Signing requests

Many requests to Object Storage require authentication on the service side, so the user sending a request must sign it.

Object Storage supports AWS Signature V4.

The signing process consists of the following stages:

  1. Generate a signing key
  2. Generate a string to sign
  3. Sign the string with a key

Sign with HMAC using the SHA256 hash function; most programming languages provide an implementation. The samples assume a sign function that takes a key and an input string and returns the HMAC-SHA256 of the string under that key.

Generate a signing key

To generate a signing key, you need static access keys for Object Storage. To find out how to get them, read Before you start.

  1. Use the secret key to encode the date:

    DateKey = sign("AWS4" + "SecretKey", "yyyymmdd")

  2. Encode the region using the DateKey obtained in the previous step:

    RegionKey = sign(DateKey, "ru-central1")

  3. Encode the service using the RegionKey obtained in the previous step:

    ServiceKey = sign(RegionKey, "s3")

  4. Get a signing key:

    SigningKey = sign(ServiceKey, "aws4_request")

Generate a string to sign

The string to sign (StringToSign) depends on the Object Storage usage scenario:

Sign a string with a key

To get a string signature, use HMAC with the SHA256 hash function and convert the result to hexadecimal format.

    signature = Hex(sign(SigningKey, StringToSign))
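
The key derivation and signing steps above, as an added Python example (not code from the Object Storage documentation). The secret key and the string to sign are constructed placeholders, and the function names derive_signing_key, signature and verify are hypothetical; verify shows the constant-time comparison a checking side should use.

```python
import hashlib
import hmac
from datetime import datetime, timezone


def sign(key: bytes, msg: str) -> bytes:
    """HMAC-SHA256 of msg under key; returns the raw 32-byte digest."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date: str,
                       region: str = "ru-central1", service: str = "s3") -> bytes:
    """Chain the four steps. Each intermediate key is passed on as raw
    bytes; hex-encoding it between steps yields a different, invalid key."""
    date_key = sign(("AWS4" + secret_key).encode("utf-8"), date)  # date is yyyymmdd
    region_key = sign(date_key, region)
    service_key = sign(region_key, service)
    return sign(service_key, "aws4_request")


def signature(signing_key: bytes, string_to_sign: str) -> str:
    """Final step: only this result is converted to hexadecimal."""
    return sign(signing_key, string_to_sign).hex()


def verify(signing_key: bytes, string_to_sign: str, presented: str) -> bool:
    """Recompute the signature and compare in constant time."""
    expected = signature(signing_key, string_to_sign)
    return hmac.compare_digest(expected.encode(), presented.encode())


# Constructed sample values, not real credentials or a real StringToSign.
SECRET_KEY = "EXAMPLE-SECRET-KEY-not-a-real-credential"
STRING_TO_SIGN = "constructed placeholder for StringToSign"

if __name__ == "__main__":
    today = datetime.now(timezone.utc).strftime("%Y%m%d")
    key = derive_signing_key(SECRET_KEY, today)
    sig = signature(key, STRING_TO_SIGN)
    print("date:", today)
    print("signature:", sig)
    print("verifies:", verify(key, STRING_TO_SIGN, sig))
    # A key derived for another date does not verify the same signature.
    other = derive_signing_key(SECRET_KEY, "20000101")
    print("other date verifies:", verify(other, STRING_TO_SIGN, sig))
```

Because the date is the first input to the chain, a derived signing key is bound to that date, region and service, so it can be cached for the day without keeping the secret key in memory for every request.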