Task 2: Create a String to Sign for Signature Version 4
The string to sign includes meta information about your request and about the canonical request that you created in Task 1: Create a Canonical Request for Signature Version 4. You will use the string to sign and a derived signing key that you create later as inputs to calculate the request signature in Task 3: Calculate the Signature for AWS Signature Version 4.
To create the string to sign, concatenate the algorithm, date, credential scope, and the digest of the canonical request, as shown in the following pseudocode:
Structure of string to sign
Algorithm+ '\n' +
RequestDate+ '\n' +
CredentialScope+ '\n' +
The following example shows how to construct the string to sign with the same request from Task 1: Create A Canonical Request.
Example HTTPS request
GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08 HTTP/1.1 Host: iam.amazonaws.com Content-Type: application/x-www-form-urlencoded; charset=utf-8 X-Amz-Date: 20150830T123600Z
To create the string to sign
Start with the algorithm designation, followed by a newline character. This value is the hashing algorithm that you use to calculate the digests in the canonical request. For SHA256,
AWS4-HMAC-SHA256is the algorithm.
Append the request date value, followed by a newline character. The date is specified with ISO8601 basic format in the
x-amz-dateheader in the format YYYYMMDD'T'HHMMSS'Z'. This value must match the value you used in any previous steps.
Append the credential scope value, followed by a newline character. This value is a string that includes the date, the region you are targeting, the service you are requesting, and a termination string ("
aws4_request") in lowercase characters. The region and service name strings must be UTF-8 encoded.
The date must be in the
YYYYMMDDformat. Note that the date does not include a time value.
Verify that the region you specify is the region that you are sending the request to. See AWS Regions and Endpoints.
Append the hash of the canonical request that you created in Task 1: Create a Canonical Request for Signature Version 4. This value is not followed by a newline character. The hashed canonical request must be lowercase base-16 encoded, as defined by Section 8 of RFC 4648.
The following string to sign is a request to IAM on August 30, 2015.
Example string to sign
AWS4-HMAC-SHA256 20150830T123600Z 20150830/us-east-1/iam/aws4_request f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59