Adding signing information to the authorization header Adding signing information to the Query string

Task 4: Add the signature to the HTTP request

After you calculate the signature, add it to the request. You can add the signature to a request in one of two ways:

An HTTP header named Authorization
The query string

You cannot pass signing information in both the Authorization header and the query string.

Note

You can use temporary security credentials provided by the AWS Security Token Service (AWS STS) to sign a request. The process is the same as using long-term credentials, but requires an additional HTTP header or query string parameter for the security token. The name of the header or query string parameter is X-Amz-Security-Token, and the value is the session token (the string you received from AWS STS when you obtained temporary security credentials).

When you add the X-Amz-Security-Token parameter to the query string, some services require that you include this parameter in the canonical (signed) request. For other services, you add this parameter at the end, after you calculate the signature. For details, see the API reference documentation for that service.

Adding signing information to the authorization header

You can include signing information by adding it to an HTTP header named Authorization. The contents of the header are created after you calculate the signature as described in the preceding steps, so the Authorization header is not included in the list of signed headers. Although the header is named Authorization, the signing information is actually used for authentication.

The following pseudocode shows the construction of the Authorization header.


Authorization: algorithm Credential=access key ID/credential scope, SignedHeaders=SignedHeaders, Signature=signature

The following example shows a finished Authorization header.


Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7

Note the following:

There is no comma between the algorithm and Credential. However, the SignedHeaders and Signature are separated from the preceding values with a comma.
The Credential value starts with the access key ID, which is followed by a forward slash (/), which is followed by the credential scope that you calculated in Task 2: Create a string to sign for Signature Version 4. The secret access key is used to derive the signing key for the signature, but is not included in the signing information sent in the request.

Adding signing information to the Query string

You can make requests and pass all request values in the query string, including signing information. This is sometimes referred to as a presigned URL, because it produces a single URL with everything required in order to make a successful call to AWS. It's commonly used in Amazon S3. For more information, see Authenticating Requests by Using Query Parameters (AWS Signature Version 4) in the Amazon Simple Storage Service API Reference.

Important

If you make a request in which all parameters are included in the query string, the resulting URL represents an AWS action that is already authenticated. Therefore, treat the resulting URL with as much caution as you would treat your actual credentials. We recommend you specify a short expiration time for the request with the X-Amz-Expires parameter.

When you use this approach, all the query string values (except the signature) are included in the canonical query string that is part of the canonical query that you construct in the first part of the signing process.

The following pseudocode shows the construction of a query string that contains all request parameters.


querystring = Action=action
querystring += &X-Amz-Algorithm=algorithm
querystring += &X-Amz-Credential= urlencode(access_key_ID + '/' + credential_scope)
querystring += &X-Amz-Date=date
querystring += &X-Amz-Expires=timeout interval
querystring += &X-Amz-SignedHeaders=signed_headers

After the signature is calculated (which uses the other query string values as part of the calculation), you add the signature to the query string as the X-Amz-Signature parameter:


querystring += &X-Amz-Signature=signature

The following example shows what a request might look like when all the request parameters and the signing information are included in query string parameters.


https://iam.amazonaws.com?Action=ListUsers&Version=2010-05-08&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fus-east-1%2Fiam%2Faws4_request&X-Amz-Date=20150830T123600Z&X-Amz-Expires=60&X-Amz-SignedHeaders=content-type%3Bhost&X-Amz-Signature=37ac2f4fde00b0ac9bd9eadeb459b1bbee224158d66e7ae5fcadb70b2d181d02

Note the following:

For the signature calculation, query string parameters must be sorted in code point order from low to high, and their values must be URI-encoded. See the step about creating a canonical query string in Task 1: Create a canonical request for Signature Version 4.
Set the timeout interval (X-Amz-Expires) to the minimal viable time for the operation you're requesting.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Task 3: Calculate the signature

Handling dates