Amazon Web Services
General Reference (Version 1.0)

Signature Version 4 Signing Process

The signature version 4 signing specification describes how to add authentication information to AWS requests—that is, how to sign AWS requests. As a security measure, most requests to AWS must be signed using an access key (access key ID and secret access key). If you use the AWS Command Line Interface (CLI) or one of the AWS SDKs, those tools all automatically sign requests for you, based on credentials that you specify when you configure the tools. But if you make direct HTTP or HTTPS calls to AWS, you must sign the requests yourself, using the procedure described here.

To sign a request, you calculate a signature that's based on a combination of information in the request (such as the AWS service, region, action, and time stamp) and your AWS access key. After you calculate the signature, you add it to the request as a parameter, either in the header of the request or as a query-string parameter.

When AWS receives the request, it performs the same steps that you did in order to calculate the signature. AWS then compares the signature that it calculates against the one that you send in the request. If the signatures match, the request is processed; if the signatures don't match, the request is denied.


The AWS SDKs support signature version 4. If you are using one of the SDKs, you do not need to follow this process to manually complete the signing process. For more information about how to download and use the AWS SDKs, go to the Tools for Amazon Web Services page.

To get started with the signing process, see Signing AWS Requests By Using Signature Version 4.

To see sample signed requests, see Examples of the Complete Version 4 Signing Process (Python).

If you have questions about Signature Version 4 that are not answered in this guide, please post your question in the AWS Identity and Access Management discussion forum.