a final chunk with 0 bytes of data that contains the signature of the last chunk of the payload. For more information, see Signature Calculations for the Authorization Header: Transferring Payload in Multiple Chunks (Chunked Upload) (AWS Signature Version 4).

When you send a request, you must tell Amazon S3 which of the preceding options you have chosen in your signature calculation, by adding the x-amz-content-sha256 header with one of the following values:

  • If you choose chunked upload options, set the header value to STREAMING-AWS4-HMAC-SHA256-PAYLOAD.

  • If you choose to upload payload in a single chunk, set the header value to the payload checksum (signed payload option), or set the value to the literal string UNSIGNED-PAYLOAD (unsigned payload option).

Upon receiving the request, Amazon S3 re-creates the string to sign using information in the Authorization header and the date header. It then verifies with authentication service the signatures match. The request date can be specified by using either the HTTP Date or the x-amz-date header. If both headers are present, x-amz-date takes precedence.

If the signatures match, Amazon S3 processes your request; otherwise, your request will fail.

For more information, see the following topics:

Signature Calculations for the Authorization Header: Transferring Payload in a Single Chunk (AWS Signature Version 4)

Signature Calculations for the Authorization Header: Transferring Payload in Multiple Chunks (Chunked Upload) (AWS Signature Version 4)