Signature Calculations for the Authorization Header: Including Trailing Headers (Chunked Upload) (AWS Signature Version 4) - Amazon Simple Storage Service

Signature Calculations for the Authorization Header: Including Trailing Headers (Chunked Upload) (AWS Signature Version 4)

As described in the Overview, when authenticating requests using the Authorization header, you have an option of uploading the payload in chunks. This is covered in detail in Signature Calculations for the Authorization Header: Transferring Payload in Multiple Chunks (Chunked Upload) (AWS Signature Version 4). When you send the data for the object in chunks, you also have the option of including trailing headers. This section describes the steps you need to take when you want to include a trailing header at the end of your multiple chunk upload.


When you are including trailing headers, you must send the following in your initial header:

Trailing headers are only sent after the chunks have been uploaded. Previous chunks are sent as normal and signed as described in the previous sections, including sending the final chunk with a payload of 0 bytes. The trailing headers are included as their own chunk and sent after the final chunk with a payload of 0 bytes. For example, if your data ended with a 100 KB chunk, you would send the following:

  • Previous data chunks

  • 100 KB final chunk of the object

  • 0 bytes chunk signifying the end of the object

  • Trailing headers chunk

Example: PUT Object

You can use the examples in this section as a reference to check signature calculations in your code. Before you review the examples, note the following:

  • The signature calculations in these examples use the following example security credentials.

    Parameter Value
  • All examples use the request timestamp 20130524T000000Z (Fri, 24 May 2013 00:00:00 GMT).

  • All examples use examplebucket as the bucket name.

  • The bucket is assumed to be in the US East (N. Virginia) Region, and the credential Scope and the Signing Key calculations use us-east-1 as the Region specifier. For more information, see Regions and Endpoints in the Amazon Web Services General Reference.

  • You can use either path style or virtual-hosted style requests. The following examples use virtual-hosted style requests, for example:

    For more information, see Virtual Hosting of Buckets in the Amazon Simple Storage Service User Guide.

The following example sends a PUT request to upload an object. The signature calculations assume the following:

  • You are uploading a 65 KB text file, and the file content is a one-character string made up of the letter 'a'.

  • The chunk size is 64 KB. As a result, the payload is uploaded in three chunks, 64 KB, 1 KB, and the final chunk with 0 bytes of chunk data.

  • The resulting object has the key name chunkObject.txt.

  • You are requesting REDUCED_REDUNDANCY as the storage class by adding the x-amz-storage-class request header.

  • The transfer is including a CRC32 checksum value as a trailing header.

For information about the API action, see PutObject. The general request syntax is as follows:

PUT /examplebucket/chunkObject.txt HTTP/1.1 Host: x-amz-date: 20130524T000000Z x-amz-storage-class: REDUCED_REDUNDANCY Authorization: SignatureToBeCalculated x-amz-content-sha256: STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER Content-Encoding: aws-chunked x-amz-decoded-content-length: 66560 x-amz-trailer: x-amz-checksum-crc32 Content-Length: 66824 <Payload>

The following steps show signature calculations.

  1. Seed signature — Create String to Sign
    1. CanonicalRequest

      PUT /examplebucket/chunkObject.txt content-encoding:aws-chunked x-amz-content-sha256:STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER x-amz-date:20130524T000000Z x-amz-decoded-content-length:66560 x-amz-storage-class:REDUCED_REDUNDANCY x-amz-trailer:x-amz-checksum-crc32c content-encoding;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length;x-amz-storage-class;x-amz-trailer STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER

      In the canonical request, the third line is empty because there are no query parameters in the request. The last line is the constant string provided as the value of the hashed Payload, which should be same as the value of x-amz-content-sha256 header.

    2. StringToSign

      AWS4-HMAC-SHA256 20130524T000000Z 20130524/us-east-1/s3/aws4_request 44d48b8c2f70eae815a0198cc73d7a546a73a93359c070abbaa5e6c7de112559


      For information about each of line in the string to sign, see the diagram that explains seed signature calculation.

  2. SigningKey

    signing key = HMAC-SHA256(HMAC-SHA256(HMAC-SHA256(HMAC-SHA256("AWS4" + "<YourSecretAccessKey>","20130524"),"us-east-1"),"s3"),"aws4_request")

  3. Seed Signature


  4. Authorization header

    The resulting Authorization header is as follows:

    AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=content-encoding;content-length;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length;x-amz-storage-class,Signature=106e2a8a18243abcf37539882f36619c00e2dfc72633413f02d3b74544bfeb8e

  5. Chunk 1: (65536 bytes, with value 97 for letter 'a')
    1. Chunk string to sign:

      AWS4-HMAC-SHA256-PAYLOAD 20130524T000000Z 20130524/us-east-1/s3/aws4_request 106e2a8a18243abcf37539882f36619c00e2dfc72633413f02d3b74544bfeb8e e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 bf718b6f653bebc184e1479f1935b8da974d701b893afcf49e701f3e2f9f9c5a


      For information about each line in the string to sign, see the preceding diagram that shows various components of the string to sign (for example, the last three lines are, previous-signature, hash(""), and hash(current-chunk-data)).

    2. Chunk signature:

    3. Chunk data sent:

      10000;chunk-signature=b474d8862b1487a5145d686f57f013e54db672cee1c953b3010fb58501ef5aa2 <65536-bytes>
  6. Chunk 2: (1024 bytes, with value 97 for letter 'a')
    1. Chunk string to sign:

      AWS4-HMAC-SHA256-PAYLOAD 20130524T000000Z 20130524/us-east-1/s3/aws4_request b474d8862b1487a5145d686f57f013e54db672cee1c953b3010fb58501ef5aa2 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 41edece42d63e8d9bf515a9ba6932e1c20cbc9f5a5d134645adb5db1b9737ea3
    2. Chunk signature:

    3. Chunk data sent:

      400;chunk-signature=041169d545f3f4a02fe2e3d066bfb1798dd5f3417ae8cecd0e43690aafbe79d1 <1024 bytes>
  7. Chunk 3: (0 byte data)
    1. Chunk string to sign:

      AWS4-HMAC-SHA256-PAYLOAD 20130524T000000Z 20130524/us-east-1/s3/aws4_request 041169d545f3f4a02fe2e3d066bfb1798dd5f3417ae8cecd0e43690aafbe79d1 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    2. Chunk signature:

    3. Chunk data sent:

  8. Chunk 4: Trailing headers
    1. Trailer chunk string to sign:

      AWS4-HMAC-SHA256-TRAILER 20130524T000000Z 20130524/us-east-1/s3/aws4_request e05ab64fe1dfdbf0b5870abbaabdb063c371d4e96f2767e6934d90529c5ae850 2e4ab969aa65b1ad6def2db10e4d3a8260683d194dbaf757f90e8a37960a4b3c
    2. Chunk signature:

    3. Chunk data sent:

      x-amz-checksum-crc32c:wdBDMA== x-amz-trailer-signature:41e14ac611e27a8bb3d66c3bad6856f209297767d5dd4fc87d8fa9e422e03faf