Signing and Authenticating REST Requests
The primary authentication scheme available to use with Riak CS is the S3
authentication scheme. A signature is calculated using several elements from
each request and the user's
key_secret. This signature is
included in the
Authorization header of the request. Once a request is
received by the server, the server also calculates the signature for the
request and compares the result with the signature presented in then
Authorization header. If they match then the request is authenticated;
otherwise, the authentication fails.
Full details are available in the S3 authentication scheme documentation.
Query String Authentication
Riak CS also supports authentication using a query parameter. This allows issuing of pre-signed requests that can be used to grant public access to private Riak CS data. It also supports an expiry timestamp so that the pre-signed URL can be invalidated after a certain period of time.
The signature in the query string secures the request and you can specify any future expiration time in epoch or UNIX time.
- Create a query.
- Specify an expiration time for the query.
- Sign it with your signature.
- Place the data in an HTTP request.
- Distribute the request to a user or embed the request in a web page
Query String Parameters
AWSAccessKeyId - Your Riak CS Access Key ID.
- Type: String
Expires - The time when the signature expires, specified as the number of seconds since the epoch.
- Type: Integer
Signature - The URL encoding of the Base64 encoding of the HMAC-SHA1 of StringToSign.
- Type: String
For example, a query URL is similar to the following example.