Yandex project
© 2023 Intertech Services AG

Signing requests

Written by
Yandex Cloud
  • Generating a signing key
  • Generate a string to sign
  • Sign a string with a key

Many requests to Object Storage require authentication on the service side, so the user sending a request must sign it.

Object Storage supports AWS Signature V4.

The signing process consists of the following stages:

  1. Generate a signing key
  2. Generate a string to sign
  3. Sign a string with a key

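Use HMAC with the SHA256 hash function to sign. Many programming languages provide methods for this. The examples assume that there is a sign(KEY, STRING) function that computes the HMAC-SHA256 of the input string with the specified key and returns the raw digest; the result is converted to hexadecimal only in the final step.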

Generating a signing key

To generate a signing key, you need static access keys for Object Storage. To learn how to get them, see Before you start.

Generate a signing key

  1. Use the secret key to encode the date:

    DateKey = sign("AWS4" + "SecretKey", "yyyymmdd")
    
  2. Encode the region using the DateKey obtained in the previous step:

    RegionKey = sign(DateKey, "ru-central1")
    
  3. Encode the service using the RegionKey obtained in the previous step:

    ServiceKey = sign(RegionKey, "s3")
    
  4. Get a signing key:

    SigningKey = sign(ServiceKey, "aws4_request")
    

Generate a string to sign

The string to sign (StringToSign) depends on the Object Storage usage scenario:

  • Accessing an Amazon S3-compatible API without an SDK or special utilities.
  • Uploading objects using an HTML form.
  • Signing a URL with query parameters.

Sign a string with a key

To get a string signature, use HMAC with the SHA256 hash function and convert the result to hexadecimal format.

    signature = Hex(sign(SigningKey, StringToSign))
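The three stages above, carried through in Python as an added example (not code from the Object Storage documentation). The secret key, date and string to sign are constructed placeholders, and `verify` is a hypothetical helper showing the constant-time comparison a checking side would use.

```python
import hashlib
import hmac

REGION = "ru-central1"   # region value given on this page
SERVICE = "s3"           # service value given on this page


def sign(key: bytes, msg: str) -> bytes:
    """The page's sign(KEY, STRING): HMAC-SHA256, returned as raw bytes."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date: str) -> bytes:
    """Steps 1-4 of 'Generate a signing key'; date is yyyymmdd."""
    date_key = sign(("AWS4" + secret_key).encode("utf-8"), date)
    region_key = sign(date_key, REGION)
    service_key = sign(region_key, SERVICE)
    return sign(service_key, "aws4_request")


def signature(secret_key: str, date: str, string_to_sign: str) -> str:
    """signature = Hex(sign(SigningKey, StringToSign))"""
    return sign(derive_signing_key(secret_key, date), string_to_sign).hex()


def verify(secret_key: str, date: str, string_to_sign: str, presented: str) -> bool:
    """Hypothetical checker: recompute, then compare in constant time."""
    expected = signature(secret_key, date, string_to_sign)
    return hmac.compare_digest(expected.encode(), presented.lower().encode())


# Constructed sample values, not real credentials or a real request.
SAMPLE_SECRET = "EXAMPLE-SECRET-KEY-NOT-REAL"
SAMPLE_DATE = "20230115"
SAMPLE_STRING_TO_SIGN = "constructed-string-to-sign"

if __name__ == "__main__":
    sig = signature(SAMPLE_SECRET, SAMPLE_DATE, SAMPLE_STRING_TO_SIGN)
    print("signature:", sig)
    print("verifies:", verify(SAMPLE_SECRET, SAMPLE_DATE, SAMPLE_STRING_TO_SIGN, sig))
    # The signing key is scoped to one date: the same secret on another day fails.
    print("other day:", verify(SAMPLE_SECRET, "20230116", SAMPLE_STRING_TO_SIGN, sig))
```

Because the derived key is bound to the date, region and service, a leaked SigningKey is only usable within that scope, while the static secret key itself never has to leave the signer.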
