User guide
function includes the text of your request and your secret access key. The hash function returns a hash
value that you include in the request as your signature. The signature is part of the Authorization
header of your request.
Note
For API access, you need an access key ID and secret access key. For more information about
creating access keys, see How Do I Get Security Credentials? in the AWS General Reference.
After Amazon Redshift receives your request, it recalculates the signature by using the same hash function
and input that you used to sign the request. If the resulting signature matches the signature in the request,
Amazon Redshift processes the request; otherwise, the request is rejected.
Amazon Redshift supports authentication using AWS Signature Version 4. The process for calculating a
signature is composed of three tasks. These tasks are illustrated in the example that follows.
• Task 1: Create a Canonical Request
Rearrange your HTTP request into a canonical form. Using a canonical form is necessary because
Amazon Redshift uses the same canonical form to calculate the signature it compares with the one
you sent.
• Task 2: Create a String to Sign
Create a string that you will use as one of the input values to your cryptographic hash function. The
string, called the string to sign, is a concatenation of the name of the hash algorithm, the request date,
a credential scope string, and the canonicalized request from the previous task. The credential scope
string itself is a concatenation of date, region, and service information.
• Task 3: Create a Signature
Create a signature for your request by using a cryptographic hash function that accepts two input
strings, your string to sign and a derived key. The derived key is calculated by starting with your secret
access key and using the credential scope string to create a series of hash-based message
authentication codes (HMAC-SHA256).
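The three tasks, together with the service-side recalculation described earlier, can be sketched in Python as follows. This is an added example, not code from the guide; the access key ID, secret key, abbreviated request body and header set are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import hmac

ALGORITHM = "AWS4-HMAC-SHA256"
ACCESS_KEY_ID = "AKIDEXAMPLE"                 # constructed placeholder
SECRET = "EXAMPLE-SECRET-KEY-NOT-REAL"        # constructed placeholder
BODY = b"Action=CreateCluster&ClusterIdentifier=examplecluster&Version=2012-12-01"  # abbreviated
HEADERS = {"Host": "redshift.us-east-1.amazonaws.com", "X-Amz-Date": "20121207T000000Z",
           "Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}
REQUEST = ("20121207T000000Z", "us-east-1", "redshift", "POST", "/", "", HEADERS, BODY)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def canonical_request(method, path, query, headers, body):
    # Task 1: lowercase and sort headers, trim values, append the payload hash.
    canon = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
    header_block = "".join(f"{k}:{v}\n" for k, v in canon)
    signed = ";".join(k for k, _ in canon)
    return "\n".join([method, path, query, header_block, signed, sha256_hex(body)]), signed

def signing_key(secret, date, region, service):
    # Task 3, first half: chain HMAC-SHA256 over the credential scope parts.
    key = ("AWS4" + secret).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = hmac_sha256(key, part)
    return key

def sign(secret, amz_date, region, service, method, path, query, headers, body):
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    canon, signed = canonical_request(method, path, query, headers, body)
    # Task 2: Signature Version 4 puts the SHA-256 hash of the canonical request here.
    sts = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(canon.encode("utf-8"))])
    key = signing_key(secret, amz_date[:8], region, service)
    sig = hmac.new(key, sts.encode("utf-8"), hashlib.sha256).hexdigest()
    auth = (f"{ALGORITHM} Credential={ACCESS_KEY_ID}/{scope}, "
            f"SignedHeaders={signed}, Signature={sig}")
    return sig, sts, auth

def verify(secret, received_sig, *request):
    # Receiving side: recompute from the same inputs, compare in constant time.
    return hmac.compare_digest(sign(secret, *request)[0], received_sig)

if __name__ == "__main__":
    sig, sts, auth = sign(SECRET, *REQUEST)
    print(auth)
    print(verify(SECRET, sig, *REQUEST))
```

Changing any signed header, the body, or the secret key produces a different signature, so the comparison in verify() fails and the request would be rejected.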
Example Signature Calculation
The following example walks you through the details of creating a signature for a CreateCluster request.
You can use this example as a reference to check your own signature calculation method. Other reference
calculations are included in the Signature Version 4 Test Suite of the Amazon Web Services Glossary.
You can use a GET or POST request to send requests to Amazon Redshift. The difference between the
two is that for the GET request your parameters are sent as query string parameters. For the POST
request they are included in the body of the request. The example below shows a POST request.
The example assumes the following:
• The time stamp of the request is Fri, 07 Dec 2012 00:00:00 GMT.
• The endpoint is US East (Northern Virginia) Region, us-east-1.
The general request syntax is:
https://redshift.us-east-1.amazonaws.com/
?Action=CreateCluster
&ClusterIdentifier=examplecluster
&MasterUsername=masteruser
&MasterUserPassword=12345678Aa
&NumberOfNode=2
API Version 2012-12-01
Amazon Redshift Management Guide
Signing an HTTP Request