Signing requests
Warning
Requests have to be signed only if using static access key authentication. If IAM token authentication is used, you do not have to sign requests.
Many requests to Object Storage require authentication on the service side, so the user sending a request must sign it.
Object Storage supports AWS Signature V4.
The signing process includes the following stages:
The steps below use the sign(KEY, STRING) function, which computes an HMAC of the input string STRING with the specified key KEY.
Generate a string to sign
The string to sign (StringToSign) depends on the Object Storage use case:
- Accessing an Amazon S3-compatible API without an SDK or special utilities.
- Uploading objects using an HTML form.
- Signing a URL using query parameters.
Generate a signing key
To generate a signing key, you need static access keys for Object Storage. To learn how to get them, see Getting started.
To generate a signing key:
- Use the secret key to encode the date (in yyyymmdd format):
  DateKey = sign("AWS4" + "SecretKey", "yyyymmdd")
- Encode the region using the DateKey you got in the previous step:
  RegionKey = sign(DateKey, "ru-central1")
- Encode the service using the RegionKey you got in the previous step:
  ServiceKey = sign(RegionKey, "s3")
- Get the signing key:
  SigningKey = sign(ServiceKey, "aws4_request")
Sign the string with the key
To get a string signature, use HMAC with the SHA256 hash function and convert the result to hexadecimal format.
signature = Hex(sign(SigningKey, StringToSign))
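As an added example (not code from the Yandex Cloud documentation or from the AWS CLI), the following Python script carries the whole procedure above through in code: the four-step key derivation, the canonical request and StringToSign in the layout the AWS CLI prints under --debug, and the final hex signature. The secret key, bucket name and timestamp are constructed placeholders; hashlib and hmac are Python's standard library.

```python
import hashlib
import hmac

# Constructed placeholders for this example (not real credentials or a real bucket).
SECRET_KEY = "EXAMPLE-SECRET-KEY-not-a-real-credential"
BUCKET = "example-bucket"
AMZ_DATE = "20240603T100236Z"   # x-amz-date in the same form as the debug output
REGION = "ru-central1"
SERVICE = "s3"
HOST = "storage.yandexcloud.net"


def sign(key: bytes, msg: str) -> bytes:
    """sign(KEY, STRING) from the page: HMAC-SHA256 of STRING under KEY, as raw bytes."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """The four-step chain: DateKey -> RegionKey -> ServiceKey -> SigningKey."""
    date_key = sign(("AWS4" + secret_key).encode("utf-8"), date)  # date is yyyymmdd
    region_key = sign(date_key, region)
    service_key = sign(region_key, service)
    return sign(service_key, "aws4_request")


def canonical_request(method: str, uri: str, query: str, headers: dict, payload: bytes) -> str:
    """Canonical request in the layout the AWS CLI prints under --debug:
    method, URI, query string, one 'name:value' line per header (lower-cased,
    sorted), a blank line, the signed-header list, and the hex SHA-256 of the body."""
    lowered = {name.lower(): value.strip() for name, value in headers.items()}
    names = sorted(lowered)
    canonical_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    signed_headers = ";".join(names)
    payload_hash = hashlib.sha256(payload).hexdigest()
    return "\n".join([method, uri, query, canonical_headers, signed_headers, payload_hash])


def string_to_sign(amz_date: str, scope: str, creq: str) -> str:
    """StringToSign: algorithm, timestamp, credential scope, hex SHA-256 of the canonical request."""
    creq_hash = hashlib.sha256(creq.encode("utf-8")).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, creq_hash])


def signature(signing_key: bytes, sts: str) -> str:
    """signature = Hex(sign(SigningKey, StringToSign))."""
    return sign(signing_key, sts).hex()


def sign_create_bucket(secret_key: str, bucket: str, amz_date: str) -> dict:
    """Reproduce the create-bucket PUT from the page: empty body, three signed headers."""
    date = amz_date[:8]
    payload = b""
    headers = {
        "host": HOST,
        "x-amz-content-sha256": hashlib.sha256(payload).hexdigest(),
        "x-amz-date": amz_date,
    }
    creq = canonical_request("PUT", f"/{bucket}", "", headers, payload)
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    sts = string_to_sign(amz_date, scope, creq)
    key = derive_signing_key(secret_key, date, REGION, SERVICE)
    return {"canonical_request": creq, "string_to_sign": sts, "signature": signature(key, sts)}


if __name__ == "__main__":
    result = sign_create_bucket(SECRET_KEY, BUCKET, AMZ_DATE)
    for name in ("canonical_request", "string_to_sign", "signature"):
        print(f"{name}:\n{result[name]}\n")
```

Running the script prints the three artifacts in the same order as the AWS CLI debug output. The x-amz-content-sha256 line for an empty body starts with e3b0c442... exactly as in the debug output, because it is the SHA-256 of an empty payload; the StringToSign hash and the signature differ from the page's values because they depend on the bucket name and the secret key.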
Debugging using the AWS CLI
To debug the process of generating a canonical request, string to sign, and signing key, use the AWS CLI utility with the --debug parameter.
Note
Make sure that the service account you are using to run aws commands has the permissions required to perform the requested actions. For example, to create a bucket, assign the storage.editor role for the folder to the service account. For more information, see Access management methods in Object Storage: Overview.
In the terminal, run the bucket creation command and see how request parameters are generated:
aws s3api create-bucket \
--endpoint-url=https://storage.yandexcloud.net \
--bucket <bucket_name> \
--debug
Result:
2024-06-03 13:02:36,238 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
PUT
/<bucket_name>
host:storage.yandexcloud.net
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b********
x-amz-date:20240603T100236Z
host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b********
2024-06-03 13:02:36,238 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20240603T100236Z
20240603/ru-central1/s3/aws4_request
7877a13bafaa45f9751e7f345b64a63acc6de279ff927736e906d7c5********
2024-06-03 13:02:36,238 - MainThread - botocore.auth - DEBUG - Signature:
90545034742d1e057c8eeb2cca3c23a38a3ced5ef847f61ac80cb8e1********