The Signature Version 4 signing specification describes how to construct signed requests to AWS. Whenever you send a request to AWS, you must include authorization information with the request so that AWS can verify its authenticity. AWS uses the authorization information from your request to recreate your signature and then compares that signature with the one that you sent. These two signatures must match for you to successfully access AWS.

Check whether the AWS SDK that you use supports Signature Version 4. If so, the SDK calculates the signature for you, and you do not have to complete the signing process manually. For more information about how to download and use the AWS SDKs, go to Sample Code & Libraries.

To get started with the signing process, see Signing AWS Requests By Using Signature Version 4.
To see sample signed requests, see Signed Signature Version 4 Requests Examples.
If you have questions about Signature Version 4 that are not answered in this guide, please go to the Signature Version 4 Inquiries page.
The following services support Signature Version 4:
Signature Version 4 is the latest AWS signing specification. Changes from the previous signing specifications are described in the following list:

- You sign your message using a key that is derived from your secret access key rather than using the secret access key itself. For more information about deriving keys, see Task 3: Calculate the AWS Signature Version 4.
- You derive your signing key based on credential scope, a concept that facilitates cryptographic isolation of the signing key: a derived key is only valid for one date, region and service. Credential scope is represented by a slash-separated string of dimensions in the following order:
  - Date information as an eight-digit string representing the year (YYYY), month (MM), and day (DD) of the request (e.g., 20120228). For more information about handling dates, see Handling Dates in Signature Version 4.
  - Region information as a lowercase alphanumeric string. Use the region name that is part of the service's endpoint. For services that use a globally unique endpoint, such as IAM, use the default region, us-east-1.
  - Service name information as a lowercase alphanumeric string (for example, iam). Use the service name that is part of the service's endpoint. For example, the IAM endpoint is https://iam.amazonaws.com, so you use the string iam as the service name part of the Credential parameter.
  - A special termination string, aws4_request.
You use the credential scope in each signing task:

- You must include the credential scope as part of the Credential parameter in your authorization header/parameters when you create the canonical request in Task 1: Create a Canonical Request For Signature Version 4.
- You must also include the credential scope as part of your string to sign in Task 2: Create a String to Sign for Signature Version 4.
- Finally, you use the date, region, and service name components of the credential scope to derive your signing key in Task 3: Calculate the AWS Signature Version 4.
Each HTTP/HTTPS request that uses Signature Version 4 must contain the following components:

- Host—Also known as the endpoint. This is the DNS name of the computer to which you send the request. For a complete list of endpoints supported by AWS, see Regions and Endpoints.
  The endpoint usually contains the service name and region, both of which you must use as part of the Credential parameter. For example, the Amazon Simple Queue Service (Amazon SQS) endpoint for the US East (Northern Virginia) Region contains the SQS service name and the region us-east-1. If the region name is not specified, a web service uses the default region, us-east-1. If you use IAM, which uses the globally unique endpoint iam.amazonaws.com, use the default region, us-east-1, as part of the Credential parameter.
- Action—Specifies the action that you want a web service to perform. This value determines the parameters that are used in the request. For query APIs, the action is an API name. For non-query APIs, refer to the service documentation for the correct actions.
- Required and optional parameters—Each action in a web service has a set of required and optional parameters that define the API call.
- Date—This is the date and time at which you make the request. Including it in the request helps prevent third parties from intercepting your request and re-submitting it to a web service. The Date is specified using the ISO8601 Basic format via the
- Authorization parameters—Each request that you send must have a set of authorization parameters that AWS uses to ensure the validity and authenticity of the request. The following list describes the required authorization parameters:
  - The method used to sign the request (the algorithm parameter). For Signature Version 4, use the value
  - A slash('/')-separated string that is formed by concatenating your Access Key ID and your credential scope components (the Credential parameter). Credential scope comprises the date (YYYYMMDD), the AWS region, the service name, and a special termination string (aws4_request). For example, the following string represents the Credential parameter for an IAM request in the US East Region.
    You must use lowercase characters for the region, service name, and special termination string.
  - A semicolon(';')-delimited list of HTTP headers to include in the signature.
  - A hexadecimal-encoded string that represents the output of the signature operation described in Task 3: Calculate the AWS Signature Version 4. You must use the algorithm that you specify with the algorithm parameter to calculate the signature.
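The following Python script is an added example, not code from this page or from AWS. It ties together the credential-scope list, the three signing tasks and the authorization parameters described above by implementing both sides of the check the introduction describes: the client derives a scoped signing key and builds the Authorization header, and the service recreates the signature from the request it received and compares the two in constant time. The algorithm identifier AWS4-HMAC-SHA256 is the one the Signature Version 4 specification uses (this page does not spell it out); the access key, secret key and the IAM ListUsers request are constructed placeholders, and the header dictionary is assumed to use lowercase header names.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"   # SigV4 algorithm identifier (not spelled out on this page)
TERMINATOR = "aws4_request"      # special termination string of the credential scope


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def credential_scope(date: str, region: str, service: str) -> str:
    """date/region/service/aws4_request; region and service must be lowercase."""
    return "/".join([date, region.lower(), service.lower(), TERMINATOR])


def derive_signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """Task 3 key derivation. The secret access key itself never signs anything;
    each HMAC step binds the key to one credential-scope dimension, so a leaked
    signing key is only useful for that date, region and service."""
    k_date = hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = hmac_sha256(k_date, region.lower())
    k_service = hmac_sha256(k_region, service.lower())
    return hmac_sha256(k_service, TERMINATOR)


def canonical_request(method, uri, query, headers, payload):
    """Task 1. Returns (canonical request, SignedHeaders value)."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    # Header names lowercased and sorted; values trimmed with internal whitespace collapsed.
    normalized = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(normalized))
    canonical_headers = "".join(f"{k}:{normalized[k]}\n" for k in sorted(normalized))
    request = "\n".join([method, uri, canonical_query, canonical_headers,
                         signed_headers, sha256_hex(payload)])
    return request, signed_headers


def string_to_sign(amz_date, scope, canonical_req):
    """Task 2: algorithm, request timestamp, credential scope, hash of the canonical request."""
    return "\n".join([ALGORITHM, amz_date, scope, sha256_hex(canonical_req.encode("utf-8"))])


def sign_request(access_key, secret_key, region, service, method, uri, query, headers, payload):
    """Client side: returns the Authorization header value."""
    amz_date = headers["x-amz-date"]
    date = amz_date[:8]
    scope = credential_scope(date, region, service)
    request, signed_headers = canonical_request(method, uri, query, headers, payload)
    key = derive_signing_key(secret_key, date, region, service)
    sts = string_to_sign(amz_date, scope, request)
    signature = hmac.new(key, sts.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"{ALGORITHM} Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def parse_authorization(header):
    algorithm, rest = header.split(" ", 1)
    fields = dict(part.strip().split("=", 1) for part in rest.split(","))
    return algorithm, fields


def verify_request(auth_header, lookup_secret, method, uri, query, headers, payload):
    """Service side: recreate the signature from the received request and compare."""
    algorithm, fields = parse_authorization(auth_header)
    if algorithm != ALGORITHM or "x-amz-date" not in headers:
        return False
    parts = fields["Credential"].split("/")
    if len(parts) != 5 or parts[4] != TERMINATOR:
        return False
    access_key, date, region, service = parts[:4]
    signed_names = fields["SignedHeaders"].split(";")
    if "x-amz-date" not in signed_names or date != headers["x-amz-date"][:8]:
        return False                       # scope date must match the request date
    secret_key = lookup_secret(access_key)  # unknown access key: no secret, reject
    if secret_key is None:
        return False
    signed = {k: v for k, v in headers.items() if k.lower() in signed_names}
    expected = sign_request(access_key, secret_key, region, service, method, uri, query, signed, payload)
    expected_sig = parse_authorization(expected)[1]["Signature"]
    return hmac.compare_digest(expected_sig, fields["Signature"])


# Constructed sample: placeholder credentials and an IAM query request.
SAMPLE_ACCESS_KEY = "AKIDEXAMPLE"
SAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SAMPLE_REQUEST = dict(
    method="GET", uri="/",
    query={"Action": "ListUsers", "Version": "2010-05-08"},
    headers={"host": "iam.amazonaws.com",
             "content-type": "application/x-www-form-urlencoded; charset=utf-8",
             "x-amz-date": "20150830T123600Z"},
    payload=b"",
)


def demo():
    """Sign the sample request, then verify it as the service would."""
    auth = sign_request(SAMPLE_ACCESS_KEY, SAMPLE_SECRET_KEY, "us-east-1", "iam", **SAMPLE_REQUEST)
    lookup = lambda k: SAMPLE_SECRET_KEY if k == SAMPLE_ACCESS_KEY else None
    return auth, verify_request(auth, lookup, **SAMPLE_REQUEST)


if __name__ == "__main__":
    header, ok = demo()
    print(header)
    print("verified:", ok)
```

Any change to a signed component (the query string, a signed header, the payload, or the region in the credential scope) changes the canonical request or the derived key, so the recomputed signature no longer matches and verify_request returns False; using hmac.compare_digest for the final comparison avoids leaking how many leading signature bytes were correct through timing.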
To view sample signed requests, see Signed Signature Version 4 Requests Examples.