Authentication methods
Important
Unless you are using the AWS SDKs or CLI, you must write code to calculate signatures that provide authentication information in your requests. Signature calculation in AWS Signature Version 4 can be a complex undertaking, and we recommend that you use the AWS SDKs or CLI whenever possible.
You can express authentication information by using one of the following methods.
HTTP authorization header
The HTTP Authorization header is the most common method of authenticating
a request. All REST API operations (except for browser-based uploads using
POST requests) require this header.
The following examples show the Authorization header value for SigV4 and
SigV4a. Line breaks are added to this example for readability. In your code, the header
must be a continuous string. There is no comma between the algorithm and Credential, but
the other elements must be separated by commas.
Example SigV4
Authorization: AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request, SignedHeaders=host;range;x-amz-date, Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024
Example SigV4a
Authorization: AWS4-ECDSA-P256-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/s3/aws4_request, SignedHeaders=host;range;x-amz-date;x-amz-region-set, Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024
The following table describes the various components of the Authorization header value in the preceding example:
| Component | Description |
|---|---|
|
Authorization |
The algorithm that was used to calculate the signature.
|
|
Credential |
Your access key ID and the scope information.
The <date> value is specified using YYYYMMDD format. <aws-service> value is S3 when sending request to Amazon S3. |
|
SignedHeaders |
A semicolon-separated list of request headers that you used to
compute Signature. The list includes header names only, and the
header names must be in lowercase. For example:
For SigV4a, you must include a region set header that specifies the set of regions the request will be valid in. The header X-Amz-Region-Set is specified as a list of comma separated values. |
|
Signature |
The 256-bit signature expressed as 64 lowercase hexadecimal
characters. For
example: Note that the signature calculations vary depending on the option you choose to transfer the payload. |
Query string parameters
You can use a query string to express a request entirely in a URL. In this case, you use query parameters to provide request information, including the authentication information. Because the request signature is part of the URL, this type of URL is often referred to as a presigned URL. You can use presigned URLs to embed clickable links in HTML, which can be valid for up to seven days. For more information, see Authenticating Requests: Using Query Parameters (AWS Signature Version 4) in the Amazon S3 API Reference.
The following examples show presigned URLs for SigV4 and SigV4a. Line breaks are added to this example for readability:
Example SigV4
https://s3.amazonaws.com/amzn-s3-demo-bucket/test.txt ? X-Amz-Algorithm=AWS4-HMAC-SHA256 & X-Amz-Credential=<your-access-key-id>/20130721/<region>/s3/aws4_request & X-Amz-Date=20130721T201207Z & X-Amz-Expires=86400 & X-Amz-SignedHeaders=host &X-Amz-Signature=<signature-value>
Example SigV4a
http://s3.amazonaws.com/amzn-s3-demo-bucket/test.txt ? X-Amz-Algorithm=AWS4-ECDSA-P256-SHA256 & X-Amz-Credential=<your-access-key-id>/20240721/s3/aws4_request & X-amz-Region-Set=<regionset> & X-Amz-Date=20240721T201207Z & X-Amz-Expires=86400 & X-Amz-SignedHeaders=host;x-amz-region-set & X-Amz-Signature=<signature-value>
Note
The X-Amz-Credential value in the URL shows the "/" character only
for readability. In practice, it should be encoded as %2F. For example:
&X-Amz-Credential=<your-access-key-id>%2F20130721%2Fus-east-1%2Fs3%2Faws4_request
The following table describes the query parameters in the URL that provide authentication information.
| Query string parameter name | Description |
|---|---|
|
X-Amz-Algorithm |
The version of AWS signature and the algorithm that you used to calculate the signature.
|
|
X-Amz-Credential |
In addition to your access key ID, this parameter also provides scope for which the signature is valid. This value must match the scope you use in signature calculations, discussed in the following section.
For a list of AWS regional strings, see Regional Endpoints in the AWS General Reference. |
|
X-Amz-Region-Set |
The set of regions the request will be valid in. The header x-amz-region-set is specified as a list of comma separated values. |
|
X-Amz-Date |
The date and time format must follow the ISO 8601 standard, and
must be formatted with the |
|
X-Amz-Expires |
Provides the time period, in seconds, for which the generated presigned URL is valid. For example, 86400 (24 hours). This value is an integer. The minimum value you can set is 1, and the maximum is 604800 (seven days).A presigned URL can be valid for a maximum of seven days because the signing key you use in signature calculation is valid for up to seven days. |
|
X-Amz-SignedHeaders |
Lists the headers that you used to calculate the signature. The following headers are required in the signature calculations:
For added security, you should sign all the request headers that you plan to include in your request. |
|
X-Amz-Signature |
Provides the signature to authenticate your request. This
signature must match the signature the service calculates;
otherwise, the service denies the request. For example,
Signature calculations are described in the following section. |
|
X-Amz-Security-Token |
Optional credential parameter if using credentials sourced from the STS service. |
