Task 4: Add the signature to the HTTP request
After you calculate the signature, add it to the request. You can add the signature to a request in one of two ways:
- An HTTP header named Authorization
- The query string
You cannot pass signing information in both the Authorization header and the query string.
You can use temporary security credentials provided by the AWS Security Token Service (AWS STS) to sign a request. The process is the same as using long-term credentials, but requires an additional HTTP header or query string parameter for the security token. The name of the header or query string parameter is X-Amz-Security-Token, and the value is the session token (the string you received from AWS STS when you obtained temporary security credentials).
When you add the X-Amz-Security-Token parameter to the query string, some services require that you include this parameter in the canonical (signed) request. For other services, you add this parameter at the end, after you calculate the signature. For details, see the API reference documentation for that service.
Adding signing information to the authorization header
You can include signing information by adding it to an HTTP header named Authorization. The contents of the header are created after you calculate the signature as described in the preceding steps, so the Authorization header is not included in the list of signed headers. Although the header is named Authorization, the signing information is actually used for authentication.
The following pseudocode shows the construction of the Authorization header.
Authorization: algorithm Credential=access key ID/credential scope, SignedHeaders=SignedHeaders, Signature=signature
The following example shows a finished Authorization header.
Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20150830/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=5d672d79c15b13162d9279b0855cfba6789a8edb4c82c400e06b5924a6f2b5d7
Note the following:
- There is no comma between the algorithm and Credential. However, the SignedHeaders and Signature are separated from the preceding values with a comma.
- The Credential value starts with the access key ID, which is followed by a forward slash (/), which is followed by the credential scope that you calculated in Task 2: Create a string to sign for Signature Version 4. The secret access key is used to derive the signing key for the signature, but is not included in the signing information sent in the request.
Adding signing information to the query string
You can make requests and pass all request values in the query string, including signing information. This is sometimes referred to as a presigned URL, because it produces a single URL with everything required in order to make a successful call to AWS. It's commonly used in Amazon S3. For more information, see Authenticating Requests by Using Query Parameters (AWS Signature Version 4) in the Amazon Simple Storage Service API Reference.
If you make a request in which all parameters are included in the query string, the resulting URL represents an AWS action that is already authenticated. Therefore, treat the resulting URL with as much caution as you would treat your actual credentials. We recommend that you specify a short expiration time for the request with the X-Amz-Expires parameter.
When you use this approach, all the query string values (except the signature) are included in the canonical query string that is part of the canonical request that you construct in the first part of the signing process.
The following pseudocode shows the construction of a query string that contains all request parameters.
querystring = Action=action
querystring += &X-Amz-Algorithm=algorithm
querystring += &X-Amz-Credential=urlencode(access_key_ID + '/' + credential_scope)
querystring += &X-Amz-Date=date
querystring += &X-Amz-Expires=timeout interval
querystring += &X-Amz-SignedHeaders=signed_headers
After the signature is calculated (which uses the other query string values as part of the calculation), you add the signature to the query string as the X-Amz-Signature parameter:
querystring += &X-Amz-Signature=signature
The following example shows what a request might look like when all the request parameters and the signing information are included in query string parameters.
https://iam.amazonaws.com?Action=ListUsers&Version=2010-05-08&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIDEXAMPLE%2F20150830%2Fus-east-1%2Fiam%2Faws4_request&X-Amz-Date=20150830T123600Z&X-Amz-Expires=60&X-Amz-SignedHeaders=content-type%3Bhost&X-Amz-Signature=37ac2f4fde00b0ac9bd9eadeb459b1bbee224158d66e7ae5fcadb70b2d181d02
Note the following:
- For the signature calculation, query string parameters must be sorted in code point order from low to high, and their values must be URI-encoded. See the step about creating a canonical query string in Task 1: Create a canonical request for Signature Version 4.
- Set the timeout interval (X-Amz-Expires) to the minimal viable time for the operation you're requesting.
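As an added example (not code from the AWS documentation), the following Python implements both ways of attaching the signature described above: authorization_header() for the header form and presigned_query() for the query-string form, sharing one canonical-request and signing-key routine. The function names are my own, the session token is a constructed placeholder, and the secret key in the usage note is the example key from the AWS documentation.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"

def _enc(s):
    # SigV4 URI-encoding: every character outside the unreserved set is percent-encoded (so "/" becomes %2F)
    return quote(s, safe="-_.~")

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _canonical(method, path, query, headers, payload_hash):
    # Task 1: query sorted by code point and URI-encoded; header names lowercased, values trimmed, sorted
    cq = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(query.items()))
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed = ";".join(sorted(hdrs))
    ch = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    return "\n".join([method, path, cq, ch, signed, payload_hash]), signed

def _signature(secret, amz_date, scope, canonical_request):
    # Tasks 2 and 3: string to sign, then the key chain "AWS4"+secret -> date -> region -> service -> aws4_request
    sts = "\n".join([ALGORITHM, amz_date, scope, hashlib.sha256(canonical_request.encode()).hexdigest()])
    date, region, service, _ = scope.split("/")
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()

def authorization_header(access_key, secret, scope, amz_date, method, path, query, headers, payload=b""):
    # Header variant: built after signing, so Authorization itself is never part of SignedHeaders
    canonical, signed = _canonical(method, path, query, headers, hashlib.sha256(payload).hexdigest())
    sig = _signature(secret, amz_date, scope, canonical)
    return f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"

def presigned_query(access_key, secret, scope, amz_date, expires, host, path, params, session_token=None):
    # Query-string variant: everything except X-Amz-Signature is part of the canonical query string
    q = {**params, "X-Amz-Algorithm": ALGORITHM, "X-Amz-Credential": f"{access_key}/{scope}",
         "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host"}
    if session_token:  # signed here, as S3 requires; some services expect it appended after signing instead
        q["X-Amz-Security-Token"] = session_token
    canonical, _ = _canonical("GET", path, q, {"host": host}, hashlib.sha256(b"").hexdigest())
    sig = _signature(secret, amz_date, scope, canonical)
    query = "&".join(f"{_enc(k)}={_enc(v)}" for k, v in sorted(q.items()))
    return f"https://{host}{path}?{query}&X-Amz-Signature={sig}"
```

Calling presigned_query("AKIDEXAMPLE", "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY", "20150830/us-east-1/iam/aws4_request", "20150830T123600Z", 60, "iam.amazonaws.com", "/", {"Action": "ListUsers", "Version": "2010-05-08"}) yields a URL shaped like the example above, with X-Amz-Signature as the one parameter appended after signing.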