Amazon Web Services
一般参考 (Version 1.0)
AWS 服务或AWS文档中描述的功能,可能因地区/位置而异。点 击 Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

完整版本 4 签名过程的示例 (Python)

本节展示用 Python 编写的示例程序,这些程序阐释如何在 AWS 中使用签名版本 4。我们特意将这些示例程序编写得很简单(仅使用极少 Python 特定功能),便于您更轻松地了解签署 AWS 请求的完整过程。

要使用这些示例程序,您需要:

  • 计算机上安装有 Python 2.x,您可以从 Python 站点获取。这些程序已使用 Python 2.7 测试过。

  • Python 请求,示例脚本使用此库发出 Web 请求。一种方便的 Python 程序包安装方法是使用 pip,它可从 Python 程序包索引站点获取程序包。然后,您可以在命令行上运行 pip install requests 来安装 requests

  • 环境变量中名为 AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEY 的访问密钥(访问密钥 ID 和秘密访问密钥)。或者,您也可以在凭证文件中保存这些值,然后从这些文件中读取。作为最佳实践,我们建议您不要在代码中嵌入凭证。有关详细信息,请参阅 Amazon Web Services 一般参考 中的管理 AWS 访问密钥的最佳实践

注意

以下示例使用 UTF-8 对规范请求和待签字符串进行编码,而签名版本 4 不需要您使用特定字符编码。不过,一些 AWS 服务可能需要特定编码。有关更多信息,请参阅该服务的文档。

结合使用 GET 和 Authorization 标头 (Python)

以下示例说明如何使用 Amazon EC2 查询 API 发出请求。该请求发出 GET 请求,并使用 Authorization 标头将身份验证信息发送到 AWS。

Copy
# AWS Version 4 signing example # EC2 API (DescribeRegions) # See: http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html # This version makes a GET request and passes the signature # in the Authorization header. import sys, os, base64, datetime, hashlib, hmac import requests # pip install requests # ************* REQUEST VALUES ************* method = 'GET' service = 'ec2' host = 'ec2.amazonaws.com' region = 'us-east-1' endpoint = 'https://ec2.amazonaws.com' request_parameters = 'Action=DescribeRegions&Version=2013-10-15' # Key derivation functions. See: # http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html#signature-v4-examples-python def sign(key, msg): return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest() def getSignatureKey(key, dateStamp, regionName, serviceName): kDate = sign(('AWS4' + key).encode('utf-8'), dateStamp) kRegion = sign(kDate, regionName) kService = sign(kRegion, serviceName) kSigning = sign(kService, 'aws4_request') return kSigning # Read AWS access key from env. variables or configuration file. Best practice is NOT # to embed credentials in code. access_key = os.environ.get('AWS_ACCESS_KEY_ID') secret_key = os.environ.get('AWS_SECRET_ACCESS_KEY') if access_key is None or secret_key is None: print 'No access key is available.' sys.exit() # Create a date for headers and the credential string t = datetime.datetime.utcnow() amzdate = t.strftime('%Y%m%dT%H%M%SZ') datestamp = t.strftime('%Y%m%d') # Date w/o time, used in credential scope # ************* TASK 1: CREATE A CANONICAL REQUEST ************* # http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html # Step 1 is to define the verb (GET, POST, etc.)