|« PreviousNext »|
|Did this page help you? Yes | No | Tell us about it...|
The string to sign includes meta information about your request and the canonical request that you created in Task 1: Create Canonical Request. You will use the string to sign and a derived key that you create later as inputs when you calculate the request signature (Task 3:Create a Signature).
To create the string to sign, concatenate the algorithm, date, credential scope, and the digest of the canonical request to construct the string to sign, as shown in the following pseudocode:
Structure of string to sign
Algorithm+ '\n' +
RequestDate+ '\n' +
CredentialScope+ '\n' +
As an example, let's construct the string to sign by using the same sample request from Task 1: Create A Canonical Request:
Sample HTTPS request
POST http://iam.amazonaws.com/ HTTP/1.1 host: iam.amazonaws.com Content-type: application/x-www-form-urlencoded; charset=utf-8 x-amz-date: 20110909T233600Z Action=ListUsers&Version=2010-05-08
To create the string to sign (Signature Version 4)
Start with the algorithm designation, followed by a newline character. This
value is the hashing algorithm that you're using to calculate the digests in
the canonical request. (For SHA256,
AWS4-HMAC-SHA256 is the
Append the request date value, which is specified by using the ISO8601 Basic
format via the
x-amz-date header in the YYYYMMDD'T'HHMMSS'Z'
format. This value must match the value you used in any previous steps.
Append the credential scope value, which is a string that includes the date,
the region you are targeting, the service you are requesting, and a
termination string ("
aws4_request") in lowercase characters. The region and
service name strings must be UTF-8 encoded.
The date must be in the
YYYYMMDD format. Note that the date does not include
a time value.
For a list of regions, see Regions and Endpoints.
Append the hashed canonical request that you created in task 1. The hashed canonical request must be lowercase base-16 encoded, as defined by Section 8 of RFC 4648.
The following string to sign is a request to IAM on September 09, 2011.
Sample string to sign
AWS4-HMAC-SHA256 20110909T233600Z 20110909/us-east-1/iam/aws4_request 3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2