Authenticating Requests: Using the Authorization Header (AWS Signature Version 4) - Amazon Simple Storage Service

Overview

Using the HTTP Authorization header is the most common method of providing authentication information. Except for POST requests and requests that are signed by using query parameters, all Amazon S3 operations use the Authorization request header to provide authentication information.

The following is an example of the Authorization header value. Line breaks are added to this example for readability:

Authorization: AWS4-HMAC-SHA256
Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,
SignedHeaders=host;range;x-amz-date,
Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024

The following table describes the various components of the Authorization header value in the preceding example:

Component Description
AWS4-HMAC-SHA256

The algorithm that was used to calculate the signature. You must provide this value when you use AWS Signature Version 4 for authentication.

The string specifies AWS Signature Version 4 (AWS4) and the signing algorithm (HMAC-SHA256).

Credential

Your access key ID and the scope information, which includes the date, Region, and service that were used to calculate the signature.

This string has the following form:

<your-access-key-id>/<date>/<aws-region>/<aws-service>/aws4_request

Where:

  • The <date> value is specified using the YYYYMMDD format.

  • The <aws-service> value is s3 when sending a request to Amazon S3.

SignedHeaders

A semicolon-separated list of request headers that you used to compute Signature. The list includes header names only, and the header names must be in lowercase. For example:

host;range;x-amz-date

Signature

The 256-bit signature expressed as 64 lowercase hexadecimal characters. For example:

fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024

Note that the signature calculations vary depending on the option you choose to transfer the payload.
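
The component rules in the table above can be checked mechanically before a request is forwarded or a logged header is trusted. The following parser is an added example, not code from the original page or from AWS; the function name, the returned field names, and the choice to accept only AWS4-HMAC-SHA256 are assumptions of the example.

```python
import re
from datetime import datetime

ALGORITHM = "AWS4-HMAC-SHA256"
COMPONENTS = {"Credential", "SignedHeaders", "Signature"}
HEADER_NAME = re.compile(r"[a-z0-9!#$%&'*+.^_`|~-]+")  # lowercase HTTP token
SIGNATURE = re.compile(r"[0-9a-f]{64}")                # 256 bits, lowercase hex


def parse_sigv4_authorization(value):
    """Return the header's components as a dict; raise ValueError if malformed."""
    parts = value.split(None, 1)  # the algorithm token, then the components
    if len(parts) != 2 or parts[0] != ALGORITHM:
        raise ValueError("value must start with " + ALGORITHM)
    fields = {}
    for item in parts[1].split(","):
        key, sep, val = item.strip().partition("=")
        if not sep or key in fields:
            raise ValueError(f"malformed or repeated component: {item.strip()!r}")
        fields[key] = val
    if set(fields) != COMPONENTS:
        raise ValueError(f"expected {sorted(COMPONENTS)}, got {sorted(fields)}")

    scope = fields["Credential"].split("/")
    if len(scope) != 5 or not all(scope) or scope[4] != "aws4_request":
        raise ValueError("Credential is not <key-id>/<date>/<region>/<service>/aws4_request")
    key_id, date, region, service, _ = scope
    if not re.fullmatch(r"[0-9]{8}", date):
        raise ValueError("scope date is not YYYYMMDD")
    datetime.strptime(date, "%Y%m%d")  # ValueError for impossible dates such as 20131340

    signed_headers = fields["SignedHeaders"].split(";")
    if not all(HEADER_NAME.fullmatch(name) for name in signed_headers):
        raise ValueError("SignedHeaders must be lowercase names separated by ';'")
    if not SIGNATURE.fullmatch(fields["Signature"]):
        raise ValueError("Signature must be 64 lowercase hexadecimal characters")
    return {"access_key_id": key_id, "date": date, "region": region,
            "service": service, "signed_headers": signed_headers,
            "signature": fields["Signature"]}


# The example value from this page (the "Authorization:" header name removed).
PAGE_EXAMPLE = (
    "AWS4-HMAC-SHA256 "
    "Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request, "
    "SignedHeaders=host;range;x-amz-date, "
    "Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024"
)
print(parse_sigv4_authorization(PAGE_EXAMPLE))
```

A well-formed header only means the value can be parsed; whether the signature is valid is still decided by recomputing it, as described at the end of this page.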

The signature calculations vary depending on the method you choose to transfer the request payload. S3 supports the following options:

  • Transfer payload in a single chunk – In this case, you have the following signature calculation options:

    • Signed payload option – You can optionally compute the entire payload checksum and include it in signature calculation. This provides added security but you need to read your payload twice or buffer it in memory.

      For example, in order to upload a file, you need to read the file first to compute a payload hash for signature calculation and again for transmission when you create the request. For smaller payloads, this approach might be preferable. However, for large files, reading the file twice can be inefficient, so you might want to upload data in chunks instead.

      We recommend that you include the payload checksum for added security.

    • Unsigned payload option – Do not include payload checksum in signature calculation.

    For step-by-step instructions to calculate signature and construct the Authorization header value, see Signature Calculations for the Authorization Header: Transferring Payload in a Single Chunk (AWS Signature Version 4).

  • Transfer payload in multiple chunks (chunked upload) – In this case you transfer payload in chunks. You can transfer a payload in chunks regardless of the payload size.

    You can break up your payload into chunks. These can be fixed or variable-size chunks. By uploading data in chunks, you avoid reading the entire payload to calculate the signature. Instead, for the first chunk, you calculate a seed signature that uses only the request headers. The second chunk contains the signature for the first chunk, and each subsequent chunk contains the signature for the chunk that precedes it. At the end of the upload, you send a final chunk with 0 bytes of data that contains the signature of the last chunk of the payload. For more information, see Signature Calculations for the Authorization Header: Transferring Payload in Multiple Chunks (Chunked Upload) (AWS Signature Version 4).

When signing your requests, you can use either AWS Signature Version 4 or AWS Signature Version 4A. The key difference between the two is how the signature is calculated. With AWS Signature Version 4A, the signature does not include Region-specific information and is calculated using the AWS4-ECDSA-P256-SHA256 algorithm.

In addition to these options, you have the option of including a trailer with your request. In order to include a trailer with your request, you need to specify that in the header by setting x-amz-content-sha256 to the appropriate value. If you are using a trailing header, you must include x-amz-trailer in the header and specify the trailing header names as a string in a comma-separated list. All trailing headers are written after the final chunk. If you're uploading the data in multiple chunks, you must send a final chunk with 0 bytes of data before sending the trailing header.

When you send a request, you must tell Amazon S3 which of the preceding options you have chosen in your signature calculation, by adding the x-amz-content-sha256 header with one of the following values:

Header value Description

Actual payload checksum value

This value is the actual checksum of your object and is only possible when you are uploading the data in a single chunk.

UNSIGNED-PAYLOAD

Use this when you are uploading the object as a single unsigned chunk.

STREAMING-UNSIGNED-PAYLOAD-TRAILER

Use this when sending an unsigned payload over multiple chunks. In this case you also have a trailing header after the chunk is uploaded.

STREAMING-AWS4-HMAC-SHA256-PAYLOAD

Use this when sending a payload over multiple chunks, and the chunks are signed using AWS4-HMAC-SHA256. This produces a SigV4 signature.

STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER

Use this when sending a payload over multiple chunks, and the chunks are signed using AWS4-HMAC-SHA256. This produces a SigV4 signature. In addition, the digest for the chunks is included as a trailing header.

STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD

Use this when sending a payload over multiple chunks, and the chunks are signed using AWS4-ECDSA-P256-SHA256. This produces a SigV4A signature.

STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD-TRAILER

Use this when sending a payload over multiple chunks, and the chunks are signed using AWS4-ECDSA-P256-SHA256. This produces a SigV4A signature. In addition, the digest for the chunks is included as a trailing header.
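
A proxy or test harness can check that the declared payload option is consistent with the rest of the request before it reaches S3. The following check is an added example, not code from the original page or from AWS; the function name and the sample request are constructed, and it assumes that the algorithm token at the start of the Authorization header matches the algorithm used to sign the chunks.

```python
import hashlib
import hmac
import re

# x-amz-content-sha256 streaming values from the table above, mapped to the
# algorithm that signs the chunks (None: the chunks are unsigned).
STREAMING = {
    "STREAMING-UNSIGNED-PAYLOAD-TRAILER": None,
    "STREAMING-AWS4-HMAC-SHA256-PAYLOAD": "AWS4-HMAC-SHA256",
    "STREAMING-AWS4-HMAC-SHA256-PAYLOAD-TRAILER": "AWS4-HMAC-SHA256",
    "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD": "AWS4-ECDSA-P256-SHA256",
    "STREAMING-AWS4-ECDSA-P256-SHA256-PAYLOAD-TRAILER": "AWS4-ECDSA-P256-SHA256",
}


def payload_option_problems(headers, body=b""):
    """List the ways x-amz-content-sha256 disagrees with the rest of the request."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    option = h.get("x-amz-content-sha256")
    if option is None:
        return ["x-amz-content-sha256 is missing"]
    problems = []
    if option in STREAMING:
        chunk_algorithm = STREAMING[option]
        # Assumption: the Authorization algorithm token equals the chunk algorithm.
        auth_algorithm = (h.get("authorization", "").split() or [""])[0]
        if chunk_algorithm and auth_algorithm != chunk_algorithm:
            problems.append(f"chunks signed with {chunk_algorithm}, "
                            f"Authorization uses {auth_algorithm or 'nothing'}")
    elif re.fullmatch(r"[0-9a-f]{64}", option):
        # Signed single-chunk payload: the header must equal SHA-256 of the body.
        actual = hashlib.sha256(body).hexdigest()
        if not hmac.compare_digest(actual, option):
            problems.append("payload does not match the signed checksum")
    elif option != "UNSIGNED-PAYLOAD":
        problems.append(f"unrecognized x-amz-content-sha256 value: {option!r}")
    # A trailer needs both a -TRAILER option and an x-amz-trailer header.
    if option.endswith("-TRAILER") != bool(h.get("x-amz-trailer")):
        problems.append("x-amz-trailer does not agree with the payload option")
    return problems


# Constructed request: the body was altered after its checksum went into the header.
SAMPLE = {"x-amz-content-sha256": hashlib.sha256(b"report v1").hexdigest()}
print(payload_option_problems(SAMPLE, b"report v2"))
```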

Upon receiving the request, Amazon S3 re-creates the string to sign using information in the Authorization header and the date header. It then verifies with the authentication service that the signatures match. The request date can be specified by using either the HTTP Date or the x-amz-date header. If both headers are present, x-amz-date takes precedence.

If the signatures match, Amazon S3 processes your request; otherwise, your request will fail.

For more information, see the following topics:

Signature Calculations for the Authorization Header: Transferring Payload in a Single Chunk (AWS Signature Version 4)

Signature Calculations for the Authorization Header: Transferring Payload in Multiple Chunks (Chunked Upload) (AWS Signature Version 4)

Signature calculations for trailing headers (chunked uploads) (AWS Signature Version 4)
