Authenticating Requests: Using the Authorization Header (AWS Signature Version 4)
Using the HTTP
Authorization header is the most common method of
providing authentication information. Except for POST
requests and requests that are signed by using query parameters, all Amazon S3
bucket operations and object operations use the
header to provide authentication information.
The following is an example of the
Authorization header value. Line
breaks are added to this example for readability:
Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request, SignedHeaders=host;range;x-amz-date, Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024
The following is the properly formatted version of the same Authorization header:
Note the following:
There is space between the first two components,
The subsequent components,
Signatureare separated by a comma.
The following table describes the various components of the
Authorization header value in
the preceding example:
The algorithm that was used to calculate the signature. You must provide this value when you use AWS Signature Version 4 for authentication.
The string specifies AWS Signature Version 4 (
Your access key ID and the scope information, which includes the date, region, and service that were used to calculate the signature.
This string has the following form:
A semicolon-separated list of request headers that you
used to compute
|The 256-bit signature expressed as 64 lowercase hexadecimal characters. For example:
Note that the signature calculations vary depending on the option you choose to transfer the payload.
The signature calculations vary depending on the method you choose to transfer the request payload. S3 supports the following options:
Transfer payload in a single chunk – In this case, you have the following signature calculation options:
Signed payload option – You can optionally compute the entire payload checksum and include it in signature calculation. This provides added security but you need to read your payload twice or buffer it in memory.
For example, in order to upload a file, you need to read the file first to compute a payload hash for signature calculation and again for transmission when you create the request. For smaller payloads, this approach might be preferable. However, for large files, reading the file twice can be inefficient, so you might want to upload data in chunks instead.
We recommend you include payload checksum for added security.
Unsigned payload option – Do not include payload checksum in signature calculation.
For step-by-step instructions to calculate signature and construct the Authorization header value, see Signature Calculations for the Authorization Header: Transferring Payload in a Single Chunk (AWS Signature Version 4).
Transfer payload in multiple chunks (chunked upload) – In this case you transfer payload in chunks. You can transfer a payload in chunks regardless of the payload size.
You can break up your payload into chunks. These can be fixed or variable-size chunks. By uploading data in chunks, you avoid reading the entire payload to calculate the signature. Instead, for the first chunk, you calculate a seed signature that uses only the request headers. The second chunk contains the signature for the first chunk, and each subsequent chunk contains the signature for the chunk that precedes it. At the end of the upload, you send a final chunk with 0 bytes of data that contains the signature of the last chunk of the payload. For more information, see Signature Calculations for the Authorization Header: Transferring Payload in Multiple Chunks (Chunked Upload) (AWS Signature Version 4).
When you send a request, you must tell Amazon S3 which of the preceding options you have
chosen in your signature calculation, by adding the
x-amz-content-sha256 header with one of the following
If you choose chunked upload options, set the header value to
If you choose to upload payload in a single chunk, set the header value to the payload checksum (signed payload option), or set the value to the literal string
UNSIGNED-PAYLOAD(unsigned payload option).
Upon receiving the request, Amazon S3 re-creates the string to sign using information in the
Authorization header and the
date header. It then
verifies with authentication service the signatures match. The request date can be
specified by using either the HTTP
Date or the
header. If both headers are present,
x-amz-date takes precedence.
If the signatures match, Amazon S3 processes your request; otherwise, your request will fail.
For more information, see the following topics: