Authentication
When you create an AWS account, AWS assigns your AWS access key identifiers, a pair of related credentials:
- Access Key ID (a 20-character, alphanumeric string). For example: 022QF06E7MXBSH9DHM02
- Secret Access Key (a 40-character string). For example: kWcrlUX5JEDGM/LtmEENI/aVmYvHNif5zB+d9+ct
Important: Your Secret Access Key is a secret and should be known only by you and AWS. It is important to keep it confidential to protect your account. Never include it in your requests to AWS and never e-mail it to anyone. Do not share it outside your organization, even if an inquiry appears to come from AWS or Amazon.com. No one who legitimately represents Amazon will ever ask you for your Secret Access Key.
The Access Key ID uniquely identifies an AWS account. You include it in AWS service requests to identify yourself as the sender of the request.
To prove that you are the owner of the account making the request, you must include a signature. For all requests, you calculate the signature over the request data with your Secret Access Key. AWS uses the Access Key ID in the request to look up your Secret Access Key and then calculates its own signature over the same request data with that key. If the calculated signature matches the signature you sent, the request is considered authentic. Otherwise, the request fails authentication and is not processed. Because the same secret is used on both sides, the signature proves possession of the Secret Access Key without ever transmitting it.
Viewing Your Credentials
Your Access Key ID and Secret Access Key are displayed when you create your AWS account. They are not e-mailed to you. If you need to see them again, you can view them at any time from your AWS account.
To view your AWS access identifiers
- Go to the Amazon Web Services web site at http://aws.amazon.com.
- Point to Your Web Services Account to display a list of options.
- Click View Access Key Identifiers and log in to your AWS account.
Your Access Key ID and Secret Access Key are displayed on the resulting AWS Access Identifiers page.
Using HMAC-SHA1 Signatures
When accessing Amazon S3 using REST or SOAP, you must provide the following items so the request can be authenticated:
Request Elements
- AWS Access Key Id: Your AWS account is identified by your Access Key ID, which AWS uses to look up your Secret Access Key.
- Signature: Each request must contain a valid request signature, or the request is rejected. A request signature is calculated using your Secret Access Key, which is a shared secret known only to you and AWS.
- Time stamp (Date): Each request must contain the date and time the request was created, represented as a string in UTC. The format of the value of this parameter is API-specific. Depending on the API you're using, you can provide an expiration date and time for the request instead of or in addition to the time stamp. See the authentication topic for the particular API to determine what the API requires. Because the time stamp (or expiration) is part of the signed data, a captured request cannot be replayed indefinitely.
Following are the general steps for authenticating requests to AWS. It is assumed you have already created an AWS account and received an Access Key ID and Secret Access Key.
1. Construct a request to AWS.
2. Calculate a keyed-hash message authentication code (HMAC) signature using your Secret Access Key.
3. Include the signature and your Access Key ID in the request, and then send the request to AWS. AWS performs the next three steps.
4. AWS uses the Access Key ID to look up your Secret Access Key.
5. AWS generates a signature from the request data and the Secret Access Key using the same algorithm you used to calculate the signature you sent in the request.
6. If the signature generated by AWS matches the one you sent in the request, the request is considered authentic. If the comparison fails, the request is discarded, and AWS returns an error response.
Detailed Authentication Information
For detailed information about REST and SOAP authentication, see Authenticating REST Requests and Authenticating SOAP Requests.
Using Base64 Encoding
HMAC request signatures must be Base64 encoded. Base64 encoding converts the raw 20-byte HMAC-SHA1 output into a simple ASCII string (28 characters, including padding) that can be attached to the request. Two Base64 characters, plus (+) and forward slash (/), cannot be used directly in a URI and must be percent-encoded when the signature is carried in a query string. For example, if the signature includes a plus (+) sign, encode it as %2B in the request; encode a forward slash as %2F. No such encoding is needed when the signature travels in the Authorization header.
For examples of Base64 encoding, refer to the Amazon S3 code samples.
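The following is an added example, not code from the original page or from Amazon's own samples. It walks through the six-step procedure above (client signs, server looks up the secret and recomputes) and the Base64 and percent-encoding rules from this section. The string-to-sign layout (verb, Content-MD5, Content-Type, Date, canonicalized x-amz-* headers, resource path) is the legacy S3 REST format from the "Authenticating REST Requests" topic and is assumed here; the credential values are the documentation examples from this page, and CREDENTIAL_STORE, string_to_sign, sign, authorization_header, query_string_auth and verify are names chosen for this example.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample credentials: the documentation example pair from this
# page, not live keys.
ACCESS_KEY_ID = "022QF06E7MXBSH9DHM02"
SECRET_ACCESS_KEY = "kWcrlUX5JEDGM/LtmEENI/aVmYvHNif5zB+d9+ct"

# Constructed stand-in for the lookup AWS performs in step 4
# (Access Key ID -> Secret Access Key).
CREDENTIAL_STORE = {ACCESS_KEY_ID: SECRET_ACCESS_KEY}


def string_to_sign(method, bucket, key, date, content_md5="", content_type="", amz_headers=None):
    """Step 1: build the data to be signed (assumed legacy S3 REST layout).

    Verb, Content-MD5, Content-Type and Date are newline-separated, then the
    x-amz-* headers (lowercased names, trimmed values, sorted), then the
    resource path. When an Expires value is used instead of a Date, the
    caller passes it in the `date` slot.
    """
    amz_headers = amz_headers or {}
    canonical_amz = "".join(
        f"{name}:{value.strip()}\n"
        for name, value in sorted((k.lower(), v) for k, v in amz_headers.items())
    )
    resource = f"/{bucket}/{key}"
    return f"{method}\n{content_md5}\n{content_type}\n{date}\n{canonical_amz}{resource}"


def sign(secret_access_key, message):
    """Step 2: HMAC-SHA1 over the string to sign, Base64 encoded."""
    mac = hmac.new(secret_access_key.encode("utf-8"), message.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def authorization_header(access_key_id, secret_access_key, message):
    """Step 3, header form: the Access Key ID and signature travel together."""
    return f"AWS {access_key_id}:{sign(secret_access_key, message)}"


def query_string_auth(access_key_id, secret_access_key, message, expires):
    """Step 3, query-string form with an Expires time.

    The Base64 signature may contain '+' and '/', which are not URI-safe,
    so it is percent-encoded (%2B, %2F) before being placed in the URI.
    """
    sig = sign(secret_access_key, message)
    return f"AWSAccessKeyId={access_key_id}&Expires={expires}&Signature={quote(sig, safe='')}"


def verify(authorization, message):
    """Steps 4-6 on the server side.

    Parse the header, look up the secret by Access Key ID, recompute the
    signature over the same request data, and compare in constant time so
    the comparison itself leaks nothing about the expected value.
    """
    try:
        scheme, rest = authorization.split(" ", 1)
        access_key_id, presented = rest.split(":", 1)
    except ValueError:
        return False
    if scheme != "AWS":
        return False
    secret = CREDENTIAL_STORE.get(access_key_id)
    if secret is None:
        return False  # unknown Access Key ID: reject without saying why
    expected = sign(secret, message)
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))


if __name__ == "__main__":
    # Constructed request: a GET of one object on a fixed date.
    msg = string_to_sign("GET", "example-bucket", "photos/puppy.jpg",
                         "Tue, 27 Mar 2007 19:36:42 +0000")
    header = authorization_header(ACCESS_KEY_ID, SECRET_ACCESS_KEY, msg)
    print(header)
    print("authentic:", verify(header, msg))
    print("tampered verb:", verify(header, msg.replace("GET", "PUT")))
    print(query_string_auth(ACCESS_KEY_ID, SECRET_ACCESS_KEY, msg, 1175024202))
```

Running the module prints one signed Authorization header, shows that the unmodified request verifies and that changing a single signed field (the HTTP verb) makes verification fail, and prints the query-string form in which the same signature has been percent-encoded. Note that verify rejects an unknown Access Key ID and a malformed header with the same False result, so a caller cannot distinguish the two cases.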