Class: AWS::S3::Authentication
Overview
All authentication is taken care of for you by the AWS::S3 library. Nonetheless, some details of the two types of authentication, and of when each is used, may be of interest.
Header based authentication
Header based authentication is achieved by setting a special Authorization header whose value is formatted like so:
"AWS #{access_key_id}:#{encoded_canonical}"
The access_key_id is the public identifier that Amazon assigns to a given account, which you use when establishing your initial connection. It is not a secret. The encoded_canonical is computed according to rules laid out by Amazon, which we will describe presently.
Generating the encoded canonical string
The “canonical string”, generated by the CanonicalString class, is computed by collecting the current request method, a set of significant headers of the current request, and the current request path into a string. That canonical string is then signed with the secret_access_key assigned by Amazon (an HMAC-SHA1 keyed with the secret, rather than encryption in the strict sense). The resulting digest is then Base64 encoded.
Query string based authentication
When accessing a restricted object from the browser, you can authenticate via the query string, by setting the following parameters:
"AWSAccessKeyId=#{access_key_id}&Expires=#{expires}&Signature=#{encoded_canonical}"
The QueryString class is responsible for generating the appropriate parameters for authentication via the query string.
The access_key_id and encoded_canonical are the same as described in the Header based authentication section. The expires value dictates for how long the current URL is valid (by default, it will expire in 5 minutes). Expiration can be specified either by an absolute time (expressed in seconds since the epoch), or in relative time (in number of seconds from now). Details of how to customize the expiration of the URL are provided in the documentation for the QueryString class.
All requests made by this library use header authentication. When a query string authenticated URL is needed, the S3Object#url method will include the appropriate query string parameters.
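The two schemes described above (header based and query string based), worked through as an added example. This is not the AWS::S3 library's own code: the credentials, paths and method names are constructed for illustration, the canonical string follows the layout in the specification linked below with x-amz-* headers left out, and the receiving-side check is an assumption about how a verifier would recompute and compare the signature.

```ruby
require 'openssl'
require 'base64'
require 'uri'

# Constructed placeholder credentials, not real keys.
ACCESS_KEY_ID     = 'EXAMPLEACCESSKEYID'
SECRET_ACCESS_KEY = 'example-secret-access-key'

# Method, significant headers, then path. x-amz-* headers are left out here.
# For query string authentication, Expires takes the place of the Date header.
def canonical_string(method, path, date_or_expires, content_md5: '', content_type: '')
  [method, content_md5, content_type, date_or_expires, path].join("\n")
end

# HMAC-SHA1 keyed with the secret access key, then Base64.
def encoded_canonical(secret, canonical)
  Base64.strict_encode64(OpenSSL::HMAC.digest('sha1', secret, canonical))
end

def authorization_header(method, path, date)
  sig = encoded_canonical(SECRET_ACCESS_KEY, canonical_string(method, path, date))
  "AWS #{ACCESS_KEY_ID}:#{sig}"
end

def signed_query(path, expires)
  sig = encoded_canonical(SECRET_ACCESS_KEY, canonical_string('GET', path, expires))
  URI.encode_www_form('AWSAccessKeyId' => ACCESS_KEY_ID, 'Expires' => expires, 'Signature' => sig)
end

# Length check, then a byte-wise comparison that does not exit early.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Receiving side: reject expired URLs, recompute the signature, compare.
def valid_query?(path, query, now)
  params  = URI.decode_www_form(query).to_h
  expires = params['Expires'].to_i
  return false if now > expires
  expected = encoded_canonical(SECRET_ACCESS_KEY, canonical_string('GET', path, expires))
  secure_equal?(params['Signature'].to_s, expected)
end
```

Because Expires is part of the signed canonical string, editing it in the URL invalidates the signature; a leaked URL remains usable by anyone until that time passes, so short expirations limit exposure.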
Full authentication specification
The full specification of the authentication protocol can be found at docs.amazonwebservices.com/AmazonS3/2006-03-01/RESTAuthentication.html
Defined Under Namespace
Classes: CanonicalString, Header, QueryString, Signature