The Signature Version 4 signing specification describes how to construct signed requests to AWS. Whenever you send a request to AWS, you must include authorization information with your request so that AWS can verify the authenticity of the request. AWS uses the authorization information from your request to recreate your signature, and then compares that signature with the one that you sent. These two signatures must match for you to successfully access AWS.
Check whether the AWS SDK that you use supports Signature Version 4. If so, the SDK handles the signature calculation process for you so that you do not have to manually complete the signing process. For more information about how to download and use the AWS SDKs, go to Sample Code & Libraries.
To get started with the signing process, see Signing AWS Requests By Using Signature Version 4.
To see sample signed requests, see Signed Signature Version 4 Requests Examples.
If you have questions about Signature Version 4 that are not answered in this guide, see the Signature Version 4 Inquiries page.
The following services support Signature Version 4:
Amazon Relational Database Service (Amazon RDS)
Amazon Simple Notification Service (Amazon SNS)
Amazon Simple Queue Service (Amazon SQS)
AWS Security Token Service (AWS STS)
Signature Version 4 is the latest AWS signing specification. Changes from the previous signing specifications are described in the following list:
You sign your message using a key that is derived from your secret access key rather than using the secret access key itself. For more information about deriving keys, see Task 3: Calculate the AWS Signature Version 4.
You derive your signing key based on credential scope, which is a concept that facilitates cryptographic isolation of the signing key. Credential scope is represented by a slash-separated string of dimensions in the following order:
Date information as an eight-digit string representing the year (YYYY), month (MM), and day (DD) of the request (e.g., 20120228). For more information about handling dates, see Handling Dates in Signature Version 4.
Region information as a lowercase alphanumeric string. Use the region name that is part of the service's endpoint. For services that use a globally unique endpoint, such as IAM, use us-east-1.
Service name information as a lowercase alphanumeric string (for example, iam). Use the service name that is part of the service's endpoint. For example, the IAM endpoint is so you use the string part of the
A special termination string (aws4_request).
You use the credential scope in each signing task:
You must include the credential scope as part of the Credential parameter in your authorization header/parameters when you create the canonical request in Task 1: Create a Canonical Request For Signature Version 4.
You must also include the credential scope as part of your string to sign in Task 2: Create a String to Sign for Signature Version 4.
Finally, you use the date, region, and service name components of the credential scope to derive your signing key in Task 3: Calculate the AWS Signature Version 4.
Each HTTP/HTTPS request that uses version 4 signing must contain the following components:
Host—Also known as the endpoint. This is the DNS name of the computer to which you send the request. For a complete list of endpoints supported by AWS, see Regions and Endpoints.
The endpoint usually contains the service name and region, both of which you must use as part of the Credential parameter. For example, the Amazon Simple Queue Service (Amazon SQS) endpoint for the us-east-1 region is represents the service name and us-east-1 represents the region. If the region name is not specified, a web service uses the default region. If you use IAM, which uses a globally unique endpoint, use the default region (us-east-1), as part of the
Action—Specifies the action that you want a web service to perform. This value determines the parameters that are used in the request. For query APIs, the action is an API name. For non-query APIs, refer to the service documentation for the correct actions.
Required and optional parameters—Each action in a web service has a set of required and optional parameters that define the API call.
Date—This is the date and time at which you make the request. Including this in the request helps prevent third parties from intercepting your request and resubmitting to a web service. The date is specified using the ISO8601 Basic format via the
Authorization parameters—Each request that you send must include the following set of authorization parameters that AWS uses to ensure the validity and authenticity of the request.
Algorithm. The hash algorithm that you're using as part of the signing process. For example, if you use SHA-256 to create hashes, use
Credential. A string separated by slashes ("/") that is formed by concatenating your access key ID and your credential scope components. Credential scope includes the date in YYYYMMDD format, the AWS region, the service name, and a special termination string (aws4_request). For example, the following string represents the Credential parameter for an IAM request in the
You must use lowercase characters for the region, service name, and special termination string.
SignedHeaders. A list delimited by semicolons (";") of HTTP headers to include in the signature.
Signature. A hexadecimal-encoded string that represents the output of the signature operation described in Task 3: Calculate the AWS Signature Version 4. You must calculate the signature using the algorithm that you specified in the Algorithm parameter.
To view sample signed requests, see Signed Signature Version 4 Requests Examples.
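The three uses of the credential scope described above (string to sign, signing-key derivation, Credential parameter) and the resulting authorization parameters, as an added Python example that is not part of the original guide. The HMAC-SHA256 chain seeded with "AWS4" plus the secret access key is the Task 3 derivation, which this page only references; the access key ID, secret key, host name and canonical request are constructed values, and the canonical request stands in for the output of Task 1.

```python
import hashlib
import hmac

ALGORITHM = "AWS4-HMAC-SHA256"  # Algorithm parameter value when hashing with SHA-256
TERMINATOR = "aws4_request"     # special termination string of the credential scope


def credential_scope(date, region, service):
    """Return YYYYMMDD/region/service/aws4_request, rejecting malformed parts."""
    if not (len(date) == 8 and date.isascii() and date.isdigit()):
        raise ValueError("date must be eight digits (YYYYMMDD)")
    for part in (region, service):
        if not part or part != part.lower():
            raise ValueError("region and service name must be lowercase")
    return "/".join((date, region, service, TERMINATOR))


def derive_signing_key(secret_key, date, region, service):
    """Chain HMAC-SHA256 over the scope components, seeded with 'AWS4' + secret."""
    key = ("AWS4" + secret_key).encode("utf-8")
    for part in credential_scope(date, region, service).split("/"):
        key = hmac.new(key, part.encode("utf-8"), hashlib.sha256).digest()
    return key


def authorization_header(access_key_id, secret_key, amz_date, region, service,
                         signed_headers, canonical_request):
    """Build the Authorization header value for an already canonicalized request."""
    date = amz_date[:8]
    scope = credential_scope(date, region, service)
    request_hash = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    # Use 1 of the scope: it is part of the string to sign.
    string_to_sign = "\n".join((ALGORITHM, amz_date, scope, request_hash))
    # Use 2: its date, region and service select the derived signing key.
    key = derive_signing_key(secret_key, date, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    # Use 3: it follows the access key ID in the Credential parameter.
    return "{} Credential={}/{}, SignedHeaders={}, Signature={}".format(
        ALGORITHM, access_key_id, scope, ";".join(signed_headers), signature)


# Constructed sample values: not real credentials, host or captured traffic.
ACCESS_KEY_ID = "AKIDEXAMPLE"
SECRET_KEY = "constructed-secret-for-illustration-only"
AMZ_DATE = "20120228T000000Z"  # ISO 8601 basic format
CANONICAL_REQUEST = ("GET\n/\nAction=ListUsers\nhost:iam.example.test\n"
                     "x-amz-date:" + AMZ_DATE + "\n\nhost;x-amz-date\n"
                     + hashlib.sha256(b"").hexdigest())
```

Because every scope component feeds the HMAC chain, a signing key derived for one date, region and service cannot produce valid signatures for another, which is the cryptographic isolation the credential scope provides.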