Handling dates in Signature Version 4 - AWS General Reference

Handling dates in Signature Version 4

The date that you use as part of your credential scope must match the date of your request. You can include the date as part of your request in several ways. You can use a date header, an x-amz-date header or include x-amz-date as a query parameter. For example requests, see Examples of the complete Signature Version 4 signing process (Python).

The time stamp must be in UTC and in the following ISO 8601 format: YYYYMMDD'T'HHMMSS'Z'. For example, 20150830T123600Z is a valid time stamp. Do not include milliseconds in the time stamp.

AWS first checks the x-amz-date header or parameter for a time stamp. If AWS can't find a value for x-amz-date, it looks for the date header. AWS then checks the credential scope for an eight-digit string representing the year (YYYY), month (MM), and day (DD) of the request. For example, if the x-amz-date header value is 20111015T080000Z and the date component of the credential scope is 20111015, AWS allows the authentication process to proceed.

If the dates don't match, AWS rejects the request, even if the time stamp is only seconds away from the date in the credential scope. For example, AWS will reject a request that has an x-amz-date header value of 20151014T235959Z and a credential scope that has the date 20151015.