--already done. # Step 2: Create canonical URI--the part of the URI from domain to query # string (use '/' if no path) canonical_uri = '/' # Step 3: Create the canonical query string. In this example (a GET request), # request parameters are in the query string. Query string values must # be URL-encoded (space=%20). The parameters must be sorted by name. # For this example, the query string is pre-formatted in the request_parameters variable. canonical_querystring = request_parameters # Step 4: Create the canonical headers and signed headers. Header names # must be trimmed and lowercase, and sorted in code point order from # low to high. Note that there is a trailing \n. canonical_headers = 'host:' + host + '\n' + 'x-amz-date:' + amzdate + '\n' # Step 5: Create the list of signed headers. This lists the headers # in the canonical_headers list, delimited with ";" and in alpha order. # Note: The request can include any headers; canonical_headers and # signed_headers lists those that you want to be included in the # hash of the request. "Host" and "x-amz-date" are always required. signed_headers = 'host;x-amz-date' # Step 6: Create payload hash (hash of the request body content). For GET # requests, the payload is an empty string (""). payload_hash = hashlib.sha256('').hexdigest() # Step 7: Combine elements to create create canonical request canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash # ************* TASK 2: CREATE THE STRING TO SIGN************* # Match the algorithm to the hashing algorithm you use, either SHA-1 or # SHA-256 (recommended) algorithm = 'AWS4-HMAC-SHA256' credential_scope = datestamp + '/' + region + '/' + service + '/' + 'aws4_request' string_to_sign = algorithm + '\n' + amzdate + '\n' + credential_scope + '\n' + hashlib.sha256(canonical_request).hexdigest() # ************* TASK 3: CALCULATE THE SIGNATURE ************* # Create the signing key using the function defined above. signing_key = getSignatureKey(secret_key, datestamp, region, service) # Sign the string_to_sign using the signing_key signature = hmac.new(signing_key, (string_to_sign).encode('utf-8'), hashlib.sha256).hexdigest() # ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST ************* # The signing information can be either in a query string value or in # a header named Authorization. This code shows how to use a header. # Create authorization header and add to request headers authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' + 'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature # The request can include any headers, but MUST include "host", "x-amz-date", # and (for this scenario) "Authorization". "host" and "x-amz-date" must # be included in the canonical_headers and signed_headers, as noted # earlier. Order here is not significant. # Python note: The 'host' header is added automatically by the Python 'requests' library. headers = {'x-amz-date':amzdate, 'Authorization':authorization_header} # ************* SEND THE REQUEST ************* request_url = endpoint + '?' + canonical_querystring print '\nBEGIN REQUEST++++++++++++++++++++++++++++++++++++' print 'Request URL = ' + request_url r = requests.get(request_url, headers=headers) print '\nRESPONSE++++++++++++++++++++++++++++++++++++' print 'Response code: %d\n' % r.status_code print r.text

