Amazon Web Services General Reference
  (Version 1.0)

Task 2: Create a String to Sign for Signature Version 4

The string to sign includes meta information about your request and the canonical request that you created in Task 1: Create Canonical Request. You will use the string to sign and a derived key that you create later as inputs when you calculate the request signature (Task 3: Create a Signature).

To create the string to sign, concatenate the algorithm, date, credential scope, and the digest of the canonical request, as shown in the following pseudocode:

Structure of string to sign

StringToSign =
    Algorithm + '\n' +
    RequestDate + '\n' +
    CredentialScope + '\n' +
    HashedCanonicalRequest


As an example, let's construct the string to sign by using the same sample request from Task 1: Create A Canonical Request:

Sample HTTPS request

POST http://iam.amazonaws.com/ HTTP/1.1
host: iam.amazonaws.com
Content-type: application/x-www-form-urlencoded; charset=utf-8
x-amz-date: 20110909T233600Z

Action=ListUsers&Version=2010-05-08


To create the string to sign (Signature Version 4)

  1. Start with the algorithm designation, followed by a newline character. This value is the hashing algorithm that you're using to calculate the digests in the canonical request. (For SHA256, AWS4-HMAC-SHA256 is the algorithm.)

    AWS4-HMAC-SHA256\n
  2. Append the request date value, which is specified by using the ISO8601 Basic format via the x-amz-date header in the YYYYMMDD'T'HHMMSS'Z' format. This value must match the value you used in any previous steps.

    20110909T233600Z\n
  3. Append the credential scope value, which is a string that includes the date, the region you are targeting, the service you are requesting, and a termination string ("aws4_request") in lowercase characters. The region and service name strings must be UTF-8 encoded.

    20110909/us-east-1/iam/aws4_request\n
    • The date must be in the YYYYMMDD format. Note that the date does not include a time value.

    • For a list of regions, see Regions and Endpoints.

  4. Append the hashed canonical request that you created in Task 1. The hashed canonical request must be lowercase base-16 encoded, as defined by Section 8 of RFC 4648.

    3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2

The following string to sign is a request to IAM on September 09, 2011.

Sample string to sign

AWS4-HMAC-SHA256
20110909T233600Z
20110909/us-east-1/iam/aws4_request
3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2
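
The four steps above as a small Python function, added here as an example (not code from the AWS documentation); the function names and the input checks are assumptions of this example. It takes the scope date from the request date so the two cannot disagree, and rejects a digest that is not lowercase base-16.

```python
import hashlib
import re

ALGORITHM = "AWS4-HMAC-SHA256"
TERMINATOR = "aws4_request"


def hash_canonical_request(canonical_request: str) -> str:
    """SHA-256 of the canonical request; hexdigest() is already lowercase base-16."""
    return hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()


def string_to_sign(request_date: str, region: str, service: str,
                   hashed_canonical_request: str) -> str:
    """Build the Signature Version 4 string to sign from its four parts."""
    # Step 2: the x-amz-date value, YYYYMMDD'T'HHMMSS'Z'.
    # fullmatch also rejects a stray trailing newline.
    if not re.fullmatch(r"[0-9]{8}T[0-9]{6}Z", request_date):
        raise ValueError("request date must look like 20110909T233600Z")
    # Assumption of this example: refuse scope parts that would break the
    # slash- and newline-delimited layout of the string to sign.
    for part in (region, service):
        if not part or re.search(r"[/\s]", part):
            raise ValueError("region/service must be non-empty, no '/' or whitespace")
    # Step 4: the digest must be 64 lowercase hex characters.
    if not re.fullmatch(r"[0-9a-f]{64}", hashed_canonical_request):
        raise ValueError("hashed canonical request must be lowercase base-16 SHA-256")
    # Step 3: the scope date is the date part of the request date (no time value).
    scope = "/".join([request_date[:8], region, service, TERMINATOR])
    # No newline follows the last element.
    return "\n".join([ALGORITHM, request_date, scope, hashed_canonical_request])


if __name__ == "__main__":
    # Values taken from the sample on this page.
    print(string_to_sign(
        "20110909T233600Z", "us-east-1", "iam",
        "3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2"))
```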