The string to sign includes meta information about your request and about the canonical request that you created in Task 1: Create Canonical Request. You will use the string to sign and a derived key that you create later as inputs when you calculate the request signature (Task 3: Create a Signature).
To create the string to sign, concatenate the algorithm, date, credential scope, and the digest of the canonical request, as shown in the following pseudocode:
Structure of string to sign
StringToSign =
Algorithm + '\n' +
RequestDate + '\n' +
CredentialScope + '\n' +
HashedCanonicalRequest
As an example, let's construct the string to sign by using the same sample request from Task 1: Create A Canonical Request:
Sample HTTPS request
POST https://iam.amazonaws.com/ HTTP/1.1
host: iam.amazonaws.com
Content-type: application/x-www-form-urlencoded; charset=utf-8
x-amz-date: 20110909T233600Z

Action=ListUsers&Version=2010-05-08
To create the string to sign (signature version 4)
Start with the algorithm designation, followed by a newline character. This value is the hashing algorithm that you're using to calculate the digests in the canonical request. (For SHA256, AWS4-HMAC-SHA256 is the
Append the request date value, followed by a newline character. The date is specified by using the ISO8601 Basic format in the x-amz-date header, in the YYYYMMDD'T'HHMMSS'Z' format. This value must match the value you used in any previous steps.
Append the credential scope value, followed by a newline character. This value is a string that includes the date (just the date, not the date and time), the region you are targeting, the service you are requesting, and a termination string ("aws4_request") in lowercase characters. The region and service name strings must be UTF-8 encoded.
The date must be in the YYYYMMDD format. Note that the date does not include a time value.
For a list of regions, see Regions and Endpoints. Be sure that the region you specify here is the region that you are sending the request to.
Append the hash of the canonical request that you created in Task 1. This value is not followed by a newline character. The hashed canonical request must be lowercase base-16 encoded, as defined by Section 8 of RFC 4648.
The following string to sign is a request to IAM on September 09, 2011.
Sample string to sign
AWS4-HMAC-SHA256
20110909T233600Z
20110909/us-east-1/iam/aws4_request
3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2
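The four steps above as a Python sketch that also checks the constraints the steps state (date format, date-only scope, lowercase hex digest, no trailing newline). This is an added example, not AWS code; the function names are hypothetical, and the region/service character checks are an assumption of this sketch.

```python
import hashlib
import re
from datetime import datetime

ALGORITHM = "AWS4-HMAC-SHA256"   # algorithm designation for SHA256
TERMINATOR = "aws4_request"      # lowercase termination string


def hash_canonical_request(canonical_request: str) -> str:
    """Lowercase base-16 SHA256 digest of the Task 1 canonical request."""
    return hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()


def credential_scope(amz_date: str, region: str, service: str) -> str:
    """Build date/region/service/aws4_request from the x-amz-date value."""
    if not re.fullmatch(r"[0-9]{8}T[0-9]{6}Z", amz_date):
        raise ValueError("x-amz-date must be YYYYMMDD'T'HHMMSS'Z'")
    datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ")  # rejects e.g. month 13
    for name, value in (("region", region), ("service", service)):
        # An empty part or a stray separator would silently change the scope.
        if not value or re.search(r"[/\s]", value):
            raise ValueError(f"invalid {name}: {value!r}")
    # Date only (no time), taken from the same value as the request date.
    return "/".join([amz_date[:8], region, service, TERMINATOR])


def string_to_sign(amz_date, region, service, hashed_request):
    """Join the four fields with newlines; no newline after the hash."""
    if not re.fullmatch(r"[0-9a-f]{64}", hashed_request):
        raise ValueError("hash must be 64 lowercase hex characters")
    scope = credential_scope(amz_date, region, service)
    return "\n".join([ALGORITHM, amz_date, scope, hashed_request])


if __name__ == "__main__":
    # Values from the sample request on this page.
    print(string_to_sign(
        "20110909T233600Z", "us-east-1", "iam",
        "3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2",
    ))
```

Deriving the scope date from the same x-amz-date value keeps the two from drifting apart, which would otherwise make the service's recomputed signature differ from yours.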