,
Jonathan Stott [cre, aut],
Mike Kaminsky [ctb],
Mark Douthwaite [ctb],
Jason Gofford [ctb],
Luke Dyer [ctb]| Title: | Amazon Web Services Request Signatures |
|---|---|
| Description: | Generates version 2 and version 4 request signatures for Amazon Web Services ('AWS') <https://aws.amazon.com/> Application Programming Interfaces ('APIs') and provides a mechanism for retrieving credentials from environment variables, 'AWS' credentials files, and 'EC2' instance metadata. For use on 'EC2' instances, users will need to install the suggested package 'aws.ec2metadata' <https://cran.r-project.org/package=aws.ec2metadata>. |
| Authors: | Thomas J. Leeper [aut] ,
Jonathan Stott [cre, aut],
Mike Kaminsky [ctb],
Mark Douthwaite [ctb],
Jason Gofford [ctb],
Luke Dyer [ctb] |
| Maintainer: | Jonathan Stott <[email protected]> |
| License: | GPL (>= 2) |
| Version: | 0.6.1 |
| Built: | 2024-09-12 03:38:24 UTC |
| Source: | https://github.com/cloudyr/aws.signature |
Generates Amazon Web Services (AWS) request signatures for RESTful APIs.
This package contains functions mostly intended for developers to use in building API client packages for Amazon Web Services APIs.
The main function of interest is signature_v4_auth, which wraps the other internal functions and returns a named list of elements to be used in authenticating an API request using AWS Signature Version 4. Another function, signature_v2_auth implements the older, mostly deprecated Version 2 algorithm.
Recent versions of the package (>= 0.2.8) identify credentials by walking through a tree of possible sources of values (described in locate_credentials), with optional verbosity, in a manner similar to the Python boto 3 library.
A lower-level function that may be of use to end users is use_credentials, which sets the environment variables used by this package based upon values specified in a ‘.aws/credentials’ file. That function is called by default during package load, if no environment variables are set.
To use this (and any cloudyr package) on AWS EC2 instances or ECS tasks, users will also need to install the aws.ec2metadata package, which allows locate_credentials to know it is running in an instance and check for relevant values.
Thomas J. Leeper <[email protected]>
signature_v4_auth, signature_v2_auth, locate_credentials, use_credentials
Construct a Canonical Request from request elements
canonical_request( verb, canonical_uri = "", query_args = list(), canonical_headers, request_body = "", signed_body = FALSE )canonical_request( verb, canonical_uri = "", query_args = list(), canonical_headers, request_body = "", signed_body = FALSE )
verb |
A character string containing the HTTP verb being used in the request. |
canonical_uri |
A character string containing the “canonical URI”, meaning the contents of the API request URI excluding the host and the query parameters. |
query_args |
A named list of character strings containing the query string values (if any) used in the API request. |
canonical_headers |
A named list of character strings containing the headers used in the request. |
request_body |
The body of the HTTP request, or a filename. If a filename, hashing is performed on the file without reading it into memory. |
signed_body |
Sign the body request and add the correct header (x-amz-content-sha256) to the list of headers |
This function creates a “Canonical Request”, which is part of the Signature Version 4. Users probably only need to use the signature_v4_auth function to generate signatures.
