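Authentication Header and Authentication Method
Authentication Header
When making requests via REST, the following authentication header must be added to every request.
(Depending on the access permission settings, the authentication header may not be required.)
Version 3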
GET / HTTP/1.1
Host: jp-east-2.storage.api.nifcloud.com
Date: Wed, 29 Jun 2016 12:00:00 GMT
Authorization: AWS ${AccessKeyId}:${Signature}
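Item | Description | Required | Sample value |
---|---|---|---|
AccessKeyId | AccessKey obtained from the control panel | Yes | |
Signature | Authentication string (generation logic described below) | Yes | |
Signature (authentication string) generation logic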
Signature = Base64( HMAC-SHA1 ( SecretAccessKey, UTF-8-Encoding( StringToSign ) ) )
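StringToSign = HTTP request method + \n
HTTP request header string (*1) + \n
URL-encoded path + request parameter string (*2)
- *1 Generating the request header string:
  - Sort the request header keys in UTF-8 natural order.
  - Concatenate the request header values with "\n".
  - If the request header key is "Content-MD5", "Content-Type" or "Date", concatenate the value.
  - If the request header key starts with "x-amz-", concatenate header key + ":" + header value.
- *2 URL-encoded path + request parameter string:
  - The delimiters "/", "?", "&" and "=" are not encoded.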
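The following Python sketch applies the Version 3 rules above to a request; it is an added example, not code from this page or from the service's SDK. The function names, the `bucket` argument (taken from the virtual-host name) and the credentials are assumptions made for illustration; the header values follow the Put Object sample on this page.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

def string_to_sign_v3(method, headers, bucket, path):
    """Build the Version 3 StringToSign (header keys are matched case-insensitively)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # Content-MD5, Content-Type and Date contribute their value only;
    # an absent header still contributes an empty line.
    lines = [method, h.get("content-md5", ""), h.get("content-type", ""), h.get("date", "")]
    # x-amz-* headers contribute "key:value", sorted by key.
    lines += [f"{k}:{h[k]}" for k in sorted(h) if k.startswith("x-amz-")]
    # Resource: "/<bucket>" when a bucket is addressed, then the URL-encoded path.
    # The delimiters "/", "?", "&" and "=" are left unencoded.
    lines.append((f"/{bucket}" if bucket else "") + quote(path, safe="/?&="))
    return "\n".join(lines)

def sign_v3(secret_access_key, string_to_sign):
    """Signature = Base64(HMAC-SHA1(SecretAccessKey, UTF-8(StringToSign)))."""
    mac = hmac.new(secret_access_key.encode("utf-8"),
                   string_to_sign.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def authorization_v3(access_key_id, secret_access_key, method, headers, bucket, path):
    """Return the value of the Authorization header for one request."""
    sts = string_to_sign_v3(method, headers, bucket, path)
    return f"AWS {access_key_id}:{sign_v3(secret_access_key, sts)}"

if __name__ == "__main__":
    # Constructed credentials; headers follow the page's Put Object sample.
    sample_headers = {
        "Content-MD5": "62cff0140e0931c345c25795689032ca",
        "Content-Type": "text/plain",
        "Date": "Wed, 29 Jun 2016 12:00:00 GMT",
        "x-amz-acl": "private",
        "x-amz-meta-alphabet": "abcdefghijklmnopqrstuvwxyz",
        "Host": "my-first-bucket.jp-east-2.storage.api.nifcloud.com",
    }
    print(string_to_sign_v3("PUT", sample_headers, "my-first-bucket", "/sample.txt"))
    print(authorization_v3("EXAMPLEACCESSKEY", "example-secret", "PUT",
                           sample_headers, "my-first-bucket", "/sample.txt"))
```

Headers such as Host and User-Agent are ignored by the builder, so they can change in transit without invalidating the signature.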
Example: Get Service
GET / HTTP/1.1
Content-Type: application/octet-stream
Date: Wed, 29 Jun 2016 12:00:00 GMT
Host: jp-east-2.storage.api.nifcloud.com
User-Agent: Nifty Cloud Service Java Client
Authorization: AWS ${AccessKeyId}:${Signature}
StringToSign =
GET\n
\n
application/octet-stream\n
Wed, 29 Jun 2016 12:00:00 GMT\n
/
Example: Put Bucket
PUT / HTTP/1.1
Content-Type: application/octet-stream
Date: Wed, 29 Jun 2016 12:00:00 GMT
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
User-Agent: Nifty Cloud Service Java Client
Authorization: AWS ${AccessKeyId}:${Signature}
StringToSign =
PUT\n
\n
application/octet-stream\n
Wed, 29 Jun 2016 12:00:00 GMT\n
/my-first-bucket/
Example: Get Bucket
GET / HTTP/1.1
Content-Type: application/octet-stream
Date: Wed, 29 Jun 2016 12:00:00 GMT
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
User-Agent: Nifty Cloud Service Java Client
Authorization: AWS ${AccessKeyId}:${Signature}
StringToSign =
GET\n
\n
application/octet-stream\n
Wed, 29 Jun 2016 12:00:00 GMT\n
/my-first-bucket/
Example: Delete Bucket
DELETE / HTTP/1.1
Content-Type: application/octet-stream
Date: Wed, 29 Jun 2016 12:00:00 GMT
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
User-Agent: Nifty Cloud Service Java Client
Authorization: AWS ${AccessKeyId}:${Signature}
StringToSign =
DELETE\n
\n
application/octet-stream\n
Wed, 29 Jun 2016 12:00:00 GMT\n
/my-first-bucket/
Example: Put Object
PUT /sample.txt HTTP/1.1
Content-MD5: 62cff0140e0931c345c25795689032ca
Content-Type: text/plain
Date: Wed, 29 Jun 2016 12:00:00 GMT
x-amz-acl:private
x-amz-meta-alphabet:abcdefghijklmnopqrstuvwxyz
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
Content-length: 138
User-Agent: Nifty Cloud Service Java Client
Authorization: AWS ${AccessKeyId}:${Signature}
StringToSign =
PUT\n
62cff0140e0931c345c25795689032ca\n
text/plain\n
Wed, 29 Jun 2016 12:00:00 GMT\n
x-amz-acl:private\n
x-amz-meta-alphabet:abcdefghijklmnopqrstuvwxyz\n
/my-first-bucket/sample.txt
Example: Get Object
GET /sample.txt HTTP/1.1
Content-Type: application/octet-stream
Date: Wed, 29 Jun 2016 12:00:00 GMT
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
User-Agent: Nifty Cloud Service Java Client
Authorization: AWS ${AccessKeyId}:${Signature}
StringToSign =
GET\n
\n
application/octet-stream\n
Wed, 29 Jun 2016 12:00:00 GMT\n
/my-first-bucket/sample.txt
Example: Delete Object
DELETE /sample.txt HTTP/1.1
Content-Type: application/octet-stream
Date: Wed, 29 Jun 2016 12:00:00 GMT
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
User-Agent: Nifty Cloud Service Java Client
Authorization: AWS ${AccessKeyId}:${Signature}
StringToSign =
DELETE\n
\n
application/octet-stream\n
Wed, 29 Jun 2016 12:00:00 GMT\n
/my-first-bucket/sample.txt
Example: Put Object acl
PUT /sample.txt?acl HTTP/1.1
Content-Type: text/plain
Date: Wed, 29 Jun 2016 12:00:00 GMT
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
Content-length: 961
User-Agent: Nifty Cloud Service Java Client
Authorization: AWS ${AccessKeyId}:${Signature}
StringToSign =
PUT\n
\n
text/plain\n
Wed, 29 Jun 2016 12:00:00 GMT\n
/my-first-bucket/sample.txt?acl
Example: Get Object acl
GET /sample.txt?acl HTTP/1.1
Content-Type: application/octet-stream
Date: Wed, 29 Jun 2016 12:00:00 GMT
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
User-Agent: Nifty Cloud Service Java Client
Authorization: AWS ${AccessKeyId}:${Signature}
StringToSign =
GET\n
\n
application/octet-stream\n
Wed, 29 Jun 2016 12:00:00 GMT\n
/my-first-bucket/sample.txt?acl
Version 4
GET / HTTP/1.1
Host: jp-east-2.storage.api.nifcloud.com
x-amz-content-sha256: ${HashedPayload}
x-amz-date: ${TimeStamp}
Authorization: AWS4-HMAC-SHA256
Credential=${AccessKeyId}/${RequestDate}/${Region}/s3/aws4_request,
SignedHeaders=${SignedHeaders},
Signature=${Signature}
Item | Description | Required | Sample value |
---|---|---|---|
AccessKeyId | Access key obtained from the control panel | Yes | |
RequestDate | Request date in yyyymmdd format | Yes | 20170724 |
Region | Region | Yes | jp-east-2 |
HashedPayload | The content of the HTTP request body (called the payload here), hashed with the SHA-256 algorithm and hex-encoded | Yes | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
TimeStamp | Request time formatted as ISO 8601 | Yes | 20170724T000000Z |
SignedHeaders | Signed headers (generation logic described below) | Yes | host;x-amz-content-sha256;x-amz-date |
Signature | Authentication string (generation logic described below) | Yes | |
Signature (authentication string) generation logic
Signature = Hex( HMAC-SHA256 ( SigningKey, StringToSign ))
StringToSign = "AWS4-HMAC-SHA256\n" +
    "${TimeStamp}\n" +
    "${CredentialScope}\n" +
    Hex(SHA256Hash(CanonicalRequest))
CredentialScope = "${RequestDate}/${Region}/s3/aws4_request"
CanonicalRequest = "${HTTPMethod}\n" +
    "${CanonicalURI}\n" +
    "${CanonicalQueryString}\n" +
    "${CanonicalHeaders}\n" +
    "${SignedHeaders}\n" +
    "${HashedPayload}"
HashedPayload = Hex(SHA256Hash(${Payload}))
SigningKey = HMAC-SHA256(
    HMAC-SHA256(
        HMAC-SHA256(
            HMAC-SHA256("AWS4"+"${SecretAccessKey}", "${RequestDate}"), "${Region}"
        ), "s3"
    ), "aws4_request"
)
Item | Description | Required | Sample value |
---|---|---|---|
TimeStamp | Request time formatted as ISO 8601 | Yes | 20170724T000000Z |
HTTPMethod | HTTP method used | Yes | "GET", "PUT", "DELETE", etc. |
CanonicalURI | URL-encoded path portion, excluding the query string. Slashes (/) are not encoded. | Yes | /sample.txt |
CanonicalQueryString | For each parameter in the query string, URL-encode the parameter name and the value, join them with "=", sort by parameter name in lexicographic order, and join the results with "&". Unreserved characters defined in RFC 3986 are not URL-encoded; these are A-Z, a-z, 0-9, hyphen (-), underscore (_), period (.) and tilde (~). All other characters are URL-encoded; for example, a space is percent-encoded as "%20". In addition, the delimiters "/", "?", "&" and "=" are not encoded. | Yes | acl= |
CanonicalHeaders | For each header, convert the header name and the value to lowercase, join them with ":", sort by parameter name in lexicographic order, and join the results with "\n". The host header is required. The Content-Type header and headers starting with "x-amz-" are required when they are included in the request. | Yes | host:my-first-bucket.jp-east-2.storage.api.nifcloud.com\n x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n x-amz-date:20170724T000000Z\n |
SignedHeaders | The header names of the headers included in CanonicalHeaders, sorted in lexicographic order and joined with ";" | Yes | host;x-amz-content-sha256;x-amz-date |
Payload | The request body. For a PUT request, the file or chunk being PUT, the ACL text, and so on. For GET, an empty string. | Yes | |
SecretAccessKey | Secret key obtained from the control panel | Yes | |
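The Version 4 logic above, carried through in Python as an added example (not code from this page or the service's SDK). Function names and credentials are assumptions; header values are kept in their original case, as in the page's worked examples, and query names and values are each fully percent-encoded.

```python
import hashlib
import hmac
from urllib.parse import quote

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret_access_key, request_date, region):
    """Chain of four HMAC-SHA256 calls: date -> region -> "s3" -> "aws4_request"."""
    key = ("AWS4" + secret_access_key).encode("utf-8")
    for part in (request_date, region, "s3", "aws4_request"):
        key = _hmac(key, part)
    return key

def canonical_request(method, path, query, headers, payload=b""):
    """Return (CanonicalRequest, SignedHeaders, HashedPayload)."""
    hashed_payload = hashlib.sha256(payload).hexdigest()
    # Lowercase header names; values are kept as sent (assumption, see lead-in).
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    hdrs["x-amz-content-sha256"] = hashed_payload
    names = sorted(hdrs)
    canonical_headers = "".join(f"{n}:{hdrs[n]}\n" for n in names)
    signed_headers = ";".join(names)
    # Encode each name and value separately, then sort by name and join with "&".
    canonical_query = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query.items()))
    request = "\n".join([method, quote(path, safe="/"), canonical_query,
                         canonical_headers, signed_headers, hashed_payload])
    return request, signed_headers, hashed_payload

def authorization_v4(access_key_id, secret_access_key, region, timestamp,
                     method, path, query, headers, payload=b""):
    """Build the Version 4 Authorization header value for one request."""
    request_date = timestamp[:8]  # yyyymmdd prefix of the ISO 8601 timestamp
    scope = f"{request_date}/{region}/s3/aws4_request"
    request, signed_headers, _ = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", timestamp, scope,
                                hashlib.sha256(request.encode("utf-8")).hexdigest()])
    signature = hmac.new(signing_key(secret_access_key, request_date, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")

if __name__ == "__main__":
    # Constructed credentials; request values follow the page's Get Service sample.
    print(authorization_v4("EXAMPLEACCESSKEY", "example-secret", "jp-east-2",
                           "20170724T000000Z", "GET", "/", {},
                           {"Host": "jp-east-2.storage.api.nifcloud.com",
                            "x-amz-date": "20170724T000000Z"}))
```

Every header passed in `headers` is signed, so the request must be sent with exactly those header values and with the `x-amz-content-sha256` value returned as HashedPayload.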
Example: Get Service
GET / HTTP/1.1
Host: jp-east-2.storage.api.nifcloud.com
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20170724T000000Z
Authorization: AWS4-HMAC-SHA256 Credential=${AccessKeyId}/${RequestDate}/${Region}/s3/aws4_request, SignedHeaders=${SignedHeaders}, Signature=${SigningKey}
CanonicalRequest=
GET\n
/\n
\n
host:jp-east-2.storage.api.nifcloud.com\n
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n
x-amz-date:20170724T000000Z\n
\n
host;x-amz-content-sha256;x-amz-date\n
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
StringToSign=
AWS4-HMAC-SHA256\n
20170724T000000Z\n
20170724/jp-east-2/s3/aws4_request\n
c04e4c3209d21bb444cdbf3595bea89a3469613b48ca3f8dfb8ced1c88b4b651
Example: Put Bucket
PUT / HTTP/1.1
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20170724T000000Z
Authorization: AWS4-HMAC-SHA256 Credential=${AccessKeyId}/${RequestDate}/${Region}/s3/aws4_request, SignedHeaders=${SignedHeaders}, Signature=${SigningKey}
CanonicalRequest=
PUT\n
/\n
\n
host:my-first-bucket2.jp-east-2.storage.api.nifcloud.com\n
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n
x-amz-date:20170724T000000Z\n
\n
host;x-amz-content-sha256;x-amz-date\n
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
StringToSign=
AWS4-HMAC-SHA256\n
20170724T000000Z\n
20170724/jp-east-2/s3/aws4_request\n
c04e4c3209d21bb444cdbf3595bea89a3469613b48ca3f8dfb8ced1c88b4b651
Example: Get Bucket
GET / HTTP/1.1
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20170724T000000Z
Authorization: AWS4-HMAC-SHA256 Credential=${AccessKeyId}/${RequestDate}/${Region}/s3/aws4_request, SignedHeaders=${SignedHeaders}, Signature=${SigningKey}
CanonicalRequest=
GET\n
/\n
\n
host:my-first-bucket.jp-east-2.storage.api.nifcloud.com\n
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n
x-amz-date:20170724T000000Z\n
\n
host;x-amz-content-sha256;x-amz-date\n
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
StringToSign=
AWS4-HMAC-SHA256\n
20170724T000000Z\n
20170724/jp-east-2/s3/aws4_request\n
7df254b7970a77c2e626d4d08710ba785dee70242bb57e50aaa8aa1b750b1d04
Example: Delete Bucket
DELETE / HTTP/1.1
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20170724T000000Z
Authorization: AWS4-HMAC-SHA256 Credential=${AccessKeyId}/${RequestDate}/${Region}/s3/aws4_request, SignedHeaders=${SignedHeaders}, Signature=${SigningKey}
CanonicalRequest=
DELETE\n
/\n
\n
host:my-first-bucket.jp-east-2.storage.api.nifcloud.com\n
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n
x-amz-date:20170724T000000Z\n
\n
host;x-amz-content-sha256;x-amz-date\n
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
StringToSign=
AWS4-HMAC-SHA256\n
20170724T000000Z\n
20170724/jp-east-2/s3/aws4_request\n
8be98872cc6e745f0ebf075eeafa10c91a13b66daedba2a6f1474b6514bc8e74
Example: Put Object
PUT /sample.txt HTTP/1.1
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
x-amz-content-sha256: b41843877351fe4ebf058aae14a1d4614f11d9a0d51da426c75dcc06d939c05e
x-amz-date: 20170724T000000Z
x-amz-acl: private
x-amz-meta-alphabet: abcdefghijklmnopqrstuvwxyz
Content-length: 138
Authorization: AWS4-HMAC-SHA256 Credential=${AccessKeyId}/${RequestDate}/${Region}/s3/aws4_request, SignedHeaders=${SignedHeaders}, Signature=${SigningKey}
CanonicalRequest=
PUT\n
/sample.txt\n
\n
host:my-first-bucket.jp-east-2.storage.api.nifcloud.com\n
x-amz-content-sha256:b41843877351fe4ebf058aae14a1d4614f11d9a0d51da426c75dcc06d939c05e\n
x-amz-date:20170724T000000Z\n
\n
host;x-amz-content-sha256;x-amz-date\n
b41843877351fe4ebf058aae14a1d4614f11d9a0d51da426c75dcc06d939c05e
StringToSign=
AWS4-HMAC-SHA256\n
20170724T000000Z\n
20170724/jp-east-2/s3/aws4_request\n
77a70e3e2c4e0ab1a919a8508c8306dc9f4df2e56952b2bc82d0f279d6dada54
Example: Get Object
GET /sample.txt HTTP/1.1
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20170724T000000Z
Authorization: AWS4-HMAC-SHA256 Credential=${AccessKeyId}/${RequestDate}/${Region}/s3/aws4_request, SignedHeaders=${SignedHeaders}, Signature=${SigningKey}
CanonicalRequest=
GET\n
/sample.txt\n
\n
host:my-first-bucket.jp-east-2.storage.api.nifcloud.com\n
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n
x-amz-date:20170724T000000Z\n
\n
host;x-amz-content-sha256;x-amz-date\n
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
StringToSign=
AWS4-HMAC-SHA256\n
20170724T000000Z\n
20170724/jp-east-2/s3/aws4_request\n
c6a2222893599353161c31aa8705586c641766624048201e1381a89e4405e5c6
Example: Delete Object
DELETE /sample.txt HTTP/1.1
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20170724T000000Z
Authorization: AWS4-HMAC-SHA256 Credential=${AccessKeyId}/${RequestDate}/${Region}/s3/aws4_request, SignedHeaders=${SignedHeaders}, Signature=${SigningKey}
CanonicalRequest=
DELETE\n
/sample.txt\n
\n
host:my-first-bucket.jp-east-2.storage.api.nifcloud.com\n
x-amz-date:20170724T000000Z\n
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n
\n
host;x-amz-content-sha256;x-amz-date\n
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
StringToSign=
AWS4-HMAC-SHA256\n
20170724T000000Z\n
20170724/jp-east-2/s3/aws4_request\n
b3aa4438cd01be87f47d54fef44274516a031d4a2d43859f43f65b20d02fe52c
Example: Put Object acl
PUT /sample.txt HTTP/1.1
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
x-amz-content-sha256: 138eae2997d5fc275631bc2b1e2c8c604475bb7f092b5cd91ef24dfdac407a2c
x-amz-date: 20170724T000000Z
x-amz-acl: private
Content-length: 961
Content-Type: text/plain
Authorization: AWS4-HMAC-SHA256 Credential=${AccessKeyId}/${RequestDate}/${Region}/s3/aws4_request, SignedHeaders=${SignedHeaders}, Signature=${SigningKey}
CanonicalRequest=
PUT\n
/sample.txt\n
host:my-first-bucket.jp-east-2.storage.api.nifcloud.com\n
x-amz-acl:private\n
x-amz-content-sha256:138eae2997d5fc275631bc2b1e2c8c604475bb7f092b5cd91ef24dfdac407a2c\n
x-amz-date:20170724T000000Z\n
\n
host;x-amz-content-sha256;x-amz-date\n
138eae2997d5fc275631bc2b1e2c8c604475bb7f092b5cd91ef24dfdac407a2c
StringToSign=
AWS4-HMAC-SHA256\n
20170724T000000Z\n
20170724/jp-east-2/s3/aws4_request\n
8f363bf33583292ffbc1c8ab1eb5691d5c345e538fbe2fcb930267b5411c34a5
Example: Get Object acl
GET /sample.txt?acl HTTP/1.1
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20170724T000000Z
Content-Type: application/octet-stream
Authorization: AWS4-HMAC-SHA256 Credential=${AccessKeyId}/${RequestDate}/${Region}/s3/aws4_request, SignedHeaders=${SignedHeaders}, Signature=${SigningKey}
CanonicalRequest=
GET\n
/sample.txt\n
acl=\n
host:my-first-bucket.jp-east-2.storage.api.nifcloud.com\n
x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n
x-amz-date:20170724T000000Z\n
\n
host;x-amz-content-sha256;x-amz-date\n
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
StringToSign=
AWS4-HMAC-SHA256\n
20170724T000000Z\n
20170724/jp-east-2/s3/aws4_request\n
a282cea2acaef821beabc9fc4f583dafa1140c9622bfc66172435cea169ffdd2
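Authentication Method
Object Storage (Legacy) generates a Signature from the request using the same method described above and compares it, as a string, with the value specified in the authentication header.
If the strings match and the authentication string is judged to be correct, the specified API operation is executed.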
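A sketch of the server-side check described above, for the Version 3 header, as an added example (it is not the service's implementation). The key store, function names and credentials are assumptions; the comparison uses `hmac.compare_digest` so that the time taken does not reveal how much of a presented Signature was correct.

```python
import base64
import hashlib
import hmac

def expected_signature(secret_access_key, string_to_sign):
    """Version 3 Signature: Base64(HMAC-SHA1(SecretAccessKey, StringToSign))."""
    mac = hmac.new(secret_access_key.encode("utf-8"),
                   string_to_sign.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def verify_v3(authorization, string_to_sign, secrets):
    """Return True only if the presented Signature matches the recomputed one.

    `string_to_sign` must be rebuilt by the server from the request it received,
    never taken from the client. `secrets` maps AccessKeyId -> SecretAccessKey.
    """
    scheme, _, credential = authorization.strip().partition(" ")
    access_key_id, sep, presented = credential.partition(":")
    if scheme != "AWS" or not sep or not presented:
        return False                      # malformed header or wrong scheme
    secret = secrets.get(access_key_id)
    if secret is None:
        return False                      # unknown AccessKeyId
    expected = expected_signature(secret, string_to_sign)
    # Constant-time comparison of the two strings.
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8"))

if __name__ == "__main__":
    # Constructed key store and request; the StringToSign follows the Get Object sample.
    keys = {"EXAMPLEACCESSKEY": "example-secret"}
    sts = ("GET\n\napplication/octet-stream\n"
           "Wed, 29 Jun 2016 12:00:00 GMT\n/my-first-bucket/sample.txt")
    header = "AWS EXAMPLEACCESSKEY:" + expected_signature("example-secret", sts)
    print(verify_v3(header, sts, keys))                            # accepted
    print(verify_v3(header, sts.replace("GET", "DELETE"), keys))   # rejected
```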
Virtual-hosted style
When specifying a bucket and an object, specify the request destination in virtual-hosted style as follows.
https://<bucket name>.jp-east-2.storage.api.nifcloud.com/<object name>
Request sample
GET /sample.txt HTTP/1.1
Host: my-first-bucket.jp-east-2.storage.api.nifcloud.com
x-amz-content-sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
x-amz-date: 20170724T000000Z
Authorization: signatureValue