使用 POST(Python)

以下示例说明如何使用 Amazon DynamoDB 查询 API 发出请求。该请求发出 POST 请求并在请求正文中将值传递给 AWS。身份验证信息是通过 Authorization 请求标头传递的。

Copy
# AWS Version 4 signing example # DynamoDB API (CreateTable) # See: http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html # This version makes a POST request and passes request parameters # in the body (payload) of the request. Auth information is passed in # an Authorization header. import sys, os, base64, datetime, hashlib, hmac import requests # pip install requests # ************* REQUEST VALUES ************* method = 'POST' service = 'dynamodb' host = 'dynamodb.us-west-2.amazonaws.com' region = 'us-west-2' endpoint = 'https://dynamodb.us-west-2.amazonaws.com/' # POST requests use a content type header. For DynamoDB, # the content is JSON. content_type = 'application/x-amz-json-1.0' # DynamoDB requires an x-amz-target header that has this format: # DynamoDB_<API version>.<operationName> amz_target = 'DynamoDB_20120810.CreateTable' # Request parameters for CreateTable--passed in a JSON block. request_parameters = '{' request_parameters += '"KeySchema": [{"KeyType": "HASH","AttributeName": "Id"}],' request_parameters += '"TableName": "TestTable","AttributeDefinitions": [{"AttributeName": "Id","AttributeType": "S"}],' request_parameters += '"ProvisionedThroughput": {"WriteCapacityUnits": 5,"ReadCapacityUnits": 5}' request_parameters += '}' # Key derivation functions. See: # http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html#signature-v4-examples-python def sign(key, msg): return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest() def getSignatureKey(key, date_stamp, regionName, serviceName): kDate = sign(('AWS4' + key).encode('utf-8'), date_stamp) kRegion = sign(kDate, regionName) kService = sign(kRegion, serviceName) kSigning = sign(kService, 'aws4_request') return kSigning # Read AWS access key from env. variables or configuration file. Best practice is NOT # to embed credentials in code. access_key = os.environ.get('AWS_ACCESS_KEY_ID') secret_key = os.environ.get('AWS_SECRET_ACCESS_KEY') if access_key is None or secret_key is None: print 'No access key is available.' sys.exit() # Create a date for headers and the credential string t = datetime.datetime.utcnow() amz_date = t.strftime('%Y%m%dT%H%M%SZ') date_stamp = t.strftime('%Y%m%d') # Date w/o time, used in credential scope # ************* TASK 1: CREATE A CANONICAL REQUEST ************* # http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html # Step 1 is to define the verb (GET, POST, etc.)--already done. # Step 2: Create canonical URI--the part of the URI from domain to query # string (use '/' if no path) canonical_uri = '/' ## Step 3: Create the canonical query string. In this example, request # parameters are passed in the body of the request and the query string # is blank. canonical_querystring = '' # Step 4: Create the canonical headers. Header names must be trimmed # and lowercase, and sorted in code point order from low to high. # Note that there is a trailing \n. canonical_headers = 'content-type:' + content_type + '\n' + 'host:' + host + '\n' + 'x-amz-date:' + amz_date + '\n' + 'x-amz-target:' + amz_target + '\n' # Step 5: Create the list of signed headers. This lists the headers # in the canonical_headers list, delimited with ";" and in alpha order. # Note: The request can include any headers; canonical_headers and # signed_headers include those that you want to be included in the # hash of the request. "Host" and "x-amz-date" are always required. # For DynamoDB, content-type and x-amz-target are also required. signed_headers = 'content-type;host;x-amz-date;x-amz-target' # Step 6: Create payload hash. In this example, the payload (body of # the request) contains the request parameters. payload_hash = hashlib.sha256(request_parameters).hexdigest() # Step 7: Combine elements to create create canonical request canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash # ************* TASK 2: CREATE THE STRING TO SIGN************* # Match the algorithm to the hashing algorithm you use, either SHA-1 or # SHA-256 (recommended) algorithm = 'AWS4-HMAC-SHA256' credential_scope = date_stamp + '/' + region + '/' + service + '/' + 'aws4_request' string_to_sign = algorithm + '\n' + amz_date + '\n' + credential_scope + '\n' + hashlib.sha256(canonical_request).hexdigest() # ************* TASK 3: CALCULATE THE SIGNATURE ************* # Create the signing key using the function defined above. signing_key = getSignatureKey(secret_key, date_stamp, region, service) # Sign the string_to_sign using the signing_key signature = hmac.new(signing_key, (string_to_sign).encode('utf-8'), hashlib.sha256).hexdigest() # ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST ************* # Put the signature information in a header named Authorization. authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' + 'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature # For DynamoDB, the request can include any headers, but MUST include "host", "x-amz-date", # "x-amz-target", "content-type", and "Authorization". Except for the authorization # header, the headers must be included in the canonical_headers and signed_headers values, as # noted earlier. Order here is not significant. # # Python note: The 'host' header is added automatically by the Python 'requests' library. headers = {'Content-Type':content_type, 'X-Amz-Date':amz_date, 'X-Amz-Target':amz_target, 'Authorization':authorization_header} # ************* SEND THE REQUEST ************* print '\nBEGIN REQUEST++++++++++++++++++++++++++++++++++++' print 'Request URL = ' + endpoint r = requests.post(endpoint, data=request_parameters, headers=headers) print '\nRESPONSE++++++++++++++++++++++++++++++++++++' print 'Response code: %d\n' % r.status_code print r.text

在查询字符串中结合使用 GET 和身份验证信息 (Python)

以下示例说明如何使用 IAM 查询 API 发出请求。该请求发出 GET 请求,并使用查询字符串传递参数和签名信息。

Copy
# AWS Version 4 signing example # IAM API (CreateUser) # See: http://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html # This version makes a GET request and passes request parameters # and authorization information in the query string import sys, os, base64, datetime, hashlib, hmac, urllib import requests # pip install requests # ************* REQUEST VALUES ************* method = 'GET' service = 'iam' host = 'iam.amazonaws.com' region = 'us-east-1' endpoint = 'https://iam.amazonaws.com' # Key derivation functions. See: # http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html#signature-v4-examples-python def sign(key, msg): return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest() def getSignatureKey(key, dateStamp, regionName, serviceName): kDate = sign(('AWS4' + key).encode('utf-8'), dateStamp) kRegion = sign(kDate, regionName) kService = sign(kRegion, serviceName) kSigning = sign(kService, 'aws4_request') return kSigning # Read AWS access key from env. variables or configuration file. Best practice is NOT # to embed credentials in code. access_key = os.environ.get('AWS_ACCESS_KEY_ID') secret_key = os.environ.get('AWS_SECRET_ACCESS_KEY') if access_key is None or secret_key is None: print 'No access key is available.' sys.exit() # Create a date for headers and the credential string t = datetime.datetime.utcnow() amz_date = t.strftime('%Y%m%dT%H%M%SZ') # Format date as YYYYMMDD'T'HHMMSS'Z' datestamp = t.strftime('%Y%m%d') # Date w/o time, used in credential scope # ************* TASK 1: CREATE A CANONICAL REQUEST ************* # http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html # Because almost all information is being passed in the query string, # the order of these steps is slightly different than examples that # use an authorization header. # Step 1: Define the verb (GET, POST, etc.)--already done. # Step 2: Create canonical URI--the part of the URI from domain to query # string (use '/' if no path) canonical_uri = '/' # Step 3: Create the canonical headers and signed headers. Header names # must be trimmed and lowercase, and sorted in code point order from # low to high. Note trailing \n in canonical_headers. # signed_headers is the list of headers that are being included # as part of the signing process. For requests that use query strings, # only "host" is included in the signed headers. canonical_headers = 'host:' + host + '\n' signed_headers = 'host' # Match the algorithm to the hashing algorithm you use, either SHA-1 or # SHA-256 (recommended) algorithm = 'AWS4-HMAC-SHA256' credential_scope = datestamp + '/' + region + '/' + service + '/' + 'aws4_request' # Step 4: Create the canonical query string. In this example, request # parameters are in the query string. Query string values must # be URL-encoded (space=%20). The parameters must be sorted by name. canonical_querystring = 'Action=CreateUser&UserName=NewUser&Version=2010-05-08' canonical_querystring += '&X-Amz-Algorithm=AWS4-HMAC-SHA256' canonical_querystring += '&X-Amz-Credential=' + urllib.quote_plus(access_key + '/' + credential_scope) canonical_querystring += '&X-Amz-Date=' + amz_date canonical_querystring += '&X-Amz-Expires=30' canonical_querystring += '&X-Amz-SignedHeaders=' + signed_headers # Step 5: Create payload hash. For GET requests, the payload is an # empty string (""). payload_hash = hashlib.sha256('').hexdigest() # Step 6: Combine elements to create create canonical request canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash # ************* TASK 2: CREATE THE STRING TO SIGN************* string_to_sign = algorithm + '\n' + amz_date + '\n' + credential_scope + '\n' + hashlib.sha256(canonical_request).hexdigest() # ************* TASK 3: CALCULATE THE SIGNATURE ************* # Create the signing key signing_key = getSignatureKey(secret_key, datestamp, region, service) # Sign the string_to_sign using the signing_key signature = hmac.new(signing_key, (string_to_sign).encode("utf-8"), hashlib.sha256).hexdigest() # ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST ************* # The auth information can be either in a query string # value or in a header named Authorization. This code shows how to put # everything into a query string. canonical_querystring += '&X-Amz-Signature=' + signature # ************* SEND THE REQUEST ************* # The 'host' header is added automatically by the Python 'request' lib. But it # must exist as a header in the request. request_url = endpoint + "?" + canonical_querystring print '\nBEGIN REQUEST++++++++++++++++++++++++++++++++++++' print 'Request URL = ' + request_url r = requests.get(request_url) print '\nRESPONSE++++++++++++++++++++++++++++++++++++' print 'Response code: %d\n' % r.status_code print r.text