Amazon Web Services
General Reference (Version 1.0)

Signing AWS Requests with Signature Version 4

This section explains how to create a signature and add it to a request.

What Signing Looks Like in a Request

The following example shows what an HTTPS request might look like as it is sent from your client to AWS, without any signing information.

Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20150830T123600Z

After you complete the signing tasks, you add the authentication information to the request. You can add the authentication information in two ways:

Authorization header

You can add the authentication information to the request with an Authorization header. Although the HTTP header is named Authorization, the signing information is actually used for authentication to establish who the request came from.

The Authorization header includes the following information:

  • Algorithm you used for signing (AWS4-HMAC-SHA256)

  • Credential scope (with your access key ID)

  • List of signed headers

  • Calculated signature. The signature is based on your request information, and you use your AWS secret access key to produce the signature. The signature confirms your identity to AWS.

The following example shows what the preceding request might look like after you've created the signing information and added it to the request in the Authorization header.

Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7
content-type: application/x-www-form-urlencoded; charset=utf-8
x-amz-date: 20150830T123600Z

Query string

As an alternative to adding authentication information with an HTTP request header, you can include it in the query string. The query string contains everything that is part of the request, including the name and parameters for the action, the date, and the authentication information.

The following example shows how you might construct a GET request with the action and authentication information in the query string.

content-type: application/x-www-form-urlencoded; charset=utf-8

GET and POST Requests in the Query API

The query API that many AWS services support lets you make requests using either HTTP GET or POST. (In the query API, you can use GET even if you're making requests that change state; that is, the query API is not inherently RESTful.) Because GET requests pass parameters on the query string, they are limited to the maximum length of a URL. If a request includes a large payload (for example, you might upload a large IAM policy or send many parameters in JSON format for a DynamoDB request), you generally use a POST request.

The signing process is the same for both types of requests.

Summary of Signing Steps

To create a signed request, complete the following:

  • Task 1: Create a Canonical Request for Signature Version 4

    Arrange the contents of your request (host, action, headers, etc.) into a standard (canonical) format. The canonical request is one of the inputs used to create a string to sign.

  • Task 2: Create a String to Sign for Signature Version 4

    Create a string to sign with the canonical request and extra information such as the algorithm, request date, credential scope, and the digest (hash) of the canonical request.

  • Task 3: Calculate the AWS Signature Version 4

    Derive a signing key by performing a succession of keyed hash operations (HMAC operations) on the request date, region, and service, with your AWS secret access key as the key for the initial hashing operation. After you derive the signing key, you then calculate the signature by performing a keyed hash operation on the string to sign. Use the derived signing key as the hash key for this operation.

  • Task 4: Add the Signing Information to the Request

    After you calculate the signature, add it to an HTTP header or to the query string of the request.
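The four tasks above, carried through end to end as an added example; this is not code from the AWS documentation or SDKs. The access key ID, date, region, service and header names come from the Authorization example earlier on this page; the request line, the host, the query string and the secret access key are not shown on this page and are assumptions.

```python
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def canonical_request(method, path, query, headers, payload=b""):
    """Task 1. Assumes `path` is already a normalized, URI-encoded absolute path."""
    enc = lambda s: quote(s, safe="-_.~")
    cq = "&".join(f"{k}={v}" for k, v in sorted((enc(k), enc(v)) for k, v in query.items()))
    # Header names lowercased, values trimmed with inner whitespace collapsed, sorted by name.
    hdrs = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    signed = ";".join(k for k, _ in hdrs)
    block = "".join(f"{k}:{v}\n" for k, v in hdrs)
    digest = hashlib.sha256(payload).hexdigest()
    return "\n".join([method, path, cq, block, signed, digest]), signed

def string_to_sign(amz_date, scope, creq):
    """Task 2: algorithm, request date, credential scope, hash of the canonical request."""
    creq_hash = hashlib.sha256(creq.encode("utf-8")).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, creq_hash])

def signing_key(secret, date, region, service):
    """Task 3: HMAC chain over date, region, service, then the fixed terminator."""
    key = _hmac(("AWS4" + secret).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def sign(access_key, secret, region, service, amz_date, method, path, query, headers, payload=b""):
    """Task 4: return the value of the Authorization header."""
    all_headers = {**headers, "X-Amz-Date": amz_date}
    creq, signed = canonical_request(method, path, query, all_headers, payload)
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    key = signing_key(secret, amz_date[:8], region, service)
    sig = hmac.new(key, string_to_sign(amz_date, scope, creq).encode("utf-8"), hashlib.sha256).hexdigest()
    return f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"

# Constructed sample input. Host, query string and secret key are assumptions (not on this page);
# the secret is a documentation placeholder, not a live credential.
EXAMPLE = dict(
    access_key="AKIDEXAMPLE", secret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY",
    region="us-east-1", service="iam", amz_date="20150830T123600Z",
    method="GET", path="/", query={"Action": "ListUsers", "Version": "2010-05-08"},
    headers={"Host": "iam.amazonaws.com",
             "Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
)

if __name__ == "__main__":
    print("Authorization:", sign(**EXAMPLE))
```

With these assumed inputs the printed value can be compared with the Authorization header shown earlier on this page; changing any signed header or query parameter changes the signature.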


The AWS SDKs handle the signature calculation process for you, so you do not have to manually complete the signing process. For more information, see Tools for Amazon Web Services.

The following additional resources illustrate aspects of the signing process:

  • Examples of How to Derive a Version 4 Signing Key. This page shows how to derive a signing key using Java, C#, Python, Ruby, and JavaScript.

  • Examples of the Complete Version 4 Signing Process (Python). This set of programs in Python provides complete examples of the signing process. The examples show signing with a POST request, with a GET request that has signing information in a request header, and with a GET request that has signing information in the query string.

  • Signature Version 4 Test Suite. This downloadable package contains a collection of examples that include signature information for various steps in the signing process. You can use these examples to verify that your signing code is producing the correct results at each step of the process.