Generating an AWSv4 authentication signature

Reviewed on July 31, 2025

Requests sent to the Object Storage API require an HTTP Authorization header. Scaleway Object Storage supports AWS v4 signature protocol to add an authentication signature to API requests.

When using third-party tools such as aws-cli, s3cmd, s3fs, or MinIO Client, signatures are automatically generated for you.

Before you start

To complete the actions presented below, you must have:

Owner status or IAM permissions allowing you to perform actions in the intended Organization
A valid API key

An AWSv4 authentication signature consists of different parts:

AWS4-HMAC-SHA256: Indicates AWS Signature Version 4 (AWS4) and the signing algorithm (HMAC-SHA256).
Credential: Contains your access key and information about the request in the format: ${ACCESS_KEY}/${YYYMMDD}/${REGION_SLUG}/s3/aws4_request
SignedHeaders: A lower-cased list of the names of the request headers used when computing the signature. (e.g. host;x-amz-acl;x-amz-content-sha256;x-amz-date)
Signature: A signed hash consisting of a hash of the request body, your secret key, and information about the request (i.e., the canonical request). |

The canonical request included in the signature is made up of:

The HTTP request method used.
The path component of the request URI.
The query string parameters included in the request.
The list of request headers and their values, newline separated, lower-cased, and trimmed of whitespace.
The list of header names without their values, sorted alphabetically, lower-cased, and semicolon-separated.
The SHA256 hash of the request body.

This means that the following example:

GET /?acl HTTP/1.1

Host: my-bucket.s3.ams-nl.scw.cloud
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20190411T101653Z

Would be based on the following canonical code:

GET
/
acl=
host:my-bucket.s3.ams-nl.scw.cloud
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date:20190411T101653Z

host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Example authorization header

Authorization: AWS4-HMAC-SHA256
Credential=SCWN63TF9BMCPVNARV5A/20190411/nl-ams/s3/aws4_request,
SignedHeaders=host;x-amz-acl;x-amz-content-sha256;x-amz-date,
Signature=6cab03bef74a80a0441ab7fd33c829a2cdb46bba07e82da518cdb78ac238fda5

Signing example (pseudo code)

canonicalRequest = `
${HTTPMethod}\n
${canonicalURI}\n
${canonicalQueryString}\n
${canonicalHeaders}\n
${signedHeaders}\n
${hashedPayload}
`

stringToSign = "AWS4-HMAC-SHA256" + "\n" +
    date(format=ISO08601) + "\n" +
    date(format=YYYYMMDD) + "/" + ${REGION} + "/" + "s3/aws4_request" + "\n" +
    Hex(SHA256Hash(canonicalRequest))

dateKey = HMAC-SHA256("AWS4" + ${SECRET_KEY}, date(format=YYYYMMDD))
dateRegionKey = HMAC-SHA256(dateKey, ${REGION})
dateRegionServiceKey = HMAC-SHA256(dateRegionKey, "s3")
signingKey = HMAC-SHA256(dateRegionServiceKey, "aws4_request")

signature = Hex(HMAC-SHA256(signingKey, stringToSign))

Still need help?

Create a support ticket