The ECS S3 service enables authentication using Signature Version 2 and Signature Version 4. This topic identifies any ECS-specific aspects of the authentication process.
Amazon S3 uses an authorization header that must be present in all requests to identify the user and provide a signature for the request. The format of the authorization header differs between Signature Version 2 and Signature Version 4 authentication.
In order to create an authorization header, you need an AWS Access Key Id and a Secret Access Key. In ECS, the AWS Access Key Id maps to the ECS user id (UID). An AWS Access Key ID has 20 characters (some S3 clients, such as the S3 Browser, check this), but ECS data service does not have this limitation.
Authentication using Signature V2 and Signature V4 are introduced in:
The following notes apply:
The Authorization header when using Signature V2 looks like this:
Authorization: AWS <AWSAccessKeyId>:<Signature>
For example:
GET /photos/puppy.jpg ?AWSAccessKeyId=user11&Expires=1141889120&Signature=vjbyPxybdZaNmGa%2ByT272YEAiv4%3D HTTP/1.1 Host: myco.s3.amazonaws.com Date: Mon, 26 Mar 2007 19:37:58 +0000
Authentication using Signature V2 is described in:
The Authorization header when using Signature V4 looks like this:
Authorization: AWS4-HMAC-SHA256 Credential=user11/20130524/us/s3/aws4_request, SignedHeaders=host;range;x-amz-date, Signature=fe5f80f77d5fa3beca038a248ff027d0445342fe2855ddc963176630326f1024
The Credential component comprises your Access Key Id followed by the Credential Scope. The Credential Scope comprises Date/Region/Service Name/Termination String. For ECS, the Service Name is always s3 and the Region can be any string. When computing the signature, ECS uses the Region string passed by the client.
Authentication using Signature V4 is described in:
An example of a PUT bucket request using Signature V4 is provided below:
PUT /bucket_demo HTTP/1.1 x-amz-date: 20160726T033659Z Authorization: AWS4-HMAC-SHA256 Credential=user11/20160726/us/s3/aws4_request,SignedHeaders=host;x-amz-date;x-emc-namespace,Signature=e75a150daa28a2b2f7ca24f6fd0e161cb58648a25121d3108f0af5c9451b09ce x-emc-namespace: ns1 x-emc-rest-client: TRUE x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 Content-Length: 0 Host: 10.247.195.130:9021 Connection: Keep-Alive User-Agent: Apache-HttpClient/4.2.1 (java 1.5)
Response:
HTTP/1.1 200 OK Date: Tue, 26 Jul 2016 03:37:00 GMT Server: ViPR/1.0 x-amz-request-id: 0af7c382:156123ab861:4192:896 x-amz-id-2: 3e2b2280876d444d6c7215091692fb43b87d6ad95b970f48911d635729a8f7ff Location: /bucket_demo_2016072603365969263 Content-Length: 0
