Authenticating Requests: Browser-Based Uploads Using POST (Amazon Signature Version 4) - Amazon Simple Storage Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Authenticating Requests: Browser-Based Uploads Using POST (Amazon Signature Version 4)

Amazon S3 supports HTTP POST requests so that users can upload content directly to Amazon S3. Using HTTP POST to upload content simplifies uploads and reduces upload latency where users upload data to store in Amazon S3. This section describes how you authenticate HTTP POST requests. For more information about HTTP POST requests, how to create a form, create a POST policy, and an example, see Browser-Based Uploads Using POST (Amazon Signature Version 4).

To authenticate an HTTP POST request you do the following:

  1. The form must include the following fields to provide signature and relevant information that Amazon S3 can use to re-calculate the signature upon receiving the request:

    Element Name Description
    policy

    The Base64-encoded security policy that describes what is permitted in the request. For signature calculation this policy is the string you sign. Amazon S3 must get this policy so it can re-calculate the signature.

    x-amz-algorithm

    The signing algorithm used. For Amazon Signature Version 4, the value is AWS4-HMAC-SHA256.

    x-amz-credential

    In addition to your access key ID, this provides scope information you used in calculating the signing key for signature calculation.

    It is a string of the following form:

    <your-access-key-id>/<date>/<aws-region>/<aws-service>/aws4_request

    For example:

    AKIAIOSFODNN7EXAMPLE/20130728/us-east-1/s3/aws4_request. .

    For Amazon S3, the aws-service string is s3. For a list of Amazon S3 aws-region strings, see Regions and Endpoints in the Amazon Web Services General Reference.

    x-amz-date

    It is the date value in ISO8601 format. For example, 20130728T000000Z.

    It is the same date you used in creating the signing key. This must also be the same value you provide in the policy (x-amz-date) that you signed.

    x-amz-signature

    (Amazon Signature Version 4) The HMAC-SHA256 hash of the security policy.

    For more information on options for the signature, see Add the signature to the HTTP request in the Amazon Web Services General Reference.

  2. The POST policy must include the following elements:

    Element Name Description
    x-amz-algorithm

    The signing algorithm that you used to calculation the signature. For Amazon Signature Version 4, the value is AWS4-HMAC-SHA256.

    x-amz-credential

    In addition to your access key ID, this provides scope information you used in calculating the signing key for signature calculation.

    It is a string of the following form:

    <your-access-key-id>/<date>/<aws-region>/<aws-service>/aws4_request

    For example,

    AKIAIOSFODNN7EXAMPLE/20130728/us-east-1/s3/aws4_request. .

    x-amz-date

    The date value specified in the ISO8601 formatted string. For example, "20130728T000000Z". The date must be the same that you used in creating the signing key for signature calculation.

  3. For signature calculation the POST policy is the string to sign.

Calculating a Signature

The following diagram illustrates the signature calculation process.

Diagram showing Amazon signature calculation process with StringToSign, SigningKey, and Signature steps.

To Calculate a signature
  1. Create a policy using UTF-8 encoding.

  2. Convert the UTF-8-encoded policy to Base64. The result is the string to sign.

  3. Create the signature as an HMAC-SHA256 hash of the string to sign. You will provide the signing key as key to the hash function.

  4. Encode the signature by using hex encoding.

For more information about creating HTML forms, security policies, and an example, see the following subtopics: