Signing requests
Many requests to Object Storage require authentication on the service side, so the user sending a request must sign it.
Object Storage supports AWS Signature V4.
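The signing process consists of the following stages:
- Generate a signing key.
- Generate a string to sign.
- Sign the string with the key.
Use HMAC to sign. The steps below assume a sign(KEY, STRING) function that encodes the input string with the specified key.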
Generating a signing key
To generate a signing key, you need static access keys for Object Storage. To learn how to get them, see Before you start.
Generate a signing key
- Use the secret key to encode the date:
  DateKey = sign("AWS4" + "SecretKey", "yyyymmdd")
- Encode the region using the DateKey obtained in the previous step:
  RegionKey = sign(DateKey, "ru-central1")
- Encode the service using the RegionKey obtained in the previous step:
  ServiceKey = sign(RegionKey, "s3")
- Get a signing key:
  SigningKey = sign(ServiceKey, "aws4_request")
Generate a string to sign
The string to sign (StringToSign) depends on the Object Storage usage scenario:
- Accessing an Amazon S3-compatible API without an SDK or special utilities.
- Uploading objects using an HTML form.
- Signing a URL with query parameters.
Sign a string with a key
To get a string signature, use HMAC with the SHA256 hash function and convert the result to hexadecimal format.
signature = Hex(sign(SigningKey, StringToSign))
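The key derivation and final signing step above in Python, as an added example that is not part of the original documentation. The secret key, date and StringToSign are constructed sample values, and the function names other than sign are assumptions.

```python
import hashlib
import hmac


def sign(key: bytes, msg: str) -> bytes:
    """HMAC-SHA256 of msg under key; returns raw bytes, not hex."""
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date: str,
                       region: str = "ru-central1", service: str = "s3") -> bytes:
    """Chain DateKey -> RegionKey -> ServiceKey -> SigningKey as in the steps above."""
    date_key = sign(("AWS4" + secret_key).encode("utf-8"), date)  # date is yyyymmdd
    region_key = sign(date_key, region)
    service_key = sign(region_key, service)
    return sign(service_key, "aws4_request")


def signature(signing_key: bytes, string_to_sign: str) -> str:
    """Hex(sign(SigningKey, StringToSign)); hex encoding happens only here."""
    return sign(signing_key, string_to_sign).hex()


def verify(signing_key: bytes, string_to_sign: str, presented: str) -> bool:
    """Constant-time comparison of a presented signature with the expected one."""
    return hmac.compare_digest(signature(signing_key, string_to_sign), presented)


# Constructed sample values, not real credentials.
SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"
DATE = "20240115"
# Constructed StringToSign in the AWS Signature V4 layout; the real content
# depends on the usage scenario listed above.
STRING_TO_SIGN = "\n".join([
    "AWS4-HMAC-SHA256",
    "20240115T120000Z",
    f"{DATE}/ru-central1/s3/aws4_request",
    hashlib.sha256(b"constructed canonical request").hexdigest(),
])

if __name__ == "__main__":
    key = derive_signing_key(SECRET_KEY, DATE)
    sig = signature(key, STRING_TO_SIGN)
    print("signature:", sig)
    print("verifies:", verify(key, STRING_TO_SIGN, sig))
    # The signing key is scoped to one date: the next day's key rejects it.
    next_day_key = derive_signing_key(SECRET_KEY, "20240116")
    print("next day:", verify(next_day_key, STRING_TO_SIGN, sig))
```

Intermediate keys are passed on as raw bytes; hex-encoding DateKey, RegionKey or ServiceKey before the next step produces a different SigningKey and a signature that fails verification.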