Amazon Web Services
General Reference (Version 1.0)

Task 2: Create a String to Sign for Signature Version 4

The string to sign includes meta information about your request and about the canonical request that you created in Task 1: Create Canonical Request. You will use the string to sign and a derived key that you create later as inputs when you calculate the request signature (Task 3: Create a Signature).

To create the string to sign, concatenate the algorithm, date, credential scope, and the digest of the canonical request, as shown in the following pseudocode:

Structure of string to sign

StringToSign  =
Algorithm + '\n' +
RequestDate + '\n' +
CredentialScope + '\n' +
HashedCanonicalRequest


As an example, let's construct the string to sign by using the same sample request from Task 1: Create A Canonical Request:

Sample HTTPS request

POST https://iam.amazonaws.com/ HTTP/1.1
host: iam.amazonaws.com
Content-type: application/x-www-form-urlencoded; charset=utf-8
x-amz-date: 20110909T233600Z

Action=ListUsers&Version=2010-05-08


To create the string to sign (signature version 4)

  1. Start with the algorithm designation, followed by a newline character. This value is the hashing algorithm that you're using to calculate the digests in the canonical request. (For SHA256, AWS4-HMAC-SHA256 is the algorithm.)

    AWS4-HMAC-SHA256\n
  2. Append the request date value, followed by a newline character. The date is specified by using the ISO8601 Basic format via the x-amz-date header in the YYYYMMDD'T'HHMMSS'Z' format. This value must match the value you used in any previous steps.

    20110909T233600Z\n
  3. Append the credential scope value, followed by a newline character. This value is a string that includes the date (just the date, not the date and time), the region you are targeting, the service you are requesting, and a termination string ("aws4_request") in lowercase characters. The region and service name strings must be UTF-8 encoded.

    20110909/us-east-1/iam/aws4_request\n
    • The date must be in the YYYYMMDD format. Note that the date does not include a time value.

    • For a list of regions, see Regions and Endpoints. Be sure that the region you specify here is the region that you are sending the request to.

  4. Append the hash of the canonical request that you created in Task 1. This value is not followed by a newline character. The hashed canonical request must be lowercase base-16 encoded, as defined by Section 8 of RFC 4648.

    3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2

The following string to sign is a request to IAM on September 09, 2011.

Sample string to sign

AWS4-HMAC-SHA256
20110909T233600Z
20110909/us-east-1/iam/aws4_request
3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2
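
The four steps above as a Python sketch, added here as an illustration and not taken from AWS code or any SDK. The function names are hypothetical; the builder derives the credential scope date from the request date so the two cannot disagree, and the checker reports the formatting mistakes the steps warn about (trailing newline, mismatched dates, non-lowercase digest).

```python
import hashlib
import re
from datetime import datetime

ALGORITHM = "AWS4-HMAC-SHA256"
TERMINATOR = "aws4_request"
HEX64 = re.compile(r"[0-9a-f]{64}")

def hash_canonical_request(canonical_request: str) -> str:
    """Lowercase base-16 SHA-256 digest of the Task 1 canonical request."""
    return hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()

def build_string_to_sign(amz_date: str, region: str, service: str,
                         hashed_canonical_request: str) -> str:
    """Join the four fields with newlines; nothing follows the digest."""
    if not re.fullmatch(r"[0-9]{8}T[0-9]{6}Z", amz_date):
        raise ValueError("request date must be YYYYMMDD'T'HHMMSS'Z'")
    datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ")  # rejects impossible dates
    if not HEX64.fullmatch(hashed_canonical_request):
        raise ValueError("digest must be 64 lowercase hex characters")
    # The scope date is cut from the request date so they always match.
    scope = "/".join([amz_date[:8], region, service, TERMINATOR])
    return "\n".join([ALGORITHM, amz_date, scope, hashed_canonical_request])

def check_string_to_sign(sts: str) -> list:
    """Return a list of problems found in an existing string to sign."""
    lines = sts.split("\n")
    if len(lines) != 4:
        return ["expected 4 lines, got %d (trailing newline?)" % len(lines)]
    algorithm, amz_date, scope, digest = lines
    problems = []
    if algorithm != ALGORITHM:
        problems.append("unexpected algorithm designation")
    parts = scope.split("/")
    if len(parts) != 4 or parts[3] != TERMINATOR:
        problems.append("credential scope must be date/region/service/aws4_request")
    elif parts[0] != amz_date[:8]:
        problems.append("credential scope date differs from request date")
    if not HEX64.fullmatch(digest):
        problems.append("digest is not lowercase base-16 SHA-256")
    return problems

# Values from the sample request on this page.
SAMPLE = build_string_to_sign(
    "20110909T233600Z", "us-east-1", "iam",
    "3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2")
```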