R: Signature Version 4

signature_v4_auth {aws.signature}

R Documentation

Signature Version 4

Description

AWS Signature Version 4 for use in query or header authorization

Usage

signature_v4_auth(
  datetime = format(Sys.time(), "%Y%m%dT%H%M%SZ", tz = "UTC"),
  region = NULL,
  service,
  verb,
  action,
  query_args = list(),
  canonical_headers,
  request_body,
  signed_body = FALSE,
  key = NULL,
  secret = NULL,
  session_token = NULL,
  query = FALSE,
  algorithm = "AWS4-HMAC-SHA256",
  force_credentials = FALSE,
  verbose = getOption("verbose", FALSE)
)

Arguments

`datetime`	A character string containing a datetime in the form of “YYYYMMDDTHHMMSSZ”. If missing, it is generated automatically using `Sys.time`.
`region`	A character string containing the AWS region for the request. If missing, “us-east-1” is assumed.
`service`	A character string containing the AWS service (e.g., “iam”, “host”, “ec2”).
`verb`	A character string containing the HTTP verb being used in the request.
`action`	A character string containing the API endpoint used in the request.
`query_args`	A named list of character strings containing the query string values (if any) used in the API request, passed to `canonical_request`.
`canonical_headers`	A named list of character strings containing the headers used in the request.
`request_body`	The body of the HTTP request.
`signed_body`	Should the body be signed
`key`	An AWS Access Key ID. If `NULL`, it is retrieved using `locate_credentials`.
`secret`	An AWS Secret Access Key. If `NULL`, it is retrieved using `locate_credentials`.
`session_token`	Optionally, an AWS Security Token Service (STS) temporary Session Token. This is added automatically as a header to `canonical_headers`. See `locate_credentials`.
`query`	A logical. Currently ignored.
`algorithm`	A character string containing the hashing algorithm used in the request. Should only be “SHA256”.
`force_credentials`	A logical indicating whether to force use of user-supplied credentials. If `FALSE` (the default), `locate_credentials` is used to find credentials. If `TRUE`, user-supplied values are used regardless of their validity.
`verbose`	A logical indicating whether to be verbose.

Details

This function generates an AWS Signature Version 4 for authorizing API requests.

Value

A list of class “aws_signature_v4”, containing the information needed to sign an AWS API request using either query string authentication or request header authentication. Specifically, the list contains:

`Algorithm`	A character string containing the hashing algorithm used during the signing process (default is SHA256).
`Credential`	A character string containing an identifying credential “scoped” to the region, date, and service of the request.
`Date`	A character string containing a YYYYMMDD-formatted date.
`SignedHeaders`	A character string containing a semicolon-separated listing of request headers used in the signature.
`Body`	The value passed to `request_body`.
`BodyHash`	A character string containing a SHA256 hash of the request body.
`Verb`	The value passed to `verb`.
`Query`	The value passed to `query_args`.
`Service`	The value passed to `service`.
`Action`	The value passed to `action`.
`CanonicalRequest`	A character string containing the canonical request.
`StringToSign`	A character string containing the string to sign for the request.
`Signature`	A character string containing a request signature hash.
`SignatureHeader`	A character string containing a complete Authorization header value.
`AccessKeyId`	A character string containing the access key id identified by `locate_credentials`.
`SecretAccessKey`	A character string containing the secret access key identified by `locate_credentials`.
`SessionToken`	A character string containing the session token identified by `locate_credentials`.
`Region`	A character string containing the region identified by `locate_credentials`.

These values can either be used as query parameters in a REST-style API request, or as request headers. If authentication is supplied via query string parameters, the query string should include the following:

Action=action &X-Amz-Algorithm=Algorithm &X-Amz-Credential=URLencode(Credentials) &X-Amz-Date=Date &X-Amz-Expires=timeout &X-Amz-SignedHeaders=SignedHeaders

where action is the API endpoint being called and timeout is a numeric value indicating when the request should expire.

If signing a request using header-based authentication, the “Authorization” header in the request should be included with the request that looks as follows:

Authorization: Algorithm Credential=Credential, SignedHeaders=SignedHeaders, Signature=Signature

This is the value printed by default for all objects of class “aws_signature_v4”.

Author(s)

Thomas J. Leeper <thosjleeper@gmail.com>

References

AWS General Reference: Signature Version 4 Signing Process

Amazon S3 API Reference: Authenticating Requests (AWS Signature Version 4)

Add the Signing Information to the Request