Class AWS::S3::Authentication
In: lib/aws/s3/authentication.rb
Parent: Object

All authentication is taken care of for you by the AWS::S3 library. None the less, some details of the two types of authentication and when they are used may be of interest to some.

Header based authentication

Header based authentication is achieved by setting a special Authorization header whose value is formatted like so:

  "AWS #{access_key_id}:#{encoded_canonical}"

The access_key_id is the public key that is assigned by Amazon for a given account which you use when establishing your initial connection. The encoded_canonical is computed according to rules layed out by Amazon which we will describe presently.

Generating the encoded canonical string

The "canonical string", generated by the CanonicalString class, is computed by collecting the current request method, a set of significant headers of the current request, and the current request path into a string. That canonical string is then encrypted with the secret_access_key assigned by Amazon. The resulting encrypted canonical string is then base 64 encoded.

Query string based authentication

When accessing a restricted object from the browser, you can authenticate via the query string, by setting the following parameters:

  "AWSAccessKeyId=#{access_key_id}&Expires=#{expires}&Signature=#{encoded_canonical}"

The QueryString class is responsible for generating the appropriate parameters for authentication via the query string.

The access_key_id and encoded_canonical are the same as described in the Header based authentication section. The expires value dictates for how long the current url is valid (by default, it will expire in 5 minutes). Expiration can be specified either by an absolute time (expressed in seconds since the epoch), or in relative time (in number of seconds from now). Details of how to customize the expiration of the url are provided in the documentation for the QueryString class.

All requests made by this library use header authentication. When a query string authenticated url is needed, the S3Object#url method will include the appropriate query string parameters.

Full authentication specification

The full specification of the authentication protocol can be found at docs.amazonwebservices.com/AmazonS3/2006-03-01/RESTAuthentication.html

[Validate]