All AWS API requests must be signed with Signature Version 4 (SigV4). The resulting Authorization header looks like this:
```
Authorization: AWS4-HMAC-SHA256
    Credential=AKID/20250115/us-east-1/dynamodb/aws4_request,
    SignedHeaders=host;x-amz-date,
    Signature=abc123...
```

Signing process:
1. Create canonical request (method, URI, query string, headers, payload hash)
2. Create string to sign (algorithm, date, credential scope, canonical request hash)
3. Calculate signature (signing key derived from secret key + date + region + service)
4. Add signature to Authorization header
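The four steps above carried out in plain Python with `hmac`/`hashlib`, as an added example that is not part of the original notes or the AWS SDK. The access key, secret key, and request values are constructed placeholders; the scope (dynamodb, us-east-1, 20250115) mirrors the header shown above, and a server-side `verify_request` shows the recompute-and-compare check that rejects any tampered field.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def canonical_request(method, uri, query, headers, payload):
    # Step 1: lowercase header names, trim values, sort them, hash the payload.
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    names = sorted(lowered)
    canon_headers = "".join(f"{n}:{lowered[n]}\n" for n in names)
    signed_headers = ";".join(names)
    creq = "\n".join([method, uri, query, canon_headers, signed_headers, sha256_hex(payload)])
    return creq, signed_headers

def string_to_sign(amz_date, scope, creq):
    # Step 2: algorithm, request timestamp, credential scope, hash of the canonical request.
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, sha256_hex(creq.encode("utf-8"))])

def signing_key(secret, date, region, service):
    # Step 3a: derive a date/region/service-scoped key; the long-term secret never signs a request directly.
    k_date = hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    k_region = hmac_sha256(k_date, region)
    k_service = hmac_sha256(k_region, service)
    return hmac_sha256(k_service, "aws4_request")

def sign_request(access_key, secret, region, service, method, uri, query, headers, payload):
    amz_date = {k.lower(): v for k, v in headers.items()}["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    creq, signed = canonical_request(method, uri, query, headers, payload)
    sts = string_to_sign(amz_date, scope, creq)
    # Step 3b: HMAC the string to sign with the derived key; step 4 assembles the header.
    sig = hmac.new(signing_key(secret, amz_date[:8], region, service), sts.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, SignedHeaders={signed}, Signature={sig}"

def verify_request(authorization, secret, region, service, method, uri, query, headers, payload):
    # Server side: recompute the header from the request as received and compare in constant time.
    access_key = authorization.split("Credential=")[1].split("/")[0]
    expected = sign_request(access_key, secret, region, service, method, uri, query, headers, payload)
    return hmac.compare_digest(expected, authorization)

# Constructed placeholders, not real credentials; the request is a DynamoDB ListTables call.
ACCESS_KEY, SECRET_KEY = "AKIDEXAMPLE", "EXAMPLE-SECRET-KEY-PLACEHOLDER"
HEADERS = {"host": "dynamodb.us-east-1.amazonaws.com", "x-amz-date": "20250115T120000Z",
           "x-amz-target": "DynamoDB_20120810.ListTables", "content-type": "application/x-amz-json-1.0"}

def example_authorization(payload: bytes = b"{}") -> str:
    return sign_request(ACCESS_KEY, SECRET_KEY, "us-east-1", "dynamodb", "POST", "/", "", HEADERS, payload)

if __name__ == "__main__":
    print(example_authorization())
```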
```python
import boto3

# STS AssumeRole: exchange the caller's identity for short-lived credentials
sts = boto3.client('sts')
response = sts.assume_role(
    RoleArn='arn:aws:iam::123456789012:role/CrossAccountRole',
    RoleSessionName='my-session'
)

# Use the temporary credentials; the session token must be passed along with the key pair
credentials = response['Credentials']
s3 = boto3.client(
    's3',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken']
)
```
```python
import boto3

s3 = boto3.client('s3')

# Generate a pre-signed URL (default expiry is 1 hour)
url = s3.generate_presigned_url(
    'get_object',
    Params={'Bucket': 'my-bucket', 'Key': 'file.pdf'},
    ExpiresIn=3600  # seconds
)
# The URL embeds a SigV4 signature: anyone holding the URL can access the object until it expires
```
| Method | Signing |
|---|---|
| IAM Auth | Client signs request with SigV4 |
| Cognito | Client sends JWT token in Authorization header |
| API Key | Client sends key in x-api-key header |
| Lambda Authorizer | Client sends custom token |
Exam Tip: SigV4 signing is handled automatically by the SDKs. Use pre-signed URLs for temporary S3 access. Temporary credentials (STS) are always preferable to long-term access keys.