Task 3: Calculate the signature for Amazon Signature Version 4 - Amazon General Reference

Task 3: Calculate the signature for Amazon Signature Version 4

Before you calculate a signature, you derive a signing key from your Amazon secret access key. You don't sign the request directly with your secret access key. Because the derived signing key is specific to the date, service, and Region, it offers a greater degree of protection. You then use the signing key and the string to sign that you created in Task 2: Create a string to sign for Signature Version 4 as the inputs to a keyed hash function. The hex-encoded result from the keyed hash function is the signature.

Signature Version 4 does not require that you use a particular character encoding to encode the string to sign. However, some Amazon services might require a specific encoding. For more information, consult the documentation for that service.

To calculate a signature

  1. Derive your signing key. To do this, use your secret access key to create a series of hash-based message authentication codes (HMACs). This is shown in the following pseudocode, where HMAC(key, data) represents an HMAC-SHA256 function that returns output in binary format. The result of each hash function becomes input for the next one.

    Pseudocode for deriving a signing key

    kSecret = your secret access key
    kDate = HMAC("AWS4" + kSecret, Date)
    kRegion = HMAC(kDate, Region)
    kService = HMAC(kRegion, Service)
    kSigning = HMAC(kService, "aws4_request")

    Note that the date used in the hashing process is in the format YYYYMMDD (for example, 20150830), and does not include the time.

    Make sure you specify the HMAC parameters in the correct order for the programming language you are using. This example shows the key as the first parameter and the data (message) as the second parameter, but the function that you use might specify the key and data in a different order.

    Use the digest (binary format) for the key derivation. Most languages have functions to compute either a binary format hash, commonly called a digest, or a hex-encoded hash, called a hexdigest. The key derivation requires that you use a binary-formatted digest.

    The following example shows the inputs to derive a signing key and the resulting output, where kSecret = wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY.

    The example uses the same parameters from the request in Task 1 and Task 2 (a request to IAM in the cn-north-1 Region on August 30, 2015).

    Example inputs

    HMAC(HMAC(HMAC(HMAC("AWS4" + kSecret,"20150830"),"cn-north-1"),"iam"),"aws4_request")

    The following example shows the derived signing key that results from this sequence of HMAC hash operations. This shows the hexadecimal representation of each byte in the binary signing key.

    Example signing key

    3fa8337361355535220160ce57f4cb5b8e318209aa7bb03ecdcb9aaeec3d07a2

    For more information about how to derive a signing key in different programming languages, see Examples of how to derive a signing key for Signature Version 4.

  2. Calculate the signature. To do this, use the signing key that you derived and the string to sign as inputs to the keyed hash function. After you calculate the signature, convert the binary value to a hexadecimal representation.

    The following pseudocode shows how to calculate the signature.

    signature = HexEncode(HMAC(derived signing key, string to sign))

    Note

    Make sure you specify the HMAC parameters in the correct order for the programming language you are using. This example shows the key as the first parameter and the data (message) as the second parameter, but the function that you use might specify the key and data in a different order.

    The following example shows the resulting signature if you use the same signing key and the string to sign from Task 2:

    Example signature

    d37af66cc90dc26bb2e27d2a97316b729b82589b5e4648f1ae34cb83a3f546cd
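Steps 1 and 2 in Python, as an added example that is not part of the original documentation. It goes slightly beyond the page by adding a receiver-side `verify` that compares signatures in constant time and a deliberately wrong `derive_with_hex_chaining` that shows the hexdigest mistake step 1 warns about. The function names are hypothetical, and `STRING_TO_SIGN` is a constructed stand-in because the Task 2 string is not reproduced on this page, so its signature will not match the example signature above.

```python
import hashlib
import hmac

SECRET = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"  # example key from the page
# Constructed string to sign (the Task 2 value is not on this page).
STRING_TO_SIGN = "AWS4-HMAC-SHA256\n20150830T000000Z\n20150830/cn-north-1/iam/aws4_request\n" + "0" * 64

def _hmac(key: bytes, data: str) -> bytes:
    """HMAC-SHA256, key first, returning the binary digest (not hex)."""
    return hmac.new(key, data.encode("utf-8"), hashlib.sha256).digest()

def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """kSecret -> kDate -> kRegion -> kService -> kSigning, binary throughout."""
    if len(date) != 8 or not (date.isascii() and date.isdigit()):
        raise ValueError("date must be YYYYMMDD with no time component")
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")

def sign(signing_key: bytes, string_to_sign: str) -> str:
    """signature = HexEncode(HMAC(derived signing key, string to sign))."""
    return _hmac(signing_key, string_to_sign).hex()

def verify(signing_key: bytes, string_to_sign: str, presented: str) -> bool:
    """Receiver side: recompute the signature and compare in constant time."""
    expected = bytes.fromhex(sign(signing_key, string_to_sign))
    try:
        return hmac.compare_digest(expected, bytes.fromhex(presented))
    except ValueError:  # presented value is not valid hex
        return False

def derive_with_hex_chaining(secret: str, date: str, region: str, service: str) -> bytes:
    """Deliberately wrong: feeds each hexdigest forward as the next key."""
    key = ("AWS4" + secret).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode("utf-8"), hashlib.sha256).hexdigest().encode("ascii")
    return bytes.fromhex(key.decode("ascii"))

if __name__ == "__main__":
    key = derive_signing_key(SECRET, "20150830", "cn-north-1", "iam")
    print("signing key:", key.hex())  # compare with the page's example signing key
    print("signature:  ", sign(key, STRING_TO_SIGN))  # constructed input, not the page's
    wrong = derive_with_hex_chaining(SECRET, "20150830", "cn-north-1", "iam")
    print("hex-chained key equals correct key:", wrong == key)
```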