Every request to Amazon Simple Workflow Service (Amazon SWF) must be authenticated. The AWS SDKs automatically sign your requests
and manage your token-based authentication as required for Amazon SWF. However, if you want to
write your own HTTP POST requests, you need to create an
x-amzn-authorization value for the HTTP POST Header content
as part of authenticating your request. For more information about formatting headers,
see HTTP Header Contents.
Following is the series of tasks required to create an HMAC-SHA (Hash-based Message Authentication Code-Secure Hash Algorithm) request signature. It is assumed that you have already received your AWS credentials, that is, your Access Key ID and Secret Key.
Note
You can use either a SHA1 or SHA256 method for signing. Use the same one throughout the
signing process, and it must match the value for the
Algorithm name provided in the HTTP header.
You perform the following tasks to sign and submit a request to Amazon SWF.
Signing Process
1. Create a canonical form of the HTTP request headers. The canonical form of the HTTP header includes the following.
   - host
   - Any header element starting with x-amz-
   For more information about the included headers, see HTTP Header Contents.
   a. For each header name-value pair, convert the header name to lowercase (not the header value).
   b. Build a map of header name to comma-separated header values as prescribed by RFC 2616, section 4.2.
        x-amz-example: value1
        x-amz-example: value2
        => x-amz-example:value1,value2
   c. For each header name-value pair, convert the name-value pair into a string in the format headerName:headerValue. Trim any whitespace from the beginning and end of both headerName and headerValue, with no space on each side of the colon.
        x-amz-example1:value1,value2
        x-amz-example2:value3
   d. Insert a new line (U+000A) after each converted string, including the last string.
   e. Sort the collection of converted strings by header name, alphabetically.
2. Create a string-to-sign value that includes the following.
   a. Line 1: The HTTP method (POST), followed by a newline.
   b. Line 2: The request URI (/), followed by a newline.
   c. Line 3: An empty string. Typically, a query string goes here, but Amazon SWF doesn't use a query string. Follow with a newline.
   d. Line 4–n: The string representing the canonicalized request headers you computed in step 1, followed by a newline. This newline creates a blank line between the headers and the body of the HTTP request per RFC 2616.
   e. The request body. Do not follow the request body with a newline.
3. Compute the SHA256 or SHA1 digest of the string-to-sign value. Use the same SHA method throughout the process.
4. Compute the HMAC-SHA of the resulting value from the previous step, using either SHA256 or SHA1 (whichever you have chosen to use) and the temporary secret access key you received from the AWS Security Token Service using the GetSessionToken API, and Base64 encode the result. For more information about using temporary security credentials with Amazon SWF and other Amazon Web Services, go to the Identity and Access Management documentation.
   Note
   Amazon SWF expects an equal sign (=) at the end of the Base64 encoded HMAC-SHA value. If your Base64 encoding routine doesn't include appending an equal sign, append one to the end.
5. Put the resulting value as the value for the Signature name in the x-amzn-authorization header of the HTTP request to Amazon SWF.
Amazon SWF verifies the request and performs the specified operation.
For the AWS SDK for Java implementation of AWS version 3 signing, see the AWSSigner.java class.
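The signing process above, worked through as an added Python example (not AWS's code or the SDK implementation). The function names are this example's own, and the host name, secret key, header values and body are constructed placeholders. It returns only the Signature value; assembling the rest of the x-amzn-authorization header is covered in HTTP Header Contents.

```python
import base64
import hashlib
import hmac

def canonical_headers(headers):
    """Step 1: canonical form of the host and x-amz-* headers.

    `headers` is a list of (name, value) pairs so duplicate names can be merged.
    """
    merged = {}
    for name, value in headers:
        name = name.strip().lower()              # lowercase the name, never the value
        if name == "host" or name.startswith("x-amz-"):
            merged.setdefault(name, []).append(value.strip())
    # headerName:headerValue with no spaces around the colon, sorted by name,
    # and a newline after every string, including the last one
    return "".join(f"{n}:{','.join(v)}\n" for n, v in sorted(merged.items()))

def string_to_sign(headers, body):
    """Step 2: method, URI, empty query string, headers, blank line, body."""
    return "POST\n/\n\n" + canonical_headers(headers) + "\n" + body

def sign(secret_key, headers, body, algorithm="sha256"):
    """Steps 3-4: digest the string to sign, HMAC that digest, Base64 encode."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("use sha1 or sha256, matching the Algorithm header value")
    data = string_to_sign(headers, body).encode("utf-8")
    digest = hashlib.new(algorithm, data).digest()
    mac = hmac.new(secret_key.encode("utf-8"), digest, algorithm).digest()
    signature = base64.b64encode(mac).decode("ascii")
    # 20-byte and 32-byte MACs both encode with one trailing "="; the
    # fallback covers encoders that strip padding
    return signature if signature.endswith("=") else signature + "="

# Constructed sample request: every value below is a placeholder.
SAMPLE_SECRET = "EXAMPLE-TEMPORARY-SECRET-KEY"
SAMPLE_HEADERS = [
    ("Host", "swf.example.invalid"),
    ("X-Amz-Date", "  Mon, 16 Jan 2012 17:49:52 GMT "),
    ("x-amz-example", "value1"),
    ("X-AMZ-Example", "value2"),
    ("Content-Type", "application/json"),        # not signed: not host or x-amz-*
]
SAMPLE_BODY = '{"domain": "example-domain"}'

if __name__ == "__main__":
    print(string_to_sign(SAMPLE_HEADERS, SAMPLE_BODY))
    print("Signature=" + sign(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
```

Because the canonical form lowercases, merges and sorts the headers, the signature does not depend on the order or casing in which the client library emits them, which is the usual cause of a signature mismatch when hand-building requests.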