SOAP without WS-Security

This section describes how to authenticate SOAP requests without using WS-Security. The topics describe the basic requirements, the required authentication information, and where to place the information in the SOAP request.

General Requirements

If you plan to use SOAP without WS-Security:

You can use either SOAP 1.1 or SOAP 1.2
You must use HTTPS with your requests

	Note
	Before API version 2008-01-01, SQS supported only SOAP 1.1.

Required Authentication Information

Authentication of SOAP requests without WS-Security uses your AWS identifiers and an HMAC-SHA1 signature. The request must include the parameters listed in the following table.

Parameter Description

AWSAccessKeyId

Your AWS Access Key ID. For more information, see Your AWS Identifiers.

Timestamp

This must be a dateTime object with the complete date plus hours, minutes, and seconds (for more information, see Request Parameters Common to All Actions and look at the Timestamp parameter, or go to http://www.w3.org/TR/xmlschema-2/#dateTime). Although it is not required, we recommend you provide the time stamp in the Coordinated Universal Time time zone (UTC, also known as Greenwich Mean Time). The request expires 15 minutes after the time stamp.

	Note
	Due to different interpretations regarding how extra time precision should be dropped, .NET users should take care not to send overly specific time stamps. You can do this by manually constructing `dateTime` objects with no more than millisecond precision.

Signature

The HMAC-SHA1 signature calculated from the concatenation of the Action and Timestamp parameters, using your AWS Secret Access Key as the key (for information about authentication with HMAC signatures, see HMAC-SHA Signatures). For example, for a request to create a queue, the value of the Signature element would be the HMAC-SHA1 digest of a string like this: CreateQueue2008-02-10T00:00:00Z

To calculate the signature

Concatenate the values of the Action and Timestamprequest parameters, in that order.
The string you've just created is the string you'll use when generating the signature.
Calculate an RFC 2104-compliant HMAC-SHA1 signature, using the string you just created and your Secret Access Key as the key.
Convert the resulting value to base64.
Pass this final value in the Signature parameter of the SOAP request.

Location of Authentication Information in the Request

With version 2008-01-01, you must provide the authentication information as elements in the SOAP header (using the namespace http://security.amazonaws.com/doc/2007-01-01/), as in the following example.

<?xml version="1.0"?>
<soap:Envelope
   xmlns:soap="http://www.w3.org/2001/12/soap-envelope"
   soap:encodingStyle="http://www.w3.org/2001/12/soap-encoding">

<soap:Header
   xmlns:aws="http://security.amazonaws.com/doc/2007-01-01/">
   <aws:AWSAccessKeyId>1D9FVRAYCP1VJS767E02EXAMPLE</aws:AWSAccessKeyId>
   <aws:Timestamp>2008-02-10T23:59:59Z</aws:Timestamp>
   <aws:Signature>SZf1CHmQnrZbsrC13hCZS061ywsEXAMPLE</aws:Signature>
</soap:Header>
...
</soap:Envelope>