The ECS S3 service enables authentication using Signature Version 2 and Signature Version 4. This topic identifies any ECS-specific aspects of the authentication process.
Amazon S3 uses an authorization header that must be present in all requests to identify the user and provide a signature for the request. The format of the authorization header differs between Signature Version 2 and Signature Version 4 authentication.
To create an authorization header, you need an AWS Access Key Id and a Secret Access Key. In ECS, the AWS Access Key Id maps to the ECS user id (UID). An AWS Access Key Id has 20 characters (some S3 clients, such as the S3 Browser, check this), but the ECS data service does not have this limitation.
Authentication using Signature V2 and Signature V4 is introduced in:
In the ECS object data service, the UID can be configured (through the ECS REST API or the ECS Portal) with two secret keys. The ECS data service tries the first secret key, and if the calculated signature does not match, it tries the second secret key. If the second key also fails, it rejects the request. When users add or change a secret key, they should wait two minutes before using the new key so that all data service nodes can be refreshed with it.
In the ECS data service, the namespace is also included in the HMAC signature calculation.
Authenticating using Signature V2
The Authorization header when using Signature V2 looks like this:
Authorization: AWS <AWSAccessKeyId>:<Signature>
For example:
GET /photos/puppy.jpg?AWSAccessKeyId=user11&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv4%3D HTTP/1.1
Host: myco.s3.amazonaws.com
Date: Mon, 26 Mar 2007 19:37:58 +0000
Authentication using Signature V2 is described in:
The Credential component comprises your Access Key Id followed by the Credential Scope. The Credential Scope comprises Date/Region/Service Name/Termination String. For ECS, the Service Name is always s3 and the Region can be any string. When computing the signature, ECS uses the Region string passed by the client.
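The following sketch is an added example, not ECS code. It shows how a verifier can combine the Credential Scope handling described here with the two-secret-key fallback described earlier, using the standard Signature V4 key derivation. The secrets, host name, region string and function names are constructed for illustration, and the ECS namespace contribution to the HMAC is left out because this page does not say how it is applied.

```python
import hashlib
import hmac
from typing import Optional, Sequence

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def parse_credential(credential: str) -> dict:
    # Credential = <Access Key Id>/<Date>/<Region>/<Service Name>/<Termination String>.
    # Split from the right so nothing is assumed about the UID's length or form.
    uid, date, region, service, term = credential.rsplit("/", 4)
    if service != "s3" or term != "aws4_request":
        raise ValueError("unexpected credential scope")
    return {"uid": uid, "date": date, "region": region}

def sign(secret: str, date: str, region: str, amz_date: str, canonical_request: str) -> str:
    # Standard SigV4 key derivation; the Region is whatever string the client sent.
    key = _mac(("AWS4" + secret).encode("utf-8"), date)
    for part in (region, "s3", "aws4_request"):
        key = _mac(key, part)
    scope = f"{date}/{region}/s3/aws4_request"
    digest = hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, digest])
    return hmac.new(key, to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

def verify(credential: str, amz_date: str, canonical_request: str,
           presented: str, secret_keys: Sequence[str]) -> Optional[int]:
    # Try the first secret key, then the second; return the index that
    # matched, or None to reject the request.
    scope = parse_credential(credential)
    for index, secret in enumerate(secret_keys[:2]):
        expected = sign(secret, scope["date"], scope["region"], amz_date, canonical_request)
        if hmac.compare_digest(expected, presented):  # constant-time comparison
            return index
    return None

# Constructed sample data (not real credentials).
KEYS = ["constructed-old-secret", "constructed-new-secret"]
REQUEST = "GET\n/photos/puppy.jpg\n\nhost:ecs.example.test\n\nhost\nUNSIGNED-PAYLOAD"
CRED = "user11/20240101/any-region-string/s3/aws4_request"

if __name__ == "__main__":
    sig = sign(KEYS[1], "20240101", "any-region-string", "20240101T000000Z", REQUEST)
    print(verify(CRED, "20240101T000000Z", REQUEST, sig, KEYS))
```

Because the Region string is an input to the key derivation, a signature computed for one Region string does not verify against a Credential that names a different one, which is why the verifier must use the string the client passed.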
Authentication using Signature V4 is described in: