Amazon Web Services
General Reference (Version 1.0)

Signing AWS Requests with Signature Version 4

This section explains how to create a signature and add it to a request.

What Signing Looks Like in a Request

The following example shows what an HTTPS request might look like as it is sent from your client to AWS, without any signing information.

GET HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Host:
X-Amz-Date: 20150830T123600Z

After you complete the signing tasks, you add the authentication information to the request. You can add the authentication information in two ways:

Authorization header

You can add the authentication information to the request with an Authorization header. Although the HTTP header is named Authorization, the signing information is actually used for authentication to establish who the request came from.

The Authorization header includes the following information:

  • Algorithm you used for signing (AWS4-HMAC-SHA256)

  • Credential scope (with your access key ID)

  • List of signed headers

  • Calculated signature. The signature is based on your request information, and you use your AWS secret access key to produce the signature. The signature confirms your identity to AWS.

The following example shows what the preceding request might look like after you've created the signing information and added it to the request in the Authorization header.

GET HTTP/1.1
Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7
content-type: application/x-www-form-urlencoded; charset=utf-8
host:
x-amz-date: 20150830T123600Z
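
The parts of the Authorization header listed above can be checked mechanically, for example in a proxy or when reviewing request logs. The following Python code is an added example, not part of the AWS reference. The function names and the Host value are assumptions, and the consistency checks (lowercase sorted SignedHeaders, host signed, x-amz-date matching the credential scope date) are Signature Version 4 rules that this section does not spell out.

```python
import re

# Grammar of the header value, following the Authorization example on this page.
AUTH_RE = re.compile(
    r"^(?P<algorithm>AWS4-HMAC-SHA256) "
    r"Credential=(?P<access_key_id>[^/,\s]+)/(?P<date>\d{8})/"
    r"(?P<region>[^/,\s]+)/(?P<service>[^/,\s]+)/aws4_request,\s*"
    r"SignedHeaders=(?P<signed_headers>[^,\s]+),\s*"
    r"Signature=(?P<signature>[0-9a-f]{64})$"
)

def parse_authorization(value):
    """Split a SigV4 Authorization header value into its named parts."""
    m = AUTH_RE.match(value.strip())
    if m is None:
        raise ValueError("malformed AWS4-HMAC-SHA256 Authorization header")
    fields = m.groupdict()
    fields["signed_headers"] = fields["signed_headers"].split(";")
    return fields

def check_request(headers):
    """Return a list of problems found in a signed request's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    try:
        auth = parse_authorization(h.get("authorization", ""))
    except ValueError as exc:
        return [str(exc)]
    problems = []
    signed = auth["signed_headers"]
    if signed != sorted(signed) or any(n != n.lower() for n in signed):
        problems.append("SignedHeaders must be lowercase and sorted")
    problems += [f"signed header missing from request: {n}" for n in signed if n not in h]
    if "host" not in signed:
        problems.append("host is not covered by the signature")
    if not h.get("x-amz-date", "").startswith(auth["date"]):
        problems.append("x-amz-date does not match the credential scope date")
    return problems

# Headers from the example on this page; the Host value is a constructed placeholder.
SAMPLE = {
    "Authorization": "AWS4-HMAC-SHA256 "
        "Credential=AKIDEXAMPLE/20150830/us-east-1/iam/aws4_request, "
        "SignedHeaders=content-type;host;x-amz-date, "
        "Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7",
    "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
    "Host": "service.example.invalid",
    "X-Amz-Date": "20150830T123600Z",
}
```

These checks confirm only that the header is well formed and internally consistent. Verifying the signature itself requires the secret access key and the full signing process.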

Query string

As an alternative to adding authentication information with an HTTP request header, you can include it in the query string. The query string contains everything that is part of the request, including the name and parameters for the action, the date, and the authentication information.

The following example shows how you might construct a GET request with the action and authentication information in the query string.

GET HTTP/1.1
content-type: application/x-www-form-urlencoded; charset=utf-8
host:

GET and POST Requests in the Query API

The query API that many AWS services support lets you make requests using either HTTP GET or POST. (In the query API, you can use GET even if you're making requests that change state; that is, the query API is not inherently RESTful.) Because GET requests pass parameters on the query string, they are limited to the maximum length of a URL. If a request includes a large payload (for example, you might upload a large IAM policy or send many parameters in JSON format for a DynamoDB request), you generally use a POST request.

The signing process is the same for both types of requests.

Summary of Signing Steps

To create a signed request, complete the following:


The AWS SDKs handle the signature calculation process for you, so you do not have to manually complete the signing process. For more information, see Tools for Amazon Web Services.

The following additional resources illustrate aspects of the signing process:

  • Examples of How to Derive a Signing Key for Signature Version 4. This page shows how to derive a signing key using Java, C#, Python, Ruby, and JavaScript.

  • Examples of the Complete Version 4 Signing Process (Python). This set of programs in Python provides complete examples of the signing process. The examples show signing with a POST request, with a GET request that has signing information in a request header, and with a GET request that has signing information in the query string.

  • Signature Version 4 Test Suite. This downloadable package contains a collection of examples that include signature information for various steps in the signing process. You can use these examples to verify that your signing code is producing the correct results at each step of the process.