Amazon Simple Storage Service
API Reference (API Version 2006-03-01)

Authenticating Requests in Browser-Based Uploads Using POST (AWS Signature Version 4)

Amazon S3 supports HTTP POST requests so that users can upload content directly to Amazon S3. By using POST, end users can authenticate requests without having to pass data through a secure intermediary node that protects your credentials. Thus, HTTP POST has the potential to reduce latency.

The following figure shows an Amazon S3 upload using a POST request.

[Figure: Uploading Using POST]

  1. The user accesses your page from a web browser.
  2. Your web page contains an HTTP form that contains all the information necessary for the user to upload content to Amazon S3.
  3. The user uploads content to Amazon S3 through the web browser.

The process for sending browser-based POST requests is as follows:

  1. Create a security policy specifying conditions that restrict what you want to allow in the request, such as the bucket name where objects can be uploaded and the key name prefixes that you want to allow for the object being created.

  2. Create a signature that is based on the policy. For authenticated requests, the form must include a valid signature and the policy.

  3. Create an HTML form that your users can access in order to upload objects to your Amazon S3 bucket.

The following section describes how to create a signature to authenticate a request. For information about creating forms and security policies, see Creating an HTML Form (Using AWS Signature Version 4).

Calculating a Signature

For authenticated requests, the HTML form must include fields for a security policy and a signature.

To calculate a signature

  1. Create a policy using UTF-8 encoding.

  2. Convert the UTF-8-encoded policy bytes to Base64. The result is the StringToSign.

  3. Create a signing key.

  4. Use the signing key to sign the StringToSign using the HMAC-SHA256 signing algorithm.
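
The four steps above in Python, as an added example that is not part of the AWS reference; it also includes a receiver-side check showing that the signature binds the exact policy bytes. The signing-key derivation is the standard Signature Version 4 chain, which this page does not spell out. The bucket, key prefix, dates, function names and the form fields other than the policy and signature are assumptions, and the credentials are AWS's documentation placeholders.

```python
import base64, hashlib, hmac, json

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def string_to_sign(policy: dict) -> str:
    # Steps 1-2: UTF-8 encode the policy document, then Base64 those bytes.
    return base64.b64encode(json.dumps(policy).encode("utf-8")).decode("ascii")

def signing_key(secret_key: str, date: str, region: str) -> bytes:
    # Step 3: SigV4 key chain; the key is scoped to one day, region and service.
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date)  # date is YYYYMMDD
    return _hmac(_hmac(_hmac(k, region), "s3"), "aws4_request")

def sign(secret_key: str, date: str, region: str, sts: str) -> str:
    # Step 4: HMAC-SHA256 over the StringToSign, hex-encoded.
    return _hmac(signing_key(secret_key, date, region), sts).hex()

def form_fields(access_key, secret_key, region, amz_date, policy) -> dict:
    date, sts = amz_date[:8], string_to_sign(policy)
    return {
        "policy": sts,
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": f"{access_key}/{date}/{region}/s3/aws4_request",
        "x-amz-date": amz_date,
        "x-amz-signature": sign(secret_key, date, region, sts),
    }

def signature_matches(secret_key: str, region: str, fields: dict) -> bool:
    # Receiver-side check: recompute over the submitted policy, compare in constant time.
    expected = sign(secret_key, fields["x-amz-date"][:8], region, fields["policy"])
    return hmac.compare_digest(expected, fields["x-amz-signature"])

# Constructed sample input (assumed values; credentials are AWS doc placeholders).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
AMZ_DATE, REGION = "20151229T000000Z", "us-east-1"
POLICY = {
    "expiration": "2015-12-30T12:00:00.000Z",
    "conditions": [
        {"bucket": "examplebucket"},
        ["starts-with", "$key", "user/user1/"],
        {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
        {"x-amz-credential": f"{ACCESS_KEY}/20151229/{REGION}/s3/aws4_request"},
        {"x-amz-date": AMZ_DATE},
    ],
}
FIELDS = form_fields(ACCESS_KEY, SECRET_KEY, REGION, AMZ_DATE, POLICY)
```

The secret key and signing key stay on the server; only the values in `FIELDS` are placed in the HTML form sent to the browser.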

For more information about creating HTML forms, security policies, and an example, see the following: