Handling dates in Signature Version 4
The date that you use as part of your credential scope must match the date of your request. You can include the date as part of your request in several ways. You can use a date header, an x-amz-date header, or include x-amz-date as a query parameter. For example requests, see Examples of the complete Signature Version 4 signing process (Python).
The time stamp must be in UTC and in the following ISO 8601 format: YYYYMMDD'T'HHMMSS'Z'. For example, 20150830T123600Z is a valid time stamp. Do not include milliseconds in the time stamp.
AWS first checks the x-amz-date header or parameter for a time stamp. If AWS can't find a value for x-amz-date, it looks for the date header. AWS then checks the credential scope for an eight-digit string representing the year (YYYY), month (MM), and day (DD) of the request. For example, if the x-amz-date header value is 20111015T080000Z and the date component of the credential scope is 20111015, AWS allows the authentication process to proceed.
If the dates don't match, AWS rejects the request, even if the time stamp is only seconds away from the date in the credential scope. For example, AWS will reject a request that has an x-amz-date header value of 20151014T235959Z and a credential scope that has the date 20151015.
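The following client-side pre-flight check is an added example, not code from the AWS documentation. It derives the time stamp and the scope date from a single clock read and mirrors the lookup order described above. The function names are hypothetical, the sample credential scopes are constructed, and parsing the date header as an RFC 7231 HTTP-date is an assumption.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

AMZ_DATE_RE = re.compile(r"\d{8}T\d{6}Z")  # YYYYMMDD'T'HHMMSS'Z', no milliseconds

def signing_dates(now=None):
    """Derive the time stamp and the scope date from ONE clock read, so a
    request signed at 23:59:59 UTC cannot pick up the next day's scope date.
    Pass a timezone-aware datetime; it is converted to UTC."""
    now = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")

def request_date(headers, query):
    """Return the request's YYYYMMDD using the lookup order described above:
    x-amz-date (header or query parameter) first, then the date header."""
    h = {k.lower(): v for k, v in headers.items()}
    q = {k.lower(): v for k, v in query.items()}
    stamp = h.get("x-amz-date") or q.get("x-amz-date")
    if stamp is not None:
        if not AMZ_DATE_RE.fullmatch(stamp):
            raise ValueError(f"bad x-amz-date format: {stamp!r}")
        datetime.strptime(stamp, "%Y%m%dT%H%M%SZ")  # rejects e.g. month 13
        return stamp[:8]
    if "date" in h:
        # Assumption: the date header carries an RFC 7231 HTTP-date.
        parsed = parsedate_to_datetime(h["date"])
        return parsed.astimezone(timezone.utc).strftime("%Y%m%d")
    raise ValueError("request carries no x-amz-date or date value")

def scope_matches(headers, query, credential_scope):
    """True when the request date equals the date component of a scope
    such as 20150830/us-east-1/iam/aws4_request (constructed sample)."""
    scope_date = credential_scope.split("/", 1)[0]
    if not re.fullmatch(r"\d{8}", scope_date):
        raise ValueError(f"bad scope date: {scope_date!r}")
    return request_date(headers, query) == scope_date
```

Running scope_matches before sending a request catches the midnight-boundary mismatch locally instead of as a rejected request.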