Amazon Web Services General Reference
  (Version 1.0)

Signature Version 4 Signing Process

The Signature Version 4 signing specification describes how to construct signed requests to AWS. Whenever you send a request to AWS, you must include authorization information with your request so that AWS can verify the authenticity of the request. AWS uses the authorization information from your request to recreate your signature, and then compares that signature with the one that you sent. These two signatures must match for you to successfully access AWS.

Important

Check whether the AWS SDK that you use supports Signature Version 4. If so, the SDK handles the signature calculation process for you so that you do not have to manually complete the signing process. For more information about how to download and use the AWS SDKs, go to Sample Code & Libraries.

To get started with the signing process, see Signing AWS Requests By Using Signature Version 4.

To see sample signed requests, see Signed Signature Version 4 Requests Examples.

If you have questions about Signature Version 4 that are not answered in this guide, please post your question in the AWS Identity and Access Management discussion forum.

Changes in Signature Version 4

Signature Version 4 is the latest AWS signing specification. Changes from the previous signing specifications are described in the following list:

  • You sign your message using a key that is derived from your secret access key rather than using the secret access key itself. For more information about deriving keys, see Task 3: Calculate the AWS Signature Version 4.

  • You derive your signing key based on credential scope, which is a concept that facilitates cryptographic isolation of the signing key. Credential scope is represented by a slash-separated string of dimensions in the following order:

    1. Date information as an eight-digit string representing the year (YYYY), month (MM), and day (DD) of the request (e.g., 20120228). For more information about handling dates, see Handling Dates in Signature Version 4.

    2. Region information as a lowercase string (for example, us-east-1). Use the region name that is part of the service's endpoint. For services that use a single global endpoint, such as IAM, use us-east-1.

    3. Service name information as a lowercase alphanumeric string (for example, iam). Use the service name that is part of the service's endpoint. For example, the IAM endpoint is https://iam.amazonaws.com, so you use the string iam as part of the Credential parameter.

    4. A special termination string aws4_request

  • You use the credential scope in each signing task:

Components of an AWS Signature 4 Request

Each HTTP/HTTPS request that uses version 4 signing must contain the following components:

  • Host—Also known as the endpoint. This is the DNS name of the computer to which you send the request. For a complete list of endpoints supported by AWS, see Regions and Endpoints.

    The endpoint usually contains the service name and region, both of which you must use as part of the Credential parameter. For example, the Amazon Simple Queue Service (Amazon SQS) endpoint for the us-east-1 region is sqs.us-east-1.amazonaws.com, where sqs represents the service name and us-east-1 represents the region. If the region name is not specified, a web service uses the default region, us-east-1. If you use IAM, which uses a globally unique endpoint, use the default region (us-east-1), as part of the Credential parameter.

  • Action—Specifies the action that you want a web service to perform. This value determines the parameters that are used in the request. For query APIs, the action is an API name. For non-query APIs, refer to the service documentation for the correct actions.

  • Required and optional parameters—Each action in a web service has a set of required and optional parameters that define the API call.

  • Date—The date and time at which you make the request, specified in ISO 8601 basic format (YYYYMMDD'T'HHMMSS'Z') in the x-amz-date header. The date is part of both the signed material and the credential scope, so a captured request cannot be replayed once its timestamp falls outside the window that AWS accepts, and a signature computed for one date cannot be reused under another.

  • Authorization parameters—Each request that you send must include the following set of authorization parameters that AWS uses to ensure the validity and authenticity of the request.

    • Algorithm. The algorithm used to sign the request. Signature Version 4 signs with HMAC using SHA-256, so the value is AWS4-HMAC-SHA256.

    • Credential. A string separated by slashes ("/") that is formed by concatenating your access key ID and your credential scope components. Credential scope includes the date in YYYYMMDD format, the AWS region, the service name, and a special termination string (aws4_request). For example, the following string represents the Credential parameter for an IAM request in the us-east-1 region.

      AKIAIOSFODNN7EXAMPLE/20111015/us-east-1/iam/aws4_request

      Important

      You must use lowercase characters for the region, service name, and special termination string.

    • SignedHeaders. A list delimited by semicolons (";") of the HTTP headers that are included in the signature. Only the headers named here are protected; at minimum, include host and x-amz-date.

    • Signature. A hexadecimal-encoded string that represents the output of the signature operation described in Task 3: Calculate the AWS Signature Version 4. You must calculate the signature using the algorithm that you specified in the Algorithm parameter.

To view sample signed requests, see Signed Signature Version 4 Requests Examples.
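The following Python is an added worked example, not code from this guide or from an AWS SDK. It puts the two halves of this page together: the credential scope and the key derived from it (Changes in Signature Version 4), and the Algorithm, Credential, SignedHeaders and Signature parameters that make up the Authorization header (Components of an AWS Signature 4 Request). It also includes the server-side step that the opening paragraph describes, recomputing the signature and comparing it with the one received. The request is constructed for the example: an IAM ListUsers call to the global endpoint, the access key ID shown on this page, and a placeholder secret access key that is not a real credential. Function names are this example's own.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"  # the Algorithm parameter: HMAC with SHA-256
TERMINATOR = "aws4_request"     # credential-scope termination string


def _hmac(key: bytes, msg: str) -> bytes:
    # One HMAC-SHA256 step; the derivation chain and the final signature both use it.
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def credential_scope(date_stamp: str, region: str, service: str) -> str:
    # YYYYMMDD/region/service/aws4_request; region and service must be lowercase.
    return "/".join([date_stamp, region.lower(), service.lower(), TERMINATOR])


def derive_signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    # The secret never signs a request directly. Each HMAC step narrows the key to one
    # day, one region and one service, following the same dimensions as the scope.
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region.lower())
    k_service = _hmac(k_region, service.lower())
    return _hmac(k_service, TERMINATOR)


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes):
    # Returns (canonical request text, SignedHeaders value). Every header passed in is
    # signed: names lowercased and sorted, values whitespace-collapsed, query parameters
    # sorted and RFC 3986 encoded, payload replaced by its SHA-256 hex digest.
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}" for k, v in sorted(query.items())
    )
    lowered = {k.lower().strip(): " ".join(str(v).split()) for k, v in headers.items()}
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    signed_headers = ";".join(sorted(lowered))
    text = "\n".join([method.upper(), path or "/", canonical_query,
                      canonical_headers, signed_headers, _sha256_hex(payload)])
    return text, signed_headers


def sign_request(access_key, secret_key, region, service, method, path, query, headers, payload):
    # Returns the Authorization header value. The x-amz-date header must be present.
    headers = {k.lower(): v for k, v in headers.items()}
    amz_date = headers["x-amz-date"]             # YYYYMMDD'T'HHMMSS'Z'
    date_stamp = amz_date[:8]                    # the YYYYMMDD part used in the scope
    scope = credential_scope(date_stamp, region, service)
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    signature = _hmac(derive_signing_key(secret_key, date_stamp, region, service), string_to_sign).hex()
    return (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def verify_request(authorization, secret_key, method, path, query, headers, payload) -> bool:
    # Server side: read the scope from the Credential parameter, re-sign only the headers
    # listed in SignedHeaders (anything else is unprotected), compare in constant time.
    # A real verifier also checks that region/service match the endpoint and that the
    # request date is recent; this toy only checks that the date agrees with the scope.
    if not authorization.startswith(ALGORITHM + " "):
        return False
    params = dict(p.strip().split("=", 1) for p in authorization[len(ALGORITHM) + 1:].split(","))
    access_key, date_stamp, region, service, terminator = params["Credential"].split("/")
    signed = set(params["SignedHeaders"].split(";"))
    subset = {k.lower(): v for k, v in headers.items() if k.lower() in signed}
    if terminator != TERMINATOR or subset.get("x-amz-date", "")[:8] != date_stamp:
        return False
    expected = sign_request(access_key, secret_key, region, service, method, path, query, subset, payload)
    return hmac.compare_digest(expected, authorization)


def demo():
    # Constructed sample: IAM ListUsers at the global endpoint, so the region is us-east-1.
    # The access key ID is the page's example; the secret is a placeholder, not a real key.
    access_key = "AKIAIOSFODNN7EXAMPLE"
    secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
    headers = {"Host": "iam.amazonaws.com", "X-Amz-Date": "20111015T080000Z"}
    query = {"Action": "ListUsers", "Version": "2010-05-08"}
    auth = sign_request(access_key, secret_key, "us-east-1", "iam", "GET", "/", query, headers, b"")
    ok = verify_request(auth, secret_key, "GET", "/", query, headers, b"")
    # Change one signed parameter and the recomputed signature no longer matches.
    tampered = verify_request(auth, secret_key, "GET", "/", dict(query, Action="DeleteUser"), headers, b"")
    return auth, ok, tampered


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing when reading the output. First, deriving the key for a different region or service, or for a different day, yields an unrelated key, so a signing key leaked from one scope cannot be turned into a valid signature for another; that is the isolation the credential scope buys. Second, the verifier trusts SignedHeaders to decide what it re-signs, so any header the client leaves out of that list can be altered in transit without invalidating the signature, which is why host and x-amz-date belong in it.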