Amazon Web Services
General Reference (Version 1.0)

Signing AWS API Requests

When you send HTTP requests to AWS, you sign the requests so that AWS can identify who sent them. You sign requests with your AWS access key, which consists of an access key ID and secret access key. Some requests do not need to be signed, such as anonymous requests to Amazon Simple Storage Service (Amazon S3) and some API operations in AWS Security Token Service (AWS STS) such as AssumeRoleWithWebIdentity.

Note

You need to learn how to sign HTTP requests only when you manually create them. When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the access key that you specify when you configure the tools. When you use these tools, you don't need to learn how to sign requests yourself.

AWS currently supports two signature versions: Signature Version 2 and Signature Version 4. Most services support Signature Version 4, which is the recommended version.

When Do You Need to Sign Requests?

When you write custom code to send HTTP requests to AWS, you need to include code to sign the requests. You might do this for the following reasons:

  • You are working with a programming language for which there is no AWS SDK.

  • You want complete control over how a request is sent to AWS.

You don't need to sign a request when you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs. These tools manage the connection details, such as calculating signatures, handling request retries, and error handling. In most cases, they also contain sample code, tutorials, and other resources to help you get started writing applications that interact with AWS.

Why Requests Are Signed

The signing process helps secure requests in the following ways:

  • Verify the identity of the requester

    Signing makes sure that the request has been sent by someone with a valid access key. For more information, see How Do I Get Security Credentials?

  • Protect data in transit

    To prevent tampering with a request while it's in transit, some of the request elements are used to calculate a hash (digest) of the request, and the resulting hash value is included as part of the request. When an AWS service receives the request, it uses the same information to calculate a hash and matches it against the hash value in your request. If the values don't match, AWS denies the request.

  • Protect against potential replay attacks

    In most cases, a request must reach AWS within five minutes of the time stamp in the request. Otherwise, AWS denies the request.

Signing Requests

To sign a request, you calculate a hash (digest) of the request, and then use the hash value with some other values from the request and your access key to create a signed hash; this is the signature.

You add the signature to a request in one of the following ways:

  • Add the signature to the request using the HTTP Authorization header.

  • Add the signature as a query string value to the request. Because the request signature is part of the URL, this type of URL is called a presigned URL.
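The steps above, worked through for Signature Version 4 with the Authorization header, together with a simplified receiver-side check that shows why a modified or stale request is denied. This is an added example, not AWS sample code or AWS's actual verification logic. Assumptions: the key, host, service name, and actions are constructed; the query string is already in canonical (sorted, URI-encoded) form; header names are lowercase and every header passed in is signed.

```python
import hashlib, hmac
from datetime import datetime, timedelta, timezone

ALGO = "AWS4-HMAC-SHA256"

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign(secret, method, path, query, headers, body, region, service):
    """Return (signed_headers, scope, hex signature). `query` must already be canonical."""
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed = ";".join(sorted(hdrs))
    # Canonical request: the request elements that get hashed (tamper protection).
    canonical = "\n".join([method, path, query,
                           "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs)),
                           signed, hashlib.sha256(body).hexdigest()])
    amz_date = hdrs["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join([ALGO, amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key from the secret access key, then sign the hash.
    key = ("AWS4" + secret).encode()
    for part in (amz_date[:8], region, service, "aws4_request"):
        key = _hmac(key, part)
    return signed, scope, _hmac(key, to_sign).hex()

def authorization(key_id, secret, *request):
    signed, scope, sig = sign(secret, *request)
    return f"{ALGO} Credential={key_id}/{scope}, SignedHeaders={signed}, Signature={sig}"

def verify(secret, auth, now, *request, window=timedelta(minutes=5)):
    """Receiver-side model: enforce the time window, then recompute and compare."""
    sent = datetime.strptime(request[3]["x-amz-date"], "%Y%m%dT%H%M%SZ")
    if abs(now - sent.replace(tzinfo=timezone.utc)) > window:
        return "expired"
    expected = sign(secret, *request)[2]
    claimed = auth.rsplit("Signature=", 1)[-1]
    # Constant-time comparison avoids leaking how many characters matched.
    return "ok" if hmac.compare_digest(expected, claimed) else "mismatch"

# Constructed sample request and credentials (not real keys or endpoints).
KEY_ID, SECRET = "AKIDEXAMPLE", "constructed-secret-not-a-real-key"
HEADERS = {"host": "service.example.com", "x-amz-date": "20240101T120000Z"}
REQ = ("GET", "/", "Action=ListThings&Version=2020-01-01", HEADERS, b"", "us-east-1", "example")
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    auth = authorization(KEY_ID, SECRET, *REQ)
    print(auth, verify(SECRET, auth, NOW, *REQ), sep="\n")
```

Changing any signed element after signing (here, the query string) or presenting the request outside the five-minute window makes `verify` return `mismatch` or `expired` instead of `ok`.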