Amazon Web Services
General Reference (Version 1.0)

Task 2: Create a String to Sign for Signature Version 4

The string to sign includes meta information about your request and about the canonical request that you created in Task 1: Create a Canonical Request for Signature Version 4. You will use the string to sign and a derived signing key that you create later as inputs to calculate the request signature in Task 3: Calculate the Signature for AWS Signature Version 4.

To create the string to sign, concatenate the algorithm, date and time, credential scope, and digest of the canonical request, as shown in the following pseudocode:

Structure of string to sign

StringToSign = Algorithm + \n + RequestDateTime + \n + CredentialScope + \n + HashedCanonicalRequest

The following example shows how to construct the string to sign with the same request from Task 1: Create A Canonical Request.

Example HTTPS request

GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08 HTTP/1.1
Host: iam.amazonaws.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20150830T123600Z

To create the string to sign

  1. Start with the algorithm designation, followed by a newline character. This value is the hashing algorithm that you use to calculate the digests in the canonical request. For SHA256, AWS4-HMAC-SHA256 is the algorithm.

    AWS4-HMAC-SHA256\n
  2. Append the request date value, followed by a newline character. The date is specified with ISO8601 basic format in the x-amz-date header in the format YYYYMMDD'T'HHMMSS'Z'. This value must match the value you used in any previous steps.

    20150830T123600Z\n
  3. Append the credential scope value, followed by a newline character. This value is a string that includes the date, the region you are targeting, the service you are requesting, and a termination string ("aws4_request") in lowercase characters. The region and service name strings must be UTF-8 encoded.

    20150830/us-east-1/iam/aws4_request\n
    • The date must be in the YYYYMMDD format. Note that the date does not include a time value.

    • Verify that the region you specify is the region that you are sending the request to. See AWS Regions and Endpoints.

  4. Append the hash of the canonical request that you created in Task 1: Create a Canonical Request for Signature Version 4. This value is not followed by a newline character. The hashed canonical request must be lowercase base-16 encoded, as defined by Section 8 of RFC 4648.

    f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59

The following string to sign is a request to IAM on August 30, 2015.

Example string to sign

AWS4-HMAC-SHA256
20150830T123600Z
20150830/us-east-1/iam/aws4_request
f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59
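
The four steps above as a Python sketch; this is an added example, not code from the AWS documentation. The function names and the input checks (including the rejection of "/" in the region or service) are assumptions of this example, chosen to catch the mismatched-date and uppercase-hex mistakes that lead to a signature mismatch.

```python
import hashlib
import re

ALGORITHM = "AWS4-HMAC-SHA256"
TERMINATOR = "aws4_request"
AMZ_DATE_RE = re.compile(r"[0-9]{8}T[0-9]{6}Z")
HEX_SHA256_RE = re.compile(r"[0-9a-f]{64}")


def hash_canonical_request(canonical_request: str) -> str:
    """Return the SHA-256 digest of the canonical request as lowercase hex."""
    return hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()


def credential_scope(amz_date: str, region: str, service: str) -> str:
    """Build YYYYMMDD/region/service/aws4_request from the x-amz-date value."""
    if not AMZ_DATE_RE.fullmatch(amz_date):
        raise ValueError("x-amz-date must be in YYYYMMDD'T'HHMMSS'Z' format")
    for part in (region, service):
        # Assumption of this example: reject values that would break the scope layout.
        if not part or "/" in part or "\n" in part:
            raise ValueError("region/service must be non-empty with no '/' or newline")
    # Taking the scope date from amz_date keeps the two values from drifting apart.
    return "/".join((amz_date[:8], region, service, TERMINATOR))


def string_to_sign(amz_date, region, service, hashed_canonical_request):
    """Join algorithm, date, scope and digest with newlines; none after the digest."""
    if not HEX_SHA256_RE.fullmatch(hashed_canonical_request):
        raise ValueError("hashed canonical request must be 64 lowercase hex characters")
    scope = credential_scope(amz_date, region, service)
    return "\n".join((ALGORITHM, amz_date, scope, hashed_canonical_request))


if __name__ == "__main__":
    # Values taken from this page's IAM ListUsers example.
    print(string_to_sign(
        "20150830T123600Z", "us-east-1", "iam",
        "f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59",
    ))
```
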