Amazon Web Services
General Reference (Version 1.0)

Signature Version 4 Signing Process

The Signature Version 4 signing process describes how to add authentication information to AWS requests. For security, most requests to AWS must be signed with an access key (access key ID and secret access key). If you use the AWS Command Line Interface (CLI) or one of the AWS SDKs, those tools automatically sign requests for you, based on credentials that you specify when you configure the tools. However, if you make direct HTTP or HTTPS calls to AWS, you must sign the requests yourself.

To sign a request, you calculate a signature using a combination of information such as the AWS service, region, action, timestamp, and your AWS access key. After you calculate the signature, you add it to the request either in a request header or as a query-string parameter.

When AWS receives the request, it performs the same steps that you completed to calculate the signature. AWS then compares the calculated signature to the one you send in the request. If the signatures match, the request is processed. If the signatures don't match, the request is denied.
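The calculation and the receiving-side comparison described above can be sketched as follows. This is an added example, not AWS code or part of the original page; the steps follow the published Signature Version 4 algorithm (canonical request, string to sign, derived signing key), and the function names, the placeholder secret, and the sample request are assumptions made for illustration.

```python
import hashlib
import hmac

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    # The derived key is scoped to one day, one region and one service,
    # so the long-term secret key never signs a request directly.
    key = ("AWS4" + secret).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def sign(secret, method, path, query, headers, payload, amz_date, region, service):
    # Assumes `query` is already canonical (sorted, URI-encoded) and that
    # `headers` maps lowercase names to values; every header given is signed.
    names = sorted(headers)
    canonical_request = "\n".join([
        method, path, query,
        "".join(f"{n}:{headers[n].strip()}\n" for n in names),
        ";".join(names),
        hashlib.sha256(payload).hexdigest(),
    ])
    date = amz_date[:8]
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date,
        f"{date}/{region}/{service}/aws4_request",
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    key = signing_key(secret, date, region, service)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

def verify(received_sig, secret, *request):
    # Receiving side: recompute from the request as received and compare
    # in constant time so the comparison does not leak matching prefixes.
    return hmac.compare_digest(sign(secret, *request), received_sig)

# Constructed sample values; the secret is a placeholder, not a real key.
SECRET = "EXAMPLE-SECRET-NOT-A-REAL-KEY"
HEADERS = {"host": "iam.amazonaws.com", "x-amz-date": "20150830T123600Z"}
REQUEST = ("GET", "/", "Action=ListUsers&Version=2010-05-08", HEADERS, b"",
           "20150830T123600Z", "us-east-1", "iam")

if __name__ == "__main__":
    sig = sign(SECRET, *REQUEST)
    tampered = ("GET", "/", "Action=ListGroups&Version=2010-05-08") + REQUEST[3:]
    print(sig, verify(sig, SECRET, *REQUEST), verify(sig, SECRET, *tampered))
```

Because the query string, headers, and payload hash all feed the signature, changing any of them after signing makes the recomputed signature differ and the request is denied.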


The AWS SDKs support Signature Version 4. If you use one of the SDKs, you do not need to complete the signing process manually. For more information about how to download and use the AWS SDKs, see Tools for Amazon Web Services.

For more information, see the following resources: