Note
Currently, the AWS v4 signature type is supported.
Requests sent to the Object Storage API require an HTTP Authorization header.
To complete the actions presented below, you must have:
Currently, the AWS v4 signature type is supported.
When using a client library such as aws-cli, s3cmd or s3fs, signatures are automatically generated by the library for you.
To generate the signature, you need to have an access key and secret key generated in the Credentials section of your management console.
A v4 signature consists of different parts:
${ACCESS_KEY}/${YYYMMDD}/${REGION_SLUG}/s3/aws4_request
host;x-amz-acl;x-amz-content-sha256;x-amz-date
)The canonical request included in the signature is made up of:
This means that the following example:
GET /?acl HTTP/1.1Host: my-bucket.s3.ams-nl.scw.cloudx-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855x-amz-date: 20190411T101653Z
Would be based on the following canonical code:
GET/acl=host:my-bucket.s3.ams-nl.scw.cloudx-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855x-amz-date:20190411T101653Zhost;x-amz-content-sha256;x-amz-datee3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Example authorization header
Authorization: AWS4-HMAC-SHA256Credential=SCWN63TF9BMCPVNARV5A/20190411/nl-ams/s3/aws4_request,SignedHeaders=host;x-amz-acl;x-amz-content-sha256;x-amz-date,Signature=6cab03bef74a80a0441ab7fd33c829a2cdb46bba07e82da518cdb78ac238fda5
Signing example (pseudo code)
canonicalRequest = `${HTTPMethod}\n${canonicalURI}\n${canonicalQueryString}\n${canonicalHeaders}\n${signedHeaders}\n${hashedPayload}`stringToSign = "AWS4-HMAC-SHA256" + "\n" +date(format=ISO08601) + "\n" +date(format=YYYYMMDD) + "/" + ${REGION} + "/" + "s3/aws4_request" + "\n" +Hex(SHA256Hash(canonicalRequest))dateKey = HMAC-SHA256("AWS4" + ${SECRET_KEY}, date(format=YYYYMMDD))dateRegionKey = HMAC-SHA256(dateKey, ${REGION})dateRegionServiceKey = HMAC-SHA256(dateRegionKey, "s3")signingKey = HMAC-SHA256(dateRegionServiceKey, "aws4_request")signature = Hex(HMAC-SHA256(signingKey, stringToSign))
Your opinion helps us make a better documentation.