Amazon Web Services
General Reference (Version 1.0)

Task 2: Create a String to Sign for Signature Version 4

The string to sign includes meta information about your request and about the canonical request that you created in Task 1: Create a Canonical Request for Signature Version 4. You will use the string to sign and a derived signing key that you create later as inputs to calculate the request signature in Task 3: Calculate the AWS Signature Version 4.

To create the string to sign, concatenate the algorithm, date, credential scope, and the digest of the canonical request, as shown in the following pseudocode:

Structure of string to sign

StringToSign  =
Algorithm + '\n' +
RequestDate + '\n' +
CredentialScope + '\n' +
HashedCanonicalRequest


The following example shows how to construct the string to sign with the same request from Task 1: Create A Canonical Request.

Example HTTPS request

GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08 HTTP/1.1
Host: iam.amazonaws.com
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20150830T123600Z


To create the string to sign

  1. Start with the algorithm designation, followed by a newline character. This value is the hashing algorithm that you use to calculate the digests in the canonical request. For SHA256, AWS4-HMAC-SHA256 is the algorithm.

    AWS4-HMAC-SHA256\n
  2. Append the request date value, followed by a newline character. The date is specified with ISO8601 basic format in the x-amz-date header in the format YYYYMMDD'T'HHMMSS'Z'. This value must match the value you used in any previous steps.

    20150830T123600Z\n
  3. Append the credential scope value, followed by a newline character. This value is a string that includes the date, the region you are targeting, the service you are requesting, and a termination string ("aws4_request") in lowercase characters. The region and service name strings must be UTF-8 encoded.

    20150830/us-east-1/iam/aws4_request\n
    • The date must be in the YYYYMMDD format. Note that the date does not include a time value.

    • Verify that the region you specify is the region that you are sending the request to. See AWS Regions and Endpoints.

  4. Append the hash of the canonical request that you created in Task 1: Create a Canonical Request for Signature Version 4. This value is not followed by a newline character. The hashed canonical request must be lowercase base-16 encoded, as defined by Section 8 of RFC 4648.

    f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59

The following string to sign is a request to IAM on August 30, 2015.

Example string to sign

AWS4-HMAC-SHA256
20150830T123600Z
20150830/us-east-1/iam/aws4_request
f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59
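The four steps above, as an added Python example (not code from the AWS documentation). The function names are hypothetical; the sample values are the ones on this page, and the scope-date check reflects the Signature Version 4 rule that the scope date is the date part of the request date.

```python
import hashlib
import re

ALGORITHM = "AWS4-HMAC-SHA256"   # step 1: algorithm designation
TERMINATOR = "aws4_request"      # lowercase termination string

def hash_canonical_request(canonical_request: str) -> str:
    """Lowercase base-16 SHA-256 digest of the Task 1 canonical request."""
    return hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()

def credential_scope(date: str, region: str, service: str) -> str:
    """Step 3: build YYYYMMDD/region/service/aws4_request."""
    if not re.fullmatch(r"[0-9]{8}", date):
        raise ValueError("scope date must be YYYYMMDD with no time value")
    return "/".join([date, region, service, TERMINATOR])

def string_to_sign(request_date: str, scope: str, hashed_request: str) -> str:
    """Join the four fields with newlines; no newline after the hash."""
    if not re.fullmatch(r"[0-9]{8}T[0-9]{6}Z", request_date):
        raise ValueError("request date must be YYYYMMDD'T'HHMMSS'Z'")
    if scope.split("/")[0] != request_date[:8]:
        raise ValueError("credential scope date does not match request date")
    if not scope.endswith("/" + TERMINATOR):
        raise ValueError("credential scope must end with aws4_request")
    # Uppercase or truncated hex would produce a different signature in Task 3.
    if not re.fullmatch(r"[0-9a-f]{64}", hashed_request):
        raise ValueError("hash must be 64 lowercase hex characters")
    return "\n".join([ALGORITHM, request_date, scope, hashed_request])

# Hash of the Task 1 canonical request, copied from this page.
PAGE_HASH = "f536975d06c0309214f805bb90ccff089219ecd68b2577efef23edd43b7e1a59"

if __name__ == "__main__":
    scope = credential_scope("20150830", "us-east-1", "iam")
    print(string_to_sign("20150830T123600Z", scope, PAGE_HASH))
```

Rejecting malformed fields before signing turns a silent signature mismatch into an immediate, specific error.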