Amazon Web Services General Reference
  (Version 1.0)

Signature Version 4 Signing Process

The Signature Version 4 signing specification describes how to construct signed requests to AWS. Whenever you send a request to AWS, you must include authorization information with your request so that AWS can verify the authenticity of the request. AWS uses the authorization information from your request to recreate your signature, and then compares that signature with the one that you sent. These two signatures must match for you to successfully access AWS.

Important

Check whether the AWS SDK that you use supports Signature Version 4. If so, the SDK handles the signature calculation process for you so that you do not have to manually complete the signing process. For more information about how to download and use the AWS SDKs, go to Sample Code & Libraries.

To get started with the signing process, see Signing AWS Requests By Using Signature Version 4.

To see sample signed requests, see Signed Signature Version 4 Requests Examples.

If you have questions about Signature Version 4 that are not answered in this guide, please go to the Signature Version 4 Inquiries page.

Changes in Signature Version 4

Signature Version 4 is the latest AWS signing specification. Changes from the previous signing specifications are described in the following list:

  • You sign your message using a key that is derived from your secret access key rather than using the secret access key itself. For more information about deriving keys, see Task 3: Calculate the AWS Signature Version 4.

  • You derive your signing key based on credential scope, which is a concept that facilitates cryptographic isolation of the signing key. Credential scope is represented by a slash-separated string of dimensions in the following order:

    1. Date information as an eight-digit string representing the year (YYYY), month (MM), and day (DD) of the request (e.g., 20120228). For more information about handling dates, see Handling Dates in Signature Version 4.

    2. Region information as a lowercase alphanumeric string. Use the region name that is part of the service's endpoint. For services that use a globally unique endpoint, such as IAM, use us-east-1.

    3. Service name information as a lowercase alphanumeric string (for example, iam). Use the service name that is part of the service's endpoint. For example, the IAM endpoint is https://iam.amazonaws.com, so you use the string iam as part of the Credential parameter.

    4. A special termination string, aws4_request.

  • You use the credential scope in each signing task:

Components of an AWS Signature 4 Request

Each HTTP/HTTPS request that uses Signature Version 4 must contain the following components:

  • Host—Also known as the endpoint. This is the DNS name of the computer to which you send the request. For a complete list of endpoints supported by AWS, see Regions and Endpoints.

    The endpoint usually contains the service name and region, both of which you must use as part of the Credential parameter. For example, the Amazon Simple Queue Service (Amazon SQS) endpoint for the US East (Northern Virginia) Region is sqs.us-east-1.amazonaws.com, where sqs represents the service name and us-east-1 represents the region. If the region name is not specified, a web service uses the default region, us-east-1. If you use IAM, which uses a globally unique endpoint, iam.amazonaws.com, use the default region, us-east-1, as part of the Credential parameter.

  • Action—Specifies the action that you want a web service to perform. This value determines the parameters that are used in the request. For query APIs, the action is an API name. For non-query APIs, refer to the service documentation for the correct actions.

  • Required and optional parameters—Each action in a web service has a set of required and optional parameters that define the API call.

  • Date—This is the date and time at which you make the request. Including it in the request helps prevent a third party that intercepts your request from re-submitting it to a web service later. The date is specified in ISO 8601 basic format via the x-amz-date header, using the YYYYMMDD'T'HHMMSS'Z' format.

  • Authorization parameters—Each request that you send must have a set of authorization parameters that AWS uses to ensure the validity and authenticity of the request. The following list describes the required authorization parameters:

    Algorithm

    The method used to sign the request. For signature version 4, use the value AWS4-HMAC-SHA256.

    Credential

    A slash ('/')-separated string that is formed by concatenating your Access Key ID and your credential scope components. Credential scope comprises the date (YYYYMMDD), the AWS region, the service name, and a special termination string (aws4_request). For example, the following string represents the Credential parameter for an IAM request in the US East Region.

    AKIAIOSFODNN7EXAMPLE/20111015/us-east-1/iam/aws4_request

    Important

    You must use lowercase characters for the region, service name, and special termination string.

    SignedHeaders

    A semicolon (';')-delimited list of HTTP headers to include in the signature.

    Signature

    A hexadecimal-encoded string that represents the output of the signature operation described in Task 3: Calculate the AWS Signature Version 4. You must use the algorithm that you specify with the Algorithm parameter to calculate the signature.
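The following Python is an added illustration of the pieces described above (the credential scope dimensions, the scope-bound derived signing key, the x-amz-date value and the Authorization parameters); it is not AWS SDK code. It assumes the canonical request has already been built (that step is not covered on this page), and the secret access key and canonical request it uses are constructed placeholders, not real values.

```python
import hashlib
import hmac
from datetime import datetime, timezone

ALGORITHM = "AWS4-HMAC-SHA256"
TERMINATOR = "aws4_request"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def credential_scope(date_stamp: str, region: str, service: str) -> str:
    # Slash-separated scope: YYYYMMDD / region / service / aws4_request, all lowercase.
    return "/".join((date_stamp, region.lower(), service.lower(), TERMINATOR))


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    # Chained HMAC-SHA256 (the published SigV4 derivation): each scope dimension narrows
    # where the derived key is valid, and the raw secret access key never leaves here.
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region.lower())
    k_service = _hmac_sha256(k_region, service.lower())
    return _hmac_sha256(k_service, TERMINATOR)


def sign_request(access_key: str, secret_key: str, when: datetime, region: str,
                 service: str, signed_headers: str, canonical_request: str) -> dict:
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")  # ISO 8601 basic, the x-amz-date value
    date_stamp = amz_date[:8]                    # YYYYMMDD dimension of the scope
    scope = credential_scope(date_stamp, region, service)
    hashed_request = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    string_to_sign = "\n".join((ALGORITHM, amz_date, scope, hashed_request))
    signing_key = derive_signing_key(secret_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    authorization = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                     f"SignedHeaders={signed_headers}, Signature={signature}")
    return {"x-amz-date": amz_date, "Authorization": authorization}


def demo() -> dict:
    # Constructed inputs: the access key ID and date match the page's Credential example;
    # the secret and the canonical request are placeholders, not real values.
    return sign_request(
        access_key="AKIAIOSFODNN7EXAMPLE",
        secret_key="EXAMPLE-SECRET-ACCESS-KEY-NOT-REAL",
        when=datetime(2011, 10, 15, 8, 0, 0, tzinfo=timezone.utc),
        region="us-east-1", service="iam", signed_headers="host;x-amz-date",
        canonical_request="CONSTRUCTED-CANONICAL-REQUEST-PLACEHOLDER",
    )
```

Because the signing key is bound to the date, region and service, a key derived for one scope produces a different signature than a key for any other scope, which is the isolation the credential scope is meant to provide.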

To view sample signed requests, see Signed Signature Version 4 Requests Examples.