A list containing
Thomas J. Leeper <[email protected]>
Create a Canonical Request For Signature Version 4
signature_v4, signature_v4_auth
link{signature_v4_aut}, string_to_sign
# From AWS documentation # http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html fromDocs <- "POST / content-type:application/x-www-form-urlencoded; charset=utf-8 host:iam.amazonaws.com x-amz-date:20110909T233600Z content-type;host;x-amz-date b6359072c78d70ebee1e81adcbab4f01bf2c23245fa365ef83fe8f1f955085e2" hdrs <- list(`Content-Type` = "application/x-www-form-urlencoded; charset=utf-8", Host = "iam.amazonaws.com", `x-amz-date` = "20110909T233600Z") r <- canonical_request(verb = "POST", canonical_uri = "/", query_args = list(), canonical_headers = hdrs, request_body = "Action=ListUsers&Version=2010-05-08") identical(fromDocs, r$canonical)# From AWS documentation # http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html fromDocs <- "POST / content-type:application/x-www-form-urlencoded; charset=utf-8 host:iam.amazonaws.com x-amz-date:20110909T233600Z content-type;host;x-amz-date b6359072c78d70ebee1e81adcbab4f01bf2c23245fa365ef83fe8f1f955085e2" hdrs <- list(`Content-Type` = "application/x-www-form-urlencoded; charset=utf-8", Host = "iam.amazonaws.com", `x-amz-date` = "20110909T233600Z") r <- canonical_request(verb = "POST", canonical_uri = "/", query_args = list(), canonical_headers = hdrs, request_body = "Action=ListUsers&Version=2010-05-08") identical(fromDocs, r$canonical)
Locate AWS credentials from likely sources
locate_credentials( key = NULL, secret = NULL, session_token = NULL, region = NULL, file = Sys.getenv("AWS_SHARED_CREDENTIALS_FILE", default_credentials_file()), profile = NULL, default_region = getOption("cloudyr.aws.default_region", "us-east-1"), verbose = getOption("verbose", FALSE) )locate_credentials( key = NULL, secret = NULL, session_token = NULL, region = NULL, file = Sys.getenv("AWS_SHARED_CREDENTIALS_FILE", default_credentials_file()), profile = NULL, default_region = getOption("cloudyr.aws.default_region", "us-east-1"), verbose = getOption("verbose", FALSE) )
key |
An AWS Access Key ID |
secret |
An AWS Secret Access Key |
session_token |
Optionally, an AWS Security Token Service (STS) temporary Session Token |
region |
A character string containing the AWS region for the request. If missing, “us-east-1” is assumed. |
file |
A character string containing a path to a centralized ‘.aws/credentials’ file. |
profile |
A character string specifying which profile to use from the file. By default, the profile named in AWS_PROFILE is used, otherwise the “default” profile is used. |
default_region |
A character string specifying a default string to use of no user-supplied value is found. |
verbose |
A logical indicating whether to be verbose. |
These functions locate values of AWS credentials (access key, secret access key, session token, and region) from likely sources. The order in which these are searched is as follows:
user-supplied values passed to the function
environment variables, first checking for default credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_DEFAULT_REGION, and AWS_SESSION_TOKEN); then for Web Identity Provider credentials (AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE)
an instance role (on the running ECS task from which this function is called) as identified by metadata, if the aws.ec2metadata package is installed
an IAM instance role (on the running EC2 instance from which this function is called) as identified by metadata, if the aws.ec2metadata package is installed
a profile in a local credentials dot file in the current working directory, using the profile specified by AWS_PROFILE
the default profile in that local credentials file
a profile in a global credentials dot file in a location set by AWS_SHARED_CREDENTIALS_FILE or defaulting typically to ‘~/.aws/credentials’ (or another OS-specific location), using the profile specified by AWS_PROFILE
the default profile in that global credentials file
If AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are not present when the package is loaded, then use_credentials is invoked using the file specified in AWS_SHARED_CREDENTIALS_FILE (or another default location) and the profile specified in AWS_PROFILE (or, if missing, the “default” profile).
To use this (and any cloudyr package) on AWS EC2 instances, users will also need to install the aws.ec2metadata package, which allows locate_credentials to know it is running in an instance and check for relevant values. If this package is not installed, instance metadata is not checked.
Because region is often handled slightly differently from credentials and is required for most requests (whereas some services allow anonymous requests without specifying credentials), the value of region is searched for in the same order as the above but lacking a value there fails safe with the following preference ranking of possible region values (regardless of location of other credentials):
a user-supplied value
the AWS_DEFAULT_REGION environment variable
(only on EC2 instances) a region declared in the instance metadata
(if a credentials file is being used) the value specified therein
the default value specified in default_region (i.e., “us-east-1” - this can be overriden with the option “cloudyr.aws.default_region”)
As such, user-supplied values of region always trump any other value.
