Amazon Web Services
General Reference (Version 1.0)

Task 3: Calculate the Signature for AWS Signature Version 4

Before you calculate a signature, you derive a signing key from your AWS secret access key. Because the derived signing key is specific to the date, service, and region, it offers a greater degree of protection. You don't just use your secret access key to sign the request. You then use the signing key and the string to sign that you created in Task 2: Create a String to Sign for Signature Version 4 as the inputs to a keyed hash function. The hex-encoded result from the keyed hash function is the signature.

Signature Version 4 does not require that you use a particular character encoding to encode the string to sign. However, some AWS services might require a specific encoding. For more information, consult the documentation for that service.

To calculate a signature

  1. Derive your signing key. To do this, use your secret access key to create a series of hash-based message authentication codes (HMACs). This is shown in the following pseudocode, where HMAC(key, data) represents an HMAC-SHA256 function that returns output in binary format. The result of each hash function becomes input for the next one.

    Pseudocode for deriving a signing key

    kSecret = your secret access key
    kDate = HMAC("AWS4" + kSecret, Date)
    kRegion = HMAC(kDate, Region)
    kService = HMAC(kRegion, Service)
    kSigning = HMAC(kService, "aws4_request")

    Note that the date used in the hashing process is in the format YYYYMMDD (for example, 20150830), and does not include the time.

    Make sure you specify the HMAC parameters in the correct order for the programming language you are using. This example shows the key as the first parameter and the data (message) as the second parameter, but the function that you use might specify the key and data in a different order.

    Use the digest (binary format) for the key derivation. Most languages have functions to compute either a binary format hash, commonly called a digest, or a hex-encoded hash, called a hexdigest. The key derivation requires that you use a binary-formatted digest.

    The following example show the inputs to derive a signing key and the resulting output, where kSecret = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY.

    The example uses the same parameters from the request in Task 1 and Task 2 (a request to IAM in the us-east-1 region on August 30, 2015).

    Example inputs

    HMAC(HMAC(HMAC(HMAC("AWS4" + kSecret,"20150830"),"us-east-1"),"iam"),"aws4_request")

    The following example shows the derived signing key that results from this sequence of HMAC hash operations. This shows the hexadecimal representation of each byte in the binary signing key.

    Example signing key


    For more information about how to derive a signing key in different programming languages, see Examples of How to Derive a Signing Key for Signature Version 4.

  2. Calculate the signature. To do this, use the signing key that you derived and the string to sign as inputs to the keyed hash function. After you calculate the signature as a digest, convert the binary value to a hexadecimal representation.

    The following pseudocode shows how to calculate the signature.

    signature = HexEncode(HMAC(derived signing key, string to sign))

    The following example shows the resulting signature if you use the same signing key and the string to sign from Task 2:

    Example signature