You can add the signature to your API request after you calculate it in Calculating a Signature.

You can include the signature either in the HTTP Authorization header or as a parameter in the query string, but not in both at the same time.

You do not need to do this procedure if you use AWS CLI or an SDK for your API request.

The following procedures are available:

Before you begin: Complete the Calculating a Signature procedure.

Adding the signature to the Authorization header

  • To build the Authorization header, refer to the following pseudocode:

    Example of Authorization header
    Authorization: algorithm Credential=access key ID/credential scope, SignedHeaders=SignedHeaders, Signature=signature
    • Do not insert any comma between the algorithm and Credential. However, separate the following values with commas.
    • The value of Credential is the ID of the access key, followed by a slash (/), followed by the credential information calculated in Creating a String to Sign. The secret key is used to create the signing key that you need for the signature, but it is not part of the signature information included in the request.

    The HTTP Authorization header is created and contains the signature.

    Example of Authorization header
    Authorization: AWS4-HMAC-SHA256 Credential=ACCESSKEYID/20180915/eu-west-2/ec2/aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature=8522c3bcf28f7c39dd7667ccf86a8d31718ca04d56d39d48649119d48021f567

Adding the signature to the query string

  • To build a query string with all the parameters of the request and the calculated signature, refer to the following pseudocode:

    Example of query string
    querystring = Action=action
    querystring += &X-Amz-Algorithm=algorithm
    querystring += &X-Amz-Credential= urlencode(access_key_ID + '/' + credential_scope)
    querystring += &X-Amz-Date=date
    querystring += &X-Amz-Expires=timeout interval
    querystring += &X-Amz-SignedHeaders=signed_headers
    querystring += &X-Amz-Signature=signature 

    All the values of the query string, except for the signature, are included in the canonical query string which is part of the canonical request you created in Creating a Canonical Request.

    If you create a request in which all the parameters are included in the query string, the resulting URL represents an action that is already authenticated. Therefore, you must treat this URL with as much caution as you would for your actual credentials. We recommend specifying a short expiration time for the request with the X-Amz-Expires parameter.

    The query string contains all the parameters of the request and the signature.

    Example of query string with the signature

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.