Task 4: Add the Signing Information to the Request
After you calculate the signature, you add it to the request. You can add the signing information to a request in one of two ways:
An HTTP header named
The query string
You cannot pass signing information in both the
Authorization header and
the query string.
You can use temporary security credentials provided by the AWS Security Token Service (AWS STS) to sign a
request. The process is the same as using long-term credentials, but requires an
additional HTTP header or query string parameter for the security token. The name of the
header or query string parameter is
X-Amz-Security-Token, and the value is
the session token (the string you received from AWS STS when you obtained temporary security
When you add the
X-Amz-Security-Token parameter to the query string, some
services require that you include this parameter in the canonical (signed) request. For
other services, you add this parameter at the end, after you calculate the signature. For
details, see the API reference documentation for that service.
Adding Signing Information to the Authorization Header
You can include signing information by adding it to an HTTP header named
Authorization. The contents of the header are created after you calculate
the signature as described in the preceding steps, so the
header is not included in the list of signed headers. Although the header is named
Authorization, the signing information is actually used for
The following pseudocode shows the construction of the
access key ID/
credential scope, SignedHeaders=
The following example shows a finished
Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7
Note the following:
There is no comma between the algorithm and
Credential. However, the
Signatureare separated from the preceding values with a comma.
Credentialvalue starts with the access key ID, which is followed by a forward slash (
/), which is followed by the credential scope that you calculated in Task 2: Create a String to Sign for Signature Version 4. The secret access key is used to derive the signing key for the signature, but is not included in the signing information sent in the request.
Adding Signing Information to the Query String
You can make requests and pass all request values in the query string, including signing information. This is sometimes referred to as a presigned URL, because it produces a single URL with everything required in order to make a successful call to AWS. It's commonly used in Amazon S3. For more information, see Authenticating Requests by Using Query Parameters (AWS Signature Version 4) in the Amazon Simple Storage Service API Reference.
If you make a request in which all parameters are included in the query string, the
resulting URL represents an AWS action that is already authenticated. Therefore, treat
the resulting URL with as much caution as you would treat your actual credentials. We
recommend you specify a short expiration time for the request with the
When you use this approach, all the query string values (except the signature) are included in the canonical query string that is part of the canonical query that you construct in the first part of the signing process.
The following pseudocode shows the construction of a query string that contains all request parameters.
querystring = Action=
actionquerystring += &X-Amz-Algorithm=
algorithmquerystring += &X-Amz-Credential= urlencode(
access_key_ID+ '/' +
credential_scope) querystring += &X-Amz-Date=
datequerystring += &X-Amz-Expires=
timeout intervalquerystring += &X-Amz-SignedHeaders=
After the signature is calculated (which uses the other query string values as part of
the calculation), you add the signature to the query string as the
querystring += &X-Amz-Signature=
The following example shows what a request might look like when all the request parameters and the signing information are included in query string parameters.
Note the following:
For the signature calculation, query string parameters must be sorted in code point order from low to high, and their values must be URI-encoded. See the step about creating a canonical query string in Task 1: Create a Canonical Request for Signature Version 4.
Set the timeout interval (
X-Amz-Expires) to the minimal viable time for the operation you're requesting.