S3 API: Authentication

For this example I will use:

access_key = 'AKIAIOSFODNN7EXAMPLE'
secret_key = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'

First you need to construct your string to sign with this format:

StringToSign =
    HTTP-Verb + "\n" +
    Content-MD5 + "\n" +
    Content-Type + "\n" +
    Date + "\n" +
    CanonicalizedAmzHeaders +
    CanonicalizedResource;

If your request is:

GET /photos/puppy.jpg HTTP/1.1
Host: awsexamplebucket1.us-west-1.s3.amazonaws.com
Date: Tue, 27 Mar 2007 19:36:42 +0000

Generate UTC date in linux:

$ date -uR

Then the string to sign is:

StringToSign =
    GET\n
    \n
    \n
    Tue, 27 Mar 2007 19:36:42 +0000\n
    /awsexamplebucket1/photos/puppy.jpg
StringToSign = "GET\n\n\nTue, 27 Mar 2007 19:36:42 +0000\n/awsexamplebucket1/photos/puppy.jpg"

After that, you need to sign that string with SHA-1 + HMAC with your secret-key and encode the result in Base64.

Signature = Base64( HMAC-SHA1( {secret-key}, {StringToSign} ) );
Signature = "qgk2+6Sv9/oM7G3qLEjTH1a1l1g="

Finally, add “Authorization” header on your request.

Authorization: AWS {access-key}:{hash-of-header-and-secret}
Authorization: AWS AKIAIOSFODNN7EXAMPLE:qgk2+6Sv9/oM7G3qLEjTH1a1l1g=

If everything goes well, you will get a non-error XML response.

Resources:

• Authentication and ACLs — Ceph Documentation
• Signing and authenticating REST requests – Amazon Simple Storage Service
• Hash and HMAC calculator (dinochiesa.github.io)
• GMT Time Now Greenwich Mean Time (utctime.net)