Signing an HTTP Request
Topics
• Example Signature Calculation (p. 125)
Amazon Redshift requires that every request you send to the management API be authenticated with a
signature.This topic explains how to sign your requests.
If you are using one of the AWS Software Development Kits (SDKs) or the AWS Command Line Interface,
request signing is handled automatically, and you can skip this section. For more information about using
AWS SDKs, see Using the AWS SDKs with Amazon Redshift (p. 117). For more information about using
the Amazon Redshift Command Line Interface, go to Amazon Redshift Command Line Reference.
To sign a request, you calculate a digital signature by using a cryptographic hash function. A cryptographic
hash is a function that returns a unique hash value that is based on the input.The input to the hash
function includes the text of your request and your secret access key.The hash function returns a hash
value that you include in the request as your signature.The signature is part of the Authorization
header of your request.
After Amazon Redshift receives your request, it recalculates the signature by using the same hash function
and input that you used to sign the request. If the resulting signature matches the signature in the request,
Amazon Redshift processes the request; otherwise, the request is rejected.
Amazon Redshift supports authentication using AWS Signature Version 4. The process for calculating a
signature is composed of three tasks.These tasks are illustrated in the example that follows.
• Task 1: Create a Canonical Request
Rearrange your HTTP request into a canonical form. Using a canonical form is necessary because
Amazon Redshift uses the same canonical form to calculate the signature it compares with the one
you sent.
• Task 2: Create a String to Sign
Create a string that you will use as one of the input values to your cryptographic hash function.The
string, called the string to sign, is a concatenation of the name of the hash algorithm, the request date,
a credential scope string, and the canonicalized request from the previous task. The credential scope
string itself is a concatenation of date, region, and service information.
• Task 3: Create a Signature
Create a signature for your request by using a cryptographic hash function that accepts two input
strings, your string to sign and a derived key.The derived key is calculated by starting with your secret
API Version 2012-12-01
124
Amazon Redshift Management Guide
To Next Page
Loading...
Need help?
General
