S3 Object Storage - Generate a AWSv4 Authentication Signature

Object Storage - Generate an AWSv4 Authentication Signature

Requests sent to the Object storage API require to include an HTTP Authorization header. Currently the AWS v4 Signature type is supported.

Throughout the Object Storage documentation, v4 signatures are used. When you are using a client library such as aws-cli, s3cmd or s3fs, signatures are automatically generated by the library for you.

To generate the signature, you need to have an Access Key and Secret Key generated in the Credentials section of your management console.

A v4 signature consists of a number of parts. The table below provides more information on each piece of it individually:

AWS4-HMAC-SHA256Indicates AWS Signature Version 4 (AWS4) and the signing algorithm (HMAC-SHA256).
CredentialContains your access key and information about the request in the format: ${ACESS_KEY}/${YYYMMDD}/${REGION_SLUG}/s3/aws4_request
SignedHeadersA lower-cased list of the names of the request headers used when computing the signature. (e.g. host;x-amz-acl;x-amz-content-sha256;x-amz-date)
SignatureA signed hash consisting of a hash of the request body, your secret key, and information about the request (i.e. the canonical request).

The canonical request included in the signature is made up of:

  • The HTTP request method used.
  • The path component of the request URI.
  • The query string parameters included in the request.
  • The list of request headers and their values, newline separated, lower-cased, and trimmed of whitespace.
  • The list of header names without their values, sorted alphabetically, lower-cased, and semicolon-separated.
  • The SHA256 hash of the request body.

This means the following example:

GET /?acl HTTP/1.1

Host: mybucket.s3.ams-nl.scw.cloud
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20190411T101653Z

Would be based on the following canonical code:



Example Authorization Header

Authorization: AWS4-HMAC-SHA256

Signing Example (Pseudo Code)

canonicalRequest = `

stringToSign = "AWS4-HMAC-SHA256" + "\n" +
    date(format=ISO08601) + "\n" +
    date(format=YYYYMMDD) + "/" + ${REGION} + "/" + "s3/aws4_request" + "\n" +

dateKey = HMAC-SHA256("AWS4" + ${SECRET_KEY}, date(format=YYYYMMDD))
dateRegionKey = HMAC-SHA256(dateKey, ${REGION})
dateRegionServiceKey = HMAC-SHA256(dateRegionKey, "s3")
signingKey = HMAC-SHA256(dateRegionServiceKey, "aws4_request")

signature = Hex(HMAC-SHA256(signingKey, stringToSign))

Discover the Cloud That Makes Sense