Contact UsGet started

Signing requests

Written by
Updated at October 28, 2024

Many requests to Object Storage require authentication on the service side, so the user sending a request must sign it.

Object Storage supports AWS Signature V4.

The signing process consists of the following stages:

  1. Generating a string to sign.
  2. Generating a signing key.
  3. Signing a string with a key.

Use HMAC with the SHA256 hash function to sign. Many programming languages support relevant methods. The examples assume the existence of the sign(KEY, STRING) function that encodes the input string with the specified key.

Generate a string to sign

The string to sign (StringToSign) depends on the Object Storage usage scenario:

Generating a signing key

To generate a signing key, you need static access keys for Object Storage. To learn how to get them, see Getting started.

To generate a signing key:

  1. Use the secret key to encode the date:

    DateKey = sign("AWS4" + "SecretKey", "yyyymmdd")

  2. Encode the region using the DateKey you got in the previous step:

    RegionKey = sign(DateKey, "ru-central1")

  3. Encode the service using the RegionKey you got in the previous step:

    ServiceKey = sign(RegionKey, "s3")

  4. Get the signing key:

    SigningKey = sign(ServiceKey, "aws4_request")

Sign a string with a key

To get a string signature, use HMAC with the SHA256 hash function and convert the result to hexadecimal format.

signature = Hex(sign(SigningKey, StringToSign))

Debugging using the AWS CLI

To debug the process of generating a сanonical request, signature string, and signing key, use the AWS CLI utility with the --debug parameter.

Note

Make sure that the service account you are using to run aws commands has the permissions required to perform the requested actions. For example, to create a bucket, assign the storage.editor role for the folder to the service account. For more information, see Access management methods in Object Storage: Overview.

In the terminal, run the bucket creation command and see how request parameters are generated:

aws s3api create-bucket \
  --endpoint-url=https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --debug

Result:

2024-06-03 13:02:36,238 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
PUT
/<bucket_name>

host:storage.yandexcloud.net
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b********
x-amz-date:20240603T100236Z

host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b********

2024-06-03 13:02:36,238 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20240603T100236Z
20240603/ru-central1/s3/aws4_request
7877a13bafaa45f9751e7f345b64a63acc6de279ff927736e906d7c5********

2024-06-03 13:02:36,238 - MainThread - botocore.auth - DEBUG - Signature:
90545034742d1e057c8eeb2cca3c23a38a3ced5ef847f61ac80cb8e1********

See also

Previous
How to use the API
Next
All services and methods