Amazon Web Services General Reference
  (Version 1.0)
« PreviousNext »
Did this page help you?  Yes | No |  Tell us about it...

Task 2: Create a String to Sign for Signature Version 4

The string to sign includes meta information about your request and the canonical request that you created in Task 1: Create Canonical Request. You will use the string to sign and a derived key that you create later as inputs when you calculate the request signature (Task 3:Create a Signature).

To create the string to sign, concatenate the algorithm, date, credential scope, and the digest of the canonical request to construct the string to sign, as shown in the following pseudocode:

Structure of string to sign

StringToSign  =
Algorithm + '\n' +
RequestDate + '\n' +
CredentialScope + '\n' +

As an example, let's construct the string to sign by using the same sample request from Task 1: Create A Canonical Request:

Sample HTTPS request

Content-type: application/x-www-form-urlencoded; charset=utf-8
x-amz-date: 20110909T233600Z


To create the string to sign (Signature Version 4)

  1. Start with the algorithm designation, followed by a newline character. This value is the hashing algorithm that you're using to calculate the digests in the canonical request. (For SHA256, AWS4-HMAC-SHA256 is the algorithm.)

  2. Append the request date value, which is specified by using the ISO8601 Basic format via the x-amz-date header in the YYYYMMDD'T'HHMMSS'Z' format. This value must match the value you used in any previous steps.

  3. Append the credential scope value, which is a string that includes the date, the region you are targeting, the service you are requesting, and a termination string ("aws4_request") in lowercase characters. The region and service name strings must be UTF-8 encoded.

    • The date must be in the YYYYMMDD format. Note that the date does not include a time value.

    • For a list of regions, see Regions and Endpoints.

  4. Append the hashed canonical request that you created in task 1. The hashed canonical request must be lowercase base-16 encoded, as defined by Section 8 of RFC 4648.


The following string to sign is a request to IAM on September 09, 2011.

Sample string to sign