Amazon V4 authentication

Original link: http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html

Signature Version 4 Signing Process

The signature version 4 signing specification describes how to add authentication information to AWS requests—that is, how to sign AWS requests. As a security measure, most requests to AWS must be signed using an access key (access key ID and secret access key). If you use the AWS Command Line Interface (CLI) or one of the AWS SDKs, those tools all automatically sign requests for you, based on credentials that you specify when you configure the tools. But if you make direct HTTP or HTTPS calls to AWS, you must sign the requests yourself, using the procedure described here.

To sign a request, you calculate a signature that's based on a combination of information in the request (such as the AWS service, region, action, and time stamp) and your AWS access key. After you calculate the signature, you add it to the request as a parameter, either in the header of the request or as a query-string parameter.

When AWS receives the request, it performs the same steps that you did in order to calculate the signature. AWS then compares the signature that it calculates against the one that you send in the request. If the signatures match, the request is processed; if the signatures don't match, the request is denied.

Important

The AWS SDKs support signature version 4. If you are using one of the SDKs, you do not need to follow this process to manually complete the signing process. For more information about how to download and use the AWS SDKs, go to the Tools for Amazon Web Services page.

To get started with the signing process, see Signing AWS Requests By Using Signature Version 4.

To see sample signed requests, see Examples of the Complete Version 4 Signing Process (Python).

If you have questions about Signature Version 4 that are not answered in this guide, please post your question in the AWS Identity and Access Management discussion forum.


Signing AWS Requests By Using Signature Version 4

What Signing Looks Like in a Request

To give you an idea of what the process accomplishes, consider the following example of what a request might look like as it is sent from your browser to AWS, without any signing information.

POST https://iam.amazonaws.com/ HTTP/1.1
host: iam.amazonaws.com
Content-type: application/x-www-form-urlencoded; charset=utf-8
x-amz-date: 20110909T233600Z

Action=ListUsers&Version=2010-05-08

After you've completed the signing tasks, you add the resulting authentication information to the request. One option is to add it to the request using an Authorization header. (Although the header is named Authorization, the signing information is actually used for authentication—establishing who the request came from.) The Authorization header includes information about the algorithm you used for signing (SHA256), the credential scope (with your access key), the list of signed headers, and the calculated signature.

The following example shows what the previous request might look like after you've created the signing information and added it to the request in the Authorization header.

POST https://iam.amazonaws.com/ HTTP/1.1
Authorization: AWS4-HMAC-SHA256 Credential=AKIDEXAMPLE/20110909/us-east-1/iam/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=ced6826de92d2bdeed8f846f0bf508e8559e98e4b0199114b84c54174deb456c
host: iam.amazonaws.com
Content-type: application/x-www-form-urlencoded; charset=utf-8
x-amz-date: 20110909T233600Z

Action=ListUsers&Version=2010-05-08

As an alternative to adding authentication information to a request header, you can include it in the query string. In that case, the query string includes everything that's part of the request, including the name and parameters for the action, the date, and the authentication information. In effect, this creates a pre-signed URL.

The following example shows how you might construct a GET request by including the action and authentication information in the query string.

GET https://iam.amazonaws.com/?Action=ListUsers&Version=2010-05-08&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIDEXAMPLE/20110909/us-east-1/iam/aws4_request&X-Amz-Date=20110909T233600Z&X-Amz-SignedHeaders=content-type;host&X-Amz-Signature=525d1a96c69b5549dd78dbbec8efe264102288b83ba87b7d58d4b76b71f59fd2 HTTP/1.1
Content-type: application/json
host: iam.amazonaws.com

Note

When we show API examples in the AWS documentation, we often omit the details of the authentication information to make it easier to focus on the portions of the example that are relevant to the particular operation. In those cases, we include the placeholder AUTHPARAMS to show where the authentication information goes in a request.

GET and POST Requests in the Query API

The query API that many AWS services support lets you make requests using either HTTP GET or POST. (In the query API, you can use GET even if you're making requests that change state; that is, the query API is not inherently RESTful.) Because GET requests pass parameters on the query string, they are limited to the maximum length of a URL. Therefore, if a request includes a large payload—for example, if you are uploading a large IAM policy or parameters in JSON format for a DynamoDB request—you generally use a POST request. The signing process is the same for both types of requests, although there are slight differences if you're making a GET request and you're also including the authentication information in the query string.

Summary of Signing Steps

To create a signed request, you do the following:

  • Task 1: Create A Canonical Request

    You arrange the contents of your request (endpoint, action, headers, etc.) into a standard, or canonical, format. You then create a hash (digest) of the canonical request, add it to the canonical request, and then create a digest of the updated canonical request.

  • Task 2: Create a String to Sign

    Using content from the request (the algorithm, request, date, credential scope, and the digest of the canonical request), you create a string to sign.

  • Task 3: Create a Signature

    You derive a signing key by performing a succession of recursive keyed hash operations (HMAC operations) on the request date, region, service, and signing value, using an AWS secret access key as the key for the hashing operation. After you have derived the signing key, you then calculate the signature by performing a keyed hash operation on the string to sign, using the derived key as the hash key. Finally, you add the signature to the header or to the query string of the request.
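The following Python is an added example, not code from the AWS documentation or from this post. It carries the three tasks above through for the ListUsers request shown earlier, produces both the Authorization-header form and the query-string (pre-signed URL) form, and includes the receiver-side check that recomputes the signature and compares it in constant time, which is what AWS does on its side. The access key ID AKIDEXAMPLE, the headers and the body are taken from the page; the secret access key is a constructed placeholder, so the signatures this block prints will not equal the ones shown above.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def uri_encode(value: str) -> str:
    # RFC 3986 encoding: only A-Z a-z 0-9 - _ . ~ are left unencoded.
    return quote(value, safe="-_.~")


def canonical_request(method, path, query, headers, payload):
    """Task 1: canonical request. Returns (text, signed_headers)."""
    # Header names lowercased, values trimmed with runs of spaces collapsed, sorted by name.
    canon_headers = {k.lower().strip(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(canon_headers)
    signed_headers = ";".join(names)
    header_block = "".join(f"{n}:{canon_headers[n]}\n" for n in names)
    # Query parameters URI-encoded and sorted by name.
    canon_query = "&".join(f"{uri_encode(k)}={uri_encode(v)}" for k, v in sorted(query.items()))
    text = "\n".join([
        method,
        quote(path, safe="/-_.~") or "/",
        canon_query,
        header_block,          # ends with "\n", which produces the blank separator line
        signed_headers,
        sha256_hex(payload),   # hex digest of the request body (empty body hashes too)
    ])
    return text, signed_headers


def string_to_sign(amz_date, scope, canonical_text):
    """Task 2: algorithm, time stamp, credential scope, digest of the canonical request."""
    return "\n".join([ALGORITHM, amz_date, scope, sha256_hex(canonical_text.encode("utf-8"))])


def signing_key(secret, date_stamp, region, service):
    """Task 3, first half: derive the signing key with a chain of HMACs."""
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")


def compute_signature(secret, region, service, amz_date, method, path, query, headers, payload):
    """Tasks 1-3 end to end. Returns (signature_hex, credential_scope, signed_headers)."""
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    canonical_text, signed = canonical_request(method, path, query, headers, payload)
    sts = string_to_sign(amz_date, scope, canonical_text)
    key = signing_key(secret, date_stamp, region, service)
    return hmac.new(key, sts.encode("utf-8"), hashlib.sha256).hexdigest(), scope, signed


def authorization_header(access_key, secret, region, service, method, path, query, headers, payload):
    """Header form: the value of the Authorization header."""
    amz_date = next(v for k, v in headers.items() if k.lower() == "x-amz-date")
    signature, scope, signed = compute_signature(secret, region, service, amz_date, method, path, query, headers, payload)
    return f"{ALGORITHM} Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={signature}"


def presigned_query(access_key, secret, region, service, path, query, headers, amz_date):
    """Query-string form: X-Amz-* parameters are part of what is signed; the signature is appended last."""
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    params = dict(query)
    params.update({
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-SignedHeaders": ";".join(sorted(k.lower() for k in headers)),
    })
    signature, _, _ = compute_signature(secret, region, service, amz_date, "GET", path, params, headers, b"")
    params["X-Amz-Signature"] = signature
    return "&".join(f"{uri_encode(k)}={uri_encode(v)}" for k, v in params.items())


def verify_signature(secret, region, service, amz_date, method, path, query, headers, payload, presented):
    """Receiver side: recompute from the request and the stored secret, compare in constant time."""
    expected, _, _ = compute_signature(secret, region, service, amz_date, method, path, query, headers, payload)
    return hmac.compare_digest(expected, presented)


# Constructed sample: the ListUsers request from the page with a placeholder secret key.
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "placeholder-secret-not-a-real-key"
SAMPLE_HEADERS = {
    "host": "iam.amazonaws.com",
    "Content-type": "application/x-www-form-urlencoded; charset=utf-8",
    "x-amz-date": "20110909T233600Z",
}
SAMPLE_BODY = b"Action=ListUsers&Version=2010-05-08"


def sign_sample_post():
    return authorization_header(ACCESS_KEY, SECRET_KEY, "us-east-1", "iam", "POST", "/", {}, SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    print(sign_sample_post())
    print(presigned_query(ACCESS_KEY, SECRET_KEY, "us-east-1", "iam", "/",
                          {"Action": "ListUsers", "Version": "2010-05-08"},
                          {"host": "iam.amazonaws.com"}, "20110909T233600Z"))
```

Two details are worth noting from a defender's point of view: the signing key never contains the secret itself (only HMAC outputs derived from it, scoped to one date, region and service), and the receiver compares with `hmac.compare_digest` so that a mismatch takes the same time regardless of where the first differing byte is.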

Note

The AWS SDKs offer functions to generate version 4 request signatures. The SDKs handle the signature calculation process for you so that you do not have to manually complete the signing process. For more information about how to download and use the AWS SDKs, go to Sample Code & Libraries.

The pages that follow walk you through each of these steps. We also provide the following code examples that illustrate aspects of the signing process:

  • Examples of How to Derive a Version 4 Signing Key. This page shows how to perform the step of deriving a signing key using Java, C#, Python, Ruby, and JavaScript.

  • Examples of the Complete Version 4 Signing Process (Python). This set of programs in Python provides complete, runnable examples of the signing process, showing how to use signing with a POST request, with a GET request that puts signing information in a request header, and with a GET request that puts signing information in the query string.

  • Signature Version 4 Test Suite. This downloadable package contains a collection of examples that include signature information for various steps in the process of signing a request. You can use these examples to verify that the signing process that you are coding is producing the correct results at each step of the process.

