Authentication scheme - Amazon SDKs and Tools
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Authentication scheme

Note

For help in understanding the layout of settings pages, or in interpreting the Support by Amazon SDKs and tools table that follows, see Understanding the settings pages of this guide.

Amazon services support multiple authentication schemes, such as Amazon Signature Version 4 (SigV4) and Amazon Signature Version 4a (SigV4a). By default, SDKs select authentication schemes based on service model definitions and prioritize schemes that provide the best compatibility. However, you can configure your preferred authentication scheme to optimize for specific requirements.

Unlike SigV4, requests signed with SigV4a are valid in multiple Amazon Web Services Regions. SigV4a provides enhanced availability through cross-region request signing, which enables automatic failover to backup regions during regional disruptions. This is particularly beneficial for global services like Amazon Identity and Access Management or Amazon CloudFront.

For more information on these two authentication schemes, see Amazon Signature Version 4 for API requests in the IAM User Guide.

Configure this functionality by using the following:

auth_scheme_preference - shared Amazon config file setting
AWS_AUTH_SCHEME_PREFERENCE - environment variable
aws.authSchemePreference - JVM system property: Java/Kotlin only

Specifies a comma-separated list of preferred authentication schemes in priority order. When a service supports multiple authentication schemes, the SDK attempts to use schemes from this list in the specified order, falling back to default behavior if none of the preferred schemes are available.

Default value: None.

Valid values: A comma-separated list of one or more of the following:

  • sigv4 – Signature Version 4 (fastest performance, single-region)

  • sigv4a – Signature Version 4a (enhanced availability, cross-region support, slower signing performance than SigV4)

  • httpBearerAuth – HTTP Bearer token authentication

Space and tab characters between scheme names are ignored.

Example of setting this value in the config file to prefer SigV4a:

[default]
auth_scheme_preference=sigv4a,sigv4

sigv4a_signing_region_set - shared Amazon config file setting
AWS_SIGV4A_SIGNING_REGION_SET - environment variable

Specifies a comma-separated list of Amazon Web Services Regions for SigV4a multi-region signing. This is used as the default Region set for the request if SigV4a is the selected authentication scheme.

Default value: Determined by the request.

Valid values: Comma-separated list of Amazon Web Services Regions. Space and tab characters between Regions are ignored.
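The following is an added example, not SDK code: a simplified Python model of how auth_scheme_preference and sigv4a_signing_region_set are parsed and applied, useful for auditing a shared config file for misspelled scheme names and for seeing which Regions a SigV4a signature would cover. The function names, the sample file, and the rule that the environment variable overrides the config file are assumptions of this example.

```python
import configparser

# Valid values listed on this page, compared exactly as written there.
KNOWN_SCHEMES = {"sigv4", "sigv4a", "httpBearerAuth"}

# Constructed sample of a shared config file (not from a real account).
SAMPLE_CONFIG = """\
[default]
auth_scheme_preference = sigv4a, \tsigv4
sigv4a_signing_region_set = cn-north-1,\tcn-northwest-1

[profile typo]
auth_scheme_preference = sigv4a,sigv5
"""


def split_list(value):
    """Split a comma-separated setting; spaces and tabs around items are ignored."""
    items = [item.strip(" \t") for item in (value or "").split(",")]
    return [item for item in items if item]


def load_settings(config_text, profile="default", env=None):
    """Return (preference, region_set, unknown_schemes) for one profile."""
    env = env or {}
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    section = parser[profile] if parser.has_section(profile) else {}
    # Assumption: the environment variable overrides the config file setting.
    pref = split_list(env.get("AWS_AUTH_SCHEME_PREFERENCE")
                      or section.get("auth_scheme_preference"))
    regions = split_list(env.get("AWS_SIGV4A_SIGNING_REGION_SET")
                         or section.get("sigv4a_signing_region_set"))
    unknown = [s for s in pref if s not in KNOWN_SCHEMES]
    return pref, regions, unknown


def select_scheme(service_schemes, preference):
    """First preferred scheme the service supports, else the service's default."""
    for scheme in preference:
        if scheme in service_schemes:
            return scheme
    return service_schemes[0]  # modeled default: the service's own ordering


if __name__ == "__main__":
    pref, regions, unknown = load_settings(SAMPLE_CONFIG)
    print("preference:", pref, "region set:", regions, "unknown:", unknown)
    print("selected:", select_scheme(["sigv4", "sigv4a"], pref))
```

A non-empty unknown list means the profile names a scheme that is not among the valid values above, so the preference may not take effect as intended.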

Support by Amazon SDKs and tools

The following SDKs support the features and settings described in this topic. Any partial exceptions are noted. Any JVM system property settings are supported by the Amazon SDK for Java and the Amazon SDK for Kotlin only.