Amazon Web Services General Reference
  (Version 1.0)

Task 3: Calculate the AWS Signature Version 4

Signature Version 4 requires that you sign your message using a key that is derived from your secret access key rather than using the secret access key. To calculate a signature, you must first derive a signing key from your AWS secret access key. Then, you use the string to sign that you created in Task 2: Create a String to Sign for Signature Version 4 and your derived signing key as the inputs to a keyed hash function. The hex encoded result from the keyed hash function is the signature.

To calculate a signature

  1. Derive your signing key by using your secret access key to create a series of Hash-based Message Authentication Codes (HMACs) as shown by the following pseudocode, where HMAC(key, data) represents an HMAC-SHA256 function that returns output in binary format.

    Pseudocode for deriving a signing key

    kSecret = Your AWS Secret Access Key
    kDate = HMAC("AWS4" + kSecret, Date)
    kRegion = HMAC(kDate, Region)
    kService = HMAC(kRegion, Service)
    kSigning = HMAC(kService, "aws4_request")

    Ensure that you specify the HMAC parameters in the correct order (the key is the first parameter and the content is the second parameter). Some languages might reverse the order of these parameters.

    Use the digest for the key derivation. Most languages have functions to compute either a binary format hash, commonly called digest, or a hex encoded hash, called hexdigest. The key derivation requires that you use digest.

    As an example of a signing key, the following two samples show the inputs used to derive a signing key and the resulting output, where kSecret = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY.

    The following example uses the same parameters from the sample request in Task 1 and Task 2 (a request to IAM in the us-east-1 region on September 09, 2011).

    Sample inputs

    HMAC(HMAC(HMAC(HMAC("AWS4" + kSecret,"20110909"),"us-east-1"),"iam"),"aws4_request")

    The following example is the resulting signing key:

    Sample signing key

    kSigning = \x98\xf1\xd8\x89\xfe\xc4\xf4B\x1a\xdcR+\xab\x0c\xe1\xf8.i)\xc2b\xed\x15\xe5\xa9L\x90\xef\xd1\xe3\xb0\xe7

  2. Use your derived signing key and your string to sign as inputs to the keyed hash function that you use to calculate the signature.

    The following pseudocode shows how to calculate the signature.

    signature = HexEncode(HMAC(derived-signing-key, string-to-sign))

    The following example shows the resulting signature if you use the sample signing key and the sample string to sign from Task 2:

    Sample signature

    ced6826de92d2bdeed8f846f0bf508e8559e98e4b0199114b84c54174deb456c
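The following Python sketch is an added example, not code from AWS. It implements the derivation and signing pseudocode above and, next to the correct chain, the two mistakes step 1 warns about (hex digest instead of binary digest, and reversed HMAC parameters), checking each result against the sample signing key shown on this page. The function names, the `STRING_TO_SIGN` value and its timestamp are constructed for illustration; the string to sign is not the Task 2 sample, so the printed signature will differ from the sample signature.

```python
import hashlib
import hmac

# Values copied from this page: the sample secret key and the sample signing key.
SECRET = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
PAGE_SIGNING_KEY = (b"\x98\xf1\xd8\x89\xfe\xc4\xf4B\x1a\xdcR+\xab\x0c\xe1\xf8"
                    b".i)\xc2b\xed\x15\xe5\xa9L\x90\xef\xd1\xe3\xb0\xe7")
SCOPE = ("20110909", "us-east-1", "iam")  # Date, Region, Service from the page
# Constructed string to sign (NOT the Task 2 sample), used only to exercise sign().
STRING_TO_SIGN = "\n".join([
    "AWS4-HMAC-SHA256", "20110909T000000Z", "20110909/us-east-1/iam/aws4_request",
    hashlib.sha256(b"constructed canonical request").hexdigest()])

def derive_signing_key(secret, date, region, service):
    """Correct chain: the key is the first argument and raw bytes feed the next round."""
    key = ("AWS4" + secret).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode("utf-8"), hashlib.sha256).digest()
    return key

def derive_with_hexdigest(secret, date, region, service):
    """Mistake 1: hex text, not the binary digest, becomes the next round's key."""
    key = ("AWS4" + secret).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode("utf-8"), hashlib.sha256).hexdigest().encode("ascii")
    return key

def derive_with_swapped_args(secret, date, region, service):
    """Mistake 2: the data is passed as the HMAC key and the key as the data."""
    key = ("AWS4" + secret).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(part.encode("utf-8"), key, hashlib.sha256).digest()
    return key

def sign(signing_key, string_to_sign):
    """signature = HexEncode(HMAC(derived-signing-key, string-to-sign))"""
    return hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

if __name__ == "__main__":
    for fn in (derive_signing_key, derive_with_hexdigest, derive_with_swapped_args):
        key = fn(SECRET, *SCOPE)
        print(f"{fn.__name__:26} matches page sample: {key == PAGE_SIGNING_KEY}")
    print("signature:", sign(PAGE_SIGNING_KEY, STRING_TO_SIGN))
```

Both mistaken variants run without raising an error, so the usual symptom is a rejected request rather than a failure in the signing code; comparing the derived key against the sample key above isolates the problem to the derivation step.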