Elements of an AWS Signature Version 4 request
Each HTTP/HTTPS request that uses version 4 signing must contain these elements.
- Endpoint Specification
- Action
- Required and Optional Parameters
- Date
- Authentication Parameters
Endpoint specification
This is specified as the Host header in HTTP/1.1 requests. This header specifies the DNS name of the computer to which you send the request, like dynamodb.us-east-1.amazonaws.com.
You must include the Host header with HTTP/1.1 requests. For HTTP/2 requests, you can use the :authority header or the Host header. Use only the :authority header for compliance with the HTTP/2 specification. Not all services support HTTP/2 requests, so check the service documentation for details.
The endpoint usually contains the service name and Region, both of which you must use as part of the Credential authentication parameter. For example, the Amazon DynamoDB endpoint for the eu-west-1 Region is dynamodb.eu-west-1.amazonaws.com. If you don't specify a Region, a web service uses the default Region, us-east-1. If you use a service like IAM that uses a globally unique endpoint, use the default Region (us-east-1), as part of the Credential authentication parameter (described later in this topic).
For a complete list of endpoints supported by AWS, see Regions and Endpoints.
Action
This element specifies the action that you want a web service to perform, such as the DynamoDB CreateTable action or the Amazon EC2 DescribeInstances action. The specified action determines the parameters used in the request. For query APIs, the action is an API name. For non-query APIs (such as RESTful APIs), see the service documentation for the appropriate actions.
Required and optional parameters
This element specifies the parameters to the request action. Each action in a web service has a set of required and optional parameters that define an API call. The API version is usually a required parameter. See the service documentation for the details of required and optional parameters.
Date
This is the date and time at which you make the request. Including the date in the request helps prevent third parties from intercepting your request and resubmitting it later. The date is specified using the ISO8601 Basic format via the x-amz-date header in the YYYYMMDD'T'HHMMSS'Z' format.
Authentication parameters
Each request that you send must include the following set of parameters that AWS uses to ensure the validity and authenticity of the request.
- Algorithm. The hash algorithm that you're using as part of the signing process. For example, if you use SHA-256 to create hashes, use the value AWS4-HMAC-SHA256.
- Credential scope. A string separated by slashes ("/") that is formed by concatenating your access key ID and your credential scope components. Credential scope includes the date in YYYYMMDD format, the AWS Region, the service name, and a special termination string (aws4_request). For example, the following string represents the Credential parameter for an IAM request in the us-east-1 Region.
  AKIAIOSFODNN7EXAMPLE/20111015/us-east-1/iam/aws4_request
  Important: You must use lowercase characters for the Region, service name, and special termination string.
- SignedHeaders. A list delimited by semicolons (";") of HTTP/HTTPS headers to include in the signature.
- Signature. A hexadecimal-encoded string that represents the output of the signature operation described in Task 3: Calculate the signature for AWS Signature Version 4. You must calculate the signature using the algorithm that you specified in the Algorithm parameter.
To view sample signed requests, see Examples of the complete Signature Version 4 signing process (Python).
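The elements above can be checked on a request before it is sent or when it is logged. The following Python check is an added example, not code from AWS: the function name, the 300-second timestamp window, and the all-zero signature in the sample are assumptions made for illustration, and it checks only that the elements are present and consistent, not that the signature itself is valid.

```python
import re
from datetime import datetime, timezone
AUTH_RE = re.compile(r"^(?P<alg>\S+) Credential=(?P<cred>[^,\s]+),\s*"
                     r"SignedHeaders=(?P<signed>[^,\s]+),\s*Signature=(?P<sig>\S+)$")
def check_sigv4_elements(headers, now=None, max_skew_seconds=300):
    """Return problems with one request's SigV4 elements (skew window is assumed)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    m = AUTH_RE.match(h.get("authorization", ""))
    if not m:
        return ["Authorization header missing or malformed"]
    problems = []
    if m["alg"] != "AWS4-HMAC-SHA256":
        problems.append("unexpected Algorithm: " + m["alg"])
    parts = m["cred"].split("/")  # key ID / date / Region / service / terminator
    if len(parts) != 5:
        return problems + ["Credential needs key ID plus 4 scope components"]
    _key_id, scope_date, region, service, terminator = parts
    if terminator != "aws4_request":
        problems.append("scope must end with aws4_request")
    if region != region.lower() or service != service.lower():
        problems.append("Region and service name must be lowercase")
    try:
        ts = datetime.strptime(h.get("x-amz-date", ""), "%Y%m%dT%H%M%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        if ts.strftime("%Y%m%d") != scope_date:
            problems.append("scope date does not match x-amz-date")
        now = now or datetime.now(timezone.utc)
        if abs((now - ts).total_seconds()) > max_skew_seconds:
            problems.append("x-amz-date outside accepted window")
    except ValueError:
        problems.append("x-amz-date missing or not YYYYMMDD'T'HHMMSS'Z'")
    signed = m["signed"].split(";")
    if "host" not in signed and ":authority" not in signed:
        problems.append("Host (or :authority) is not in SignedHeaders")
    # Every header named in SignedHeaders must actually be on the request.
    problems += ["signed header absent from request: " + n
                 for n in signed if n not in h]
    if not re.fullmatch(r"[0-9a-f]{64}", m["sig"]):
        problems.append("Signature is not 64 lowercase hex characters")
    return problems
# Constructed sample; the Credential value is the page's own example.
SAMPLE = {
    "Host": "iam.amazonaws.com",
    "X-Amz-Date": "20111015T080000Z",
    "Authorization": "AWS4-HMAC-SHA256 "
        "Credential=AKIAIOSFODNN7EXAMPLE/20111015/us-east-1/iam/aws4_request, "
        "SignedHeaders=host;x-amz-date, Signature=" + "0" * 64,  # placeholder
}
```

Pass a fixed `now` when replaying captured requests, otherwise the timestamp check compares against the current clock.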