Amazon Web Services
General Reference (Version 1.0)

Task 3: Calculate the AWS Signature Version 4

Before you calculate a signature, you derive a signing key from your AWS secret access key. Because the derived signing key is specific to date, service, and region, it offers a greater degree of protection. You don't just use your secret access key to sign the request. You then use the signing key and the string to sign that you created in Task 2: Create a String to Sign for Signature Version 4 as the inputs to a keyed hash function. The hex-encoded result from the keyed hash function is the signature.

To calculate a signature

  1. Derive your signing key. To do this, use your secret access key to create a series of hash-based message authentication codes (HMACs). This is shown in the following pseudocode, where HMAC(key, data) represents an HMAC-SHA256 function that returns output in binary format. The result of each hash function becomes input for the next one.

    Pseudocode for deriving a signing key

    kSecret = Your AWS Secret Access Key
    kDate = HMAC("AWS4" + kSecret, Date)
    kRegion = HMAC(kDate, Region)
    kService = HMAC(kRegion, Service)
    kSigning = HMAC(kService, "aws4_request")

    Note that the date used in the hashing process is in the format YYYYMMDD (for example, 20150830), and does not include the time.

    Make sure you specify the HMAC parameters in the correct order for the programming language you are using. This example shows the key as the first parameter and the content as the second parameter, but the function that you use might specify the key and content in a different order.

    Use the digest for the key derivation. Most languages have functions to compute either a binary format hash, commonly called a digest, or a hex-encoded hash, called a hexdigest. The key derivation requires you use a digest.

    The following example show the inputs to derive a signing key and the resulting output, where kSecret = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY.

    The example uses the same parameters from the request in Task 1 and Task 2 (a request to IAM in the us-east-1 region on August 30, 2015).

    Example inputs

    HMAC(HMAC(HMAC(HMAC("AWS4" + kSecret,"20150830"),"us-east-1"),"iam"),"aws4_request")

    The following example shows the derived signing key that results from this sequence of HMAC hash operations. This shows the integer representation of each byte in the binary derived signing key.

    Example signing key

    196 175 177 204 87 113 216 113 118 58 57 62 68 183 3 87 27 85 204 40 66 77 26 94 134 218 110 211 193 84 164 185

  2. Calculate the signature. To do this, use the signing key that you derived and the string to sign as inputs to the keyed hash function. After you calculate the signature as a digest, convert the binary value to a hexadecimal representation.

    The following pseudocode shows how to calculate the signature.

    signature = HexEncode(HMAC(derived-signing-key, string-to-sign))

    The following example shows the resulting signature if you use the same signing key and the string to sign from Task 2:

    Example signature



For examples of how to derive a signing key using Java, C#, Python, Ruby, and JavaScript, see Examples of How to Derive a Version 4 Signing Key.