Handling Dates in Signature Version 4

The date that you use as part of your credential scope must match the date of your request. You can include the date as part of your request in several different ways. For requests like the example POST request in Signed Signature Version 4 Requests Examples, you can use either a date header or an x-amz-date header. For requests like the example GET request in Signed Signature Version 4 Requests Examples, you can use either a date header or include x-amz-date as a query parameter.

For both types of requests, AWS looks first for the x-amz-date header or parameter. If AWS cannot find a value for x-amz-date, it uses the date header.

The date header expects a timestamp and the credential scope expects an eight-digit string representing the year (YYYY), month (MM), and day (DD) of the request. Requests are rejected if the two dates do not match. For example, if the date header contains the value 20111015T080000Z and the date component of the credential scope is 20111015, AWS allows the authentication process to proceed.

If the dates do not match, AWS will reject the request, even if the time stamp is only seconds away from matching the date component of the credential scope. For example, AWS will reject a request that has a date header value of 20111014T235959Z and a credential scope that includes the date 20111015.