signature_v4_auth function

Signature Version 4

Signature Version 4

AWS Signature Version 4 for use in query or header authorization

signature_v4_auth(
  datetime = format(Sys.time(), "%Y%m%dT%H%M%SZ", tz = "UTC"),
  region = NULL,
  service,
  verb,
  action,
  query_args = list(),
  canonical_headers,
  request_body,
  signed_body = FALSE,
  key = NULL,
  secret = NULL,
  session_token = NULL,
  query = FALSE,
  algorithm = "AWS4-HMAC-SHA256",
  force_credentials = FALSE,
  verbose = getOption("verbose", FALSE)
)

Arguments

  • datetime: A character string containing a datetime in the form of YYYYMMDDTHHMMSSZ . If missing, it is generated automatically using Sys.time.
  • region: A character string containing the AWS region for the request. If missing, us-east-1 is assumed.
  • service: A character string containing the AWS service (e.g., iam , host , ec2 ).
  • verb: A character string containing the HTTP verb being used in the request.
  • action: A character string containing the API endpoint used in the request.
  • query_args: A named list of character strings containing the query string values (if any) used in the API request, passed to canonical_request.
  • canonical_headers: A named list of character strings containing the headers used in the request.
  • request_body: The body of the HTTP request.
  • signed_body: Should the body be signed
  • key: An AWS Access Key ID. If NULL, it is retrieved using locate_credentials.
  • secret: An AWS Secret Access Key. If NULL, it is retrieved using locate_credentials.
  • session_token: Optionally, an AWS Security Token Service (STS) temporary Session Token. This is added automatically as a header to canonical_headers. See locate_credentials.
  • query: A logical. Currently ignored.
  • algorithm: A character string containing the hashing algorithm used in the request. Should only be SHA256 .
  • force_credentials: A logical indicating whether to force use of user-supplied credentials. If FALSE (the default), locate_credentials is used to find credentials. If TRUE, user-supplied values are used regardless of their validity.
  • verbose: A logical indicating whether to be verbose.

Returns

A list of class aws_signature_v4 , containing the information needed to sign an AWS API request using either query string authentication or request header authentication. Specifically, the list contains:

  • Algorithm: A character string containing the hashing algorithm used during the signing process (default is SHA256).

  • Credential: A character string containing an identifying credential scoped to the region, date, and service of the request.

  • Date: A character string containing a YYYYMMDD-formatted date.

  • SignedHeaders: A character string containing a semicolon-separated listing of request headers used in the signature.

  • Body: The value passed to request_body.

  • BodyHash: A character string containing a SHA256 hash of the request body.

  • Verb: The value passed to verb.

  • Query: The value passed to query_args.

  • Service: The value passed to service.

  • Action: The value passed to action.

  • CanonicalRequest: A character string containing the canonical request.

  • StringToSign: A character string containing the string to sign for the request.

  • Signature: A character string containing a request signature hash.

  • SignatureHeader: A character string containing a complete Authorization header value.

  • AccessKeyId: A character string containing the access key id identified by locate_credentials.

  • SecretAccessKey: A character string containing the secret access key identified by locate_credentials.

  • SessionToken: A character string containing the session token identified by locate_credentials.

  • Region: A character string containing the region identified by locate_credentials.

These values can either be used as query parameters in a REST-style API request, or as request headers. If authentication is supplied via query string parameters, the query string should include the following:

Action=action

&X-Amz-Algorithm=Algorithm

&X-Amz-Credential=URLencode(Credentials)

&X-Amz-Date=Date

&X-Amz-Expires=timeout

&X-Amz-SignedHeaders=SignedHeaders

where action is the API endpoint being called and timeout is a numeric value indicating when the request should expire.

If signing a request using header-based authentication, the Authorization header in the request should be included with the request that looks as follows:

Authorization: Algorithm Credential=Credential, SignedHeaders=SignedHeaders, Signature=Signature

This is the value printed by default for all objects of class aws_signature_v4 .

Details

This function generates an AWS Signature Version 4 for authorizing API requests.

References

AWS General Reference: Signature Version 4 Signing Process

Amazon S3 API Reference: Authenticating Requests (AWS Signature Version 4)

Add the Signing Information to the Request

See Also

signature_v2_auth, locate_credentials

Author(s)

Thomas J. Leeper thosjleeper@gmail.com

aws.signature packageRead PDF manual
  • Maintainer: Jonathan Stott
  • License: GPL (>= 2)
  • Last published: 2020-06-01

Useful links