© 2025 Direct Cursus Technology L.L.C.

Signing requests

Written by
Yandex Cloud
Updated at March 19, 2025

Many requests to Object Storage require authentication on the service side, so the user sending a request must sign it.

Object Storage supports AWS Signature V4.

The signing process includes the following stages:

  1. Generating a string to sign.
  2. Generating a signing key.
  3. Signing the string with the key.

Use HMAC with the SHA256 hash function to sign. Many programming languages provide methods for this. The examples assume that there is a sign(KEY, STRING) function that computes the HMAC-SHA256 of the input string using the specified key.

Generate a string to sign

The string to sign (StringToSign) depends on the Object Storage use case:

  • Accessing an Amazon S3-compatible API without an SDK or special utilities.
  • Uploading objects using an HTML form.
  • Signing a URL using query parameters.

Generate a signing key

To generate a signing key, you need static access keys for Object Storage. To learn how to get them, see Getting started.

To generate a signing key:

  1. Use the secret key to encode the date:

    DateKey = sign("AWS4" + "SecretKey", "yyyymmdd")
    
  2. Encode the region using DateKey you got in the previous step:

    RegionKey = sign(DateKey, "ru-central1")
    
  3. Encode the service using RegionKey you got in the previous step:

    ServiceKey = sign(RegionKey, "s3")
    
  4. Get the signing key:

    SigningKey = sign(ServiceKey, "aws4_request")
    

Sign the string with the key

To get a string signature, use HMAC with the SHA256 hash function and convert the result to hexadecimal format.

signature = Hex(sign(SigningKey, StringToSign))

Debugging using the AWS CLI

To debug the process of generating a canonical request, signature string, and signing key, use the AWS CLI utility with the --debug parameter.

Note

Make sure that the service account you are using to run aws commands has the permissions required to perform the requested actions. For example, to create a bucket, assign the storage.editor role for the folder to the service account. For more information, see Access management methods in Object Storage: Overview.


In the terminal, run the bucket creation command and see how request parameters are generated:

aws s3api create-bucket \
  --endpoint-url=https://storage.yandexcloud.net \
  --bucket <bucket_name> \
  --debug

Result:

2024-06-03 13:02:36,238 - MainThread - botocore.auth - DEBUG - CanonicalRequest:
PUT
/<bucket_name>

host:storage.yandexcloud.net
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b********
x-amz-date:20240603T100236Z

host;x-amz-content-sha256;x-amz-date
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b********

2024-06-03 13:02:36,238 - MainThread - botocore.auth - DEBUG - StringToSign:
AWS4-HMAC-SHA256
20240603T100236Z
20240603/ru-central1/s3/aws4_request
7877a13bafaa45f9751e7f345b64a63acc6de279ff927736e906d7c5********

2024-06-03 13:02:36,238 - MainThread - botocore.auth - DEBUG - Signature:
90545034742d1e057c8eeb2cca3c23a38a3ced5ef847f61ac80cb8e1********
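
The three signing stages above, together with the StringToSign layout visible in the debug output, as an added Python example (not code from the original page or from Yandex Cloud). The secret key and bucket name are constructed placeholders, `verify` is a hypothetical helper, and taking the fourth StringToSign line to be the hex SHA-256 of the canonical request follows AWS Signature V4.

```python
import hashlib
import hmac

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a request with no body


def sign(key: bytes, msg: str) -> bytes:
    """The page's sign(KEY, STRING): raw HMAC-SHA256 bytes, not hex."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region="ru-central1", service="s3") -> bytes:
    """Steps 1-4 of "Generate a signing key"; date is yyyymmdd."""
    date_key = sign(("AWS4" + secret_key).encode("utf-8"), date)
    region_key = sign(date_key, region)
    service_key = sign(region_key, service)
    return sign(service_key, "aws4_request")


def string_to_sign(amz_date: str, canonical_request: str, region="ru-central1", service="s3") -> str:
    """Four lines as in the debug output: algorithm, timestamp, scope, request hash."""
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    request_hash = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, request_hash])


def signature(secret_key: str, amz_date: str, canonical_request: str) -> str:
    key = signing_key(secret_key, amz_date[:8])
    return sign(key, string_to_sign(amz_date, canonical_request)).hex()


def verify(secret_key: str, amz_date: str, canonical_request: str, claimed: str) -> bool:
    """Recompute the signature and compare it in constant time."""
    return hmac.compare_digest(signature(secret_key, amz_date, canonical_request), claimed)


# Constructed sample input: placeholder secret key and bucket name (assumptions).
SECRET_KEY, AMZ_DATE = "EXAMPLE-SECRET-KEY-NOT-REAL", "20240603T100236Z"
CANONICAL_REQUEST = "\n".join([
    "PUT", "/example-bucket", "",  # method, path, empty query string
    "host:storage.yandexcloud.net",
    f"x-amz-content-sha256:{EMPTY_SHA256}",
    f"x-amz-date:{AMZ_DATE}", "",  # blank line ends the canonical headers
    "host;x-amz-content-sha256;x-amz-date",
    EMPTY_SHA256,
])

if __name__ == "__main__":
    print(signature(SECRET_KEY, AMZ_DATE, CANONICAL_REQUEST))
```

The date, region and service are folded into SigningKey, so a derived key is bound to one day's scope. When a computed value differs from the `--debug` output, compare the canonical request line by line first, since any byte difference there changes the final hash.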

See also

  • Example of sending a signed request using curl
  • Code example for generating a signature
