Authenticating REST Requests

If you already know how authentication works for Amazon Simple Storage Service REST requests, then the information in this topic will be familiar to you.

Following are the main differences between how you authenticate CloudFront and Amazon S3 requests:

Authentication is how you prove your identity to the system. You must prove your identity in all your requests to the CloudFront control API. The following sections describe how.

The CloudFront REST API uses a custom HTTP scheme based on a keyed-HMAC (Hash Message Authentication Code) for authentication. The following figure and table describe the basic process for authentication.

	Note
	We also confirm the request time stamp is within 15 minutes of the AWS server time. For more information, see Fetching the Date.

In the first task in the preceding process, you form a string. The string is simply the UTF-8 encoded value of the Date header in the request (e.g., Thu, 19 Nov 2009 19:37:58 GMT). Your request must include either the Date header, the x-amz-date header, or both (if both are present, we ignore the Date header when authenticating the request). You might decide to include the x-amz-date header if your HTTP client doesn't let you set the Date header.

The format you use for the header value must be one of the full date formats specified in RFC 2616 section 3.1.1. For example: Wed, 05 Apr 2006 21:12:00 GMT. For more information, go to the RFC 2616 specification.

Calculating the value to include in the request is a simple procedure.

The following table shows a string, a fake Secret Access Key, and what the resulting base64 encoded signature would be.

To pass the signature to AWS, you include it as part of the standard HTTP Authorization header. You include both the signature and your AWS Access Key ID in the header using the following format.

Authorization: AWS <AWSAccessKeyId>:<Signature>

Note that there is a space after the AWS.

Following is an example REST request with the example signature calculated in the preceding section. The AWS Access Key ID (0PN5J17HBGZHT7JJ3X82) is fake.

POST /2009-12-01/distribution HTTP/1.1
Host: cloudfront.amazonaws.com
Date: Thu, 14 Aug 2008 17:08:48 GMT
Authorization: AWS 0PN5J17HBGZHT7JJ3X82:4cP0hCJsdCxTJ1jPXo7+e/YSu0g=
[Other required headers]

<?xml version="1.0" encoding="UTF-8"?>
<DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2009-12-01/">
  <Origin>mybucket.s3.amazonaws.com</Origin>
  <CallerReference>20091130090000</CallerReference>
  <Comment>My comments</Comment>
  <Enabled>true</Enabled>
</DistributionConfig>

If the signature we create based on your request and Secret Access Key doesn't match the signature you sent in the request, we return the following error.

<ErrorResponse xmlns="http://cloudfront.amazonaws.com/doc/2009-12-01/">
   <Error>
      <Type>Sender</Type>
      <Code>SignatureDoesNotMatch</Code>
      <Message>The request signature we calculated 
        does not match the signature you provided. 
        Check your AWS Secret Access Key and signing
        method. Consult the service documentation for details.
      </Message>
   </Error>
   <RequestId>a1170c87-d04d-47c9-964f-54e1a4883f4e</RequestId>
</ErrorResponse>

To avoid replays of your requests, AWS requires the time stamp in the request to be within 15 minutes of the AWS system time. To avoid clock synchronization errors, we recommend you fetch the current date from the CloudFront server and then use that as the time stamp for your request and the string for your signature.

We return the current server date as the value of the Date response header (note that the HTTP status code may or may not be a 200). The date uses the RFC 1123 format (e.g., Wed, 18 Nov 2009 17:08:48 GMT). For more information, go to the RFC 1123 specification.