HTTP Query-based requests are defined as any HTTP requests using the HTTP verb GET or POST and a Query parameter named either Action or Operation. Action is used throughout this documentation, although Operation is supported for backward compatibility with other AWS Query APIs.
Each Query request must include some common parameters to handle authentication and selection of an action. These parameters are documented in the section called “Common Query Parameters”.
Some operations take lists of parameters. These lists are specified using the param.n notation. Values of n should be integers starting from 1.
Every request to Amazon EC2 must contain a request signature. A request signature is calculated by constructing a string and then calculating an RFC 2104-compliant HMAC-SHA1 hash, using the Secret AWS Access Key as the key. For more information, see http://www.faqs.org/rfcs/rfc2104.html.
The following are the basic steps used in authenticating requests to AWS. It is assumed that the developer has already registered with AWS and received an Access Key ID and Secret Access Key.
Note: If a request contains a Timestamp parameter, the signature calculated for the request expires 15 minutes after the Timestamp value. If a request contains an Expires parameter, the signature expires at the time specified as the value for the Expires parameter.
The following steps demonstrate how to calculate a signature for requests to AWS:
The following steps demonstrate how to calculate the string to be signed:
? or the separating
& and = characters.
Given the following Query string to sign (linebreaks added for clarity):
?Action=DescribeImages
&AWSAccessKeyId=10QMXFEV71ZS32XQFTR2
&SignatureVersion=1
&Timestamp=2006-12-08T07%3A48%3A03Z
&Version=2006-10-01
The HMAC signature should be calculated over the following string:
ActionDescribeImagesAWSAccessKeyId10QMXFEV71ZS32XQFTR2SignatureVersion1Timestamp2006-12-08T07:48:03ZVersion2006-10-01
Given the Query string above and the secret key DMADSSfPfdaDjbK+RRUhS/aDrjsiZadgAUm8gRU2, the base64 encoded signature is as follows:
69DSJs1z+0wWJmdB77+Lm0N0Trs=
Shown below is a Java code sample to compute the signature from the string and the secret key.

import java.nio.charset.StandardCharsets;
import java.security.SignatureException;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacExample
{
    private static final String HMAC_SHA1_ALGORITHM = "HmacSHA1";

    /**
     * Computes RFC 2104-compliant HMAC signature.
     *
     * @param data
     *     The data to be signed.
     * @param key
     *     The signing key.
     * @return
     *     The base64-encoded RFC 2104-compliant HMAC signature.
     * @throws
     *     java.security.SignatureException when signature generation fails
     */
    public static String calculateRFC2104HMAC(String data, String key)
        throws java.security.SignatureException
    {
        String result;
        try {
            // get an hmac_sha1 key from the raw key bytes
            // (explicit charset so the result does not depend on the platform default)
            SecretKeySpec signingKey = new SecretKeySpec(
                key.getBytes(StandardCharsets.UTF_8), HMAC_SHA1_ALGORITHM);

            // get an hmac_sha1 Mac instance and initialize with the signing key
            Mac mac = Mac.getInstance(HMAC_SHA1_ALGORITHM);
            mac.init(signingKey);

            // compute the hmac on input data bytes
            byte[] rawHmac = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));

            // base64-encode the hmac (java.util.Base64, available since Java 8)
            result = Base64.getEncoder().encodeToString(rawHmac);
        }
        catch (Exception e) {
            throw new SignatureException("Failed to generate HMAC : " + e.getMessage());
        }
        return result;
    }
}
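The following Python code is an added example, not part of the original documentation. It derives the string to sign from the example Query string above and shows the check a receiver would make, including the 15-minute Timestamp expiry from the note. Assumptions: parameter names are ordered case-insensitively, the Signature parameter is left out of the signed string, and the function and constant names are chosen here; the Expires parameter is not handled.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl

# Query string and secret key taken from the example on this page.
EXAMPLE_QUERY = ("?Action=DescribeImages&AWSAccessKeyId=10QMXFEV71ZS32XQFTR2"
                 "&SignatureVersion=1&Timestamp=2006-12-08T07%3A48%3A03Z"
                 "&Version=2006-10-01")
EXAMPLE_SECRET = "DMADSSfPfdaDjbK+RRUhS/aDrjsiZadgAUm8gRU2"
MAX_AGE = timedelta(minutes=15)  # lifetime after Timestamp, per the note


def _pairs(query):
    # URL-decode names and values; the leading '?' is not part of the data.
    return parse_qsl(query.lstrip("?"), keep_blank_values=True)


def string_to_sign(query):
    """Concatenate decoded names and values without '?', '&' or '='."""
    # Assumptions: Signature itself is not signed, and names are ordered
    # case-insensitively (this reproduces the order in the page's example).
    pairs = [(k, v) for k, v in _pairs(query) if k != "Signature"]
    pairs.sort(key=lambda kv: kv[0].lower())
    return "".join(k + v for k, v in pairs)


def sign(query, secret_key):
    """Base64-encoded RFC 2104 HMAC-SHA1 of the string to sign."""
    mac = hmac.new(secret_key.encode("utf-8"),
                   string_to_sign(query).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify(query, secret_key, now):
    """Receiver side: the signature must match and must not have expired."""
    params = dict(_pairs(query))
    presented = params.get("Signature", "").encode("utf-8")
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(presented, sign(query, secret_key).encode()):
        return False  # wrong key, altered parameter, or no signature
    try:
        stamp = datetime.strptime(params["Timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    except (KeyError, ValueError):
        return False  # requests using Expires are not handled here
    return now - stamp.replace(tzinfo=timezone.utc) <= MAX_AGE
```

When appending the result of sign() to a request as the Signature parameter, URL-encode it, because base64 output can contain +, / and =.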