Signature Version 4 signing process - AWS General Reference
AWS services or capabilities described in AWS documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with AWS services in China.

Signature Version 4 signing process

Signature Version 4 is the process to add authentication information to AWS requests sent by HTTP. For security, most requests to AWS must be signed with an access key, which consists of an access key ID and secret access key. These two keys are commonly referred to as your security credentials. For details on how to obtain credentials for your account, see Understanding and getting your AWS credentials.


When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the security credentials you specify when you configure the tools. When you use these tools, you don't need to learn how to sign requests yourself. However, when you manually create HTTP requests to access AWS services, you must sign requests that require signing yourself.

How Signature Version 4 works

  1. Create a canonical request.

  2. Use the canonical request and additional metadata to create a string for signing.

  3. Derive a signing key from your AWS secret access key. Then use the signing key, and the string from the previous step, to create a signature.

  4. Add the resulting signature to the HTTP request in a header or as a query string parameter.

When an AWS service receives the request, it performs the same steps that you did to calculate the signature you sent in your request. AWS then compares its calculated signature to the one you sent with the request. If the signatures match, the request is processed. If the signatures don't match, the request is denied.

For more information, see the following resources: