Amazon Web Services
General Reference (Version 1.0)

Elements of an AWS Signature Version 4 Request

Each HTTP/HTTPS request that uses version 4 signing must contain these elements.

  • Endpoint Specification

  • Action

  • Required and Optional Parameters

  • Date

  • Authentication Parameters

Endpoint Specification

This is specified as the Host header in HTTP/1.1 requests. This header specifies the DNS name of the computer to which you send the request, like dynamodb.us-east-1.amazonaws.com.

You must include the Host header with HTTP/1.1 requests. For HTTP/2 requests, you can use the :authority header or the Host header. Use only the :authority header for compliance with the HTTP/2 specification. Not all services support HTTP/2 requests, so check the service documentation for details.

The endpoint usually contains the service name and region, both of which you must use as part of the Credential authentication parameter. For example, the Amazon DynamoDB endpoint for the eu-west-1 region is dynamodb.eu-west-1.amazonaws.com. If you don't specify a region, a web service uses the default region, us-east-1. If you use a service like IAM that uses a globally unique endpoint, use the default region (us-east-1), as part of the Credential authentication parameter (described later in this topic).

For a complete list of endpoints supported by AWS, see Regions and Endpoints.

Action

This element specifies the action that you want a web service to perform, such as the DynamoDB CreateTable action or the Amazon EC2 DescribeInstances action. The specified action determines the parameters used in the request. For query APIs, the action is an API name. For non-query APIs (such as RESTful APIs), see the service documentation for the appropriate actions.

Required and Optional Parameters

This element specifies the parameters to the request action. Each action in a web service has a set of required and optional parameters that define an API call. The API version is usually a required parameter. See the service documentation for the details of required and optional parameters.

Date

This is the date and time at which you make the request. Including the date in the request helps prevent third parties from intercepting your request and resubmitting it later. The date is specified using the ISO8601 Basic format via the x-amz-date header in the YYYYMMDD'T'HHMMSS'Z' format.

Authentication Parameters

Each request that you send must include the following set of parameters that AWS uses to ensure the validity and authenticity of the request.

  • Algorithm. The hash algorithm that you're using as part of the signing process. For example, if you use SHA-256 to create hashes, use the value AWS4-HMAC-SHA256.

  • Credential scope. A string separated by slashes ("/") that is formed by concatenating your access key ID and your credential scope components. Credential scope includes the date in YYYYMMDD format, the AWS region, the service name, and a special termination string (aws4_request). For example, the following string represents the Credential parameter for an IAM request in the us-east-1 region.

    AKIAIOSFODNN7EXAMPLE/20111015/us-east-1/iam/aws4_request

    Important

    You must use lowercase characters for the region, service name, and special termination string.

  • SignedHeaders A list delimited by semicolons (";") of HTTP/HTTPS headers to include in the signature.

  • Signature A hexadecimal-encoded string that represents the output of the signature operation described in Task 3: Calculate the Signature for AWS Signature Version 4. You must calculate the signature using the algorithm that you specified in the Algorithm parameter.

To view sample signed requests, see Examples of the Complete Version 4 Signing Process (Python).