signature_v4, signature_v2_auth, use_credentials
Use a profile from a ‘.aws/credentials’ file
read_credentials( file = Sys.getenv("AWS_SHARED_CREDENTIALS_FILE", default_credentials_file()) ) use_credentials( profile = Sys.getenv("AWS_PROFILE", "default"), file = Sys.getenv("AWS_SHARED_CREDENTIALS_FILE", default_credentials_file()) ) default_credentials_file()read_credentials( file = Sys.getenv("AWS_SHARED_CREDENTIALS_FILE", default_credentials_file()) ) use_credentials( profile = Sys.getenv("AWS_PROFILE", "default"), file = Sys.getenv("AWS_SHARED_CREDENTIALS_FILE", default_credentials_file()) ) default_credentials_file()
file |
A character string containing a path to a ‘.aws/credentials’ file. By default, the standard/centralized file given by AWS_SHARED_CREDENTIALS_FILE is used, otherwise an assumed default location is assumed. For |
profile |
A character string specifying which profile to use from the file. By default, the “default” profile is used. |
read_credentials reads and parses a ‘.aws/credentials’ file into an object of class “aws_credentials”.
use_credentials uses credentials from a profile stored in a credentials file to set the environment variables used by this package. It is called by default during package load if the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables are not set.
Thomas J. Leeper <[email protected]>
Amazon blog post describing the format
signature_v2_auth, locate_credentials
## Not run: # read and parse a credentials file read_credentials() # set environment variables from a profile use_credentials() ## End(Not run)## Not run: # read and parse a credentials file read_credentials() # set environment variables from a profile use_credentials() ## End(Not run)
Generates AWS Signature Version 2
signature_v2_auth( datetime = format(Sys.time(), "%Y-%m-%dT%H:%M:%S", tz = "UTC"), verb, service, path, query_args = list(), key = NULL, secret = NULL, region = NULL, force_credentials = FALSE, verbose = getOption("verbose", FALSE) )signature_v2_auth( datetime = format(Sys.time(), "%Y-%m-%dT%H:%M:%S", tz = "UTC"), verb, service, path, query_args = list(), key = NULL, secret = NULL, region = NULL, force_credentials = FALSE, verbose = getOption("verbose", FALSE) )
datetime |
A character string containing a date in the form of “YYYY-MM-DDTH:M:S”. If missing, it is generated automatically using |
verb |
A character string specify an HTTP verb/method (e.g., “GET”). |
service |
A character string containing the full hostname of an AWS service (e.g., “iam.amazonaws.com”, etc.) |
path |
A character string specify the path to the API endpoint. |
query_args |
A list containing named query arguments. |
key |
An AWS Access Key ID. If |
secret |
An AWS Secret Access Key. If |
region |
A character string containing the AWS region for the request. If missing, “us-east-1” is assumed. |
force_credentials |
A logical indicating whether to force use of user-supplied credentials. If |
verbose |
A logical indicating whether to be verbose. |
This function generates an AWS Signature Version 2 for authorizing API requests. The function returns both an updated set of query string parameters, containing the required signature-related entries, as well as a Signature field containing the Signature string itself. Version 2 is mostly deprecated and in most cases users should rely on signature_v4_auth for Version 4 signatures instead.
A list.
Thomas J. Leeper <[email protected]>
AWS General Reference: Signature Version 2 Signing Process
signature_v4_auth, use_credentials
## Not run: # examples from: # http://docs.aws.amazon.com/general/latest/gr/signature-version-2.html true_string <- paste0("GET\n", "elasticmapreduce.amazonaws.com\n", "/\n", "AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE", "&Action=DescribeJobFlows", "&SignatureMethod=HmacSHA256", "&SignatureVersion=2", "&Timestamp=2011-10-03T15\ "&Version=2009-03-31", collapse = "") true_sig <- "i91nKc4PWAt0JJIdXwz9HxZCJDdiy6cf/Mj6vPxyYIs=" q1 <- list(Action = "DescribeJobFlows", Version = "2009-03-31", AWSAccessKeyId = "AKIAIOSFODNN7EXAMPLE", SignatureVersion = "2", SignatureMethod = "HmacSHA256", Timestamp = "2011-10-03T15:19:30") sig1 <- signature_v2_auth(datetime = "2011-10-03T15:19:30", service = "elasticmapreduce.amazonaws.com", verb = "GET", path = "/", query_args = q1, key = q1$AWSAccessKeyId, secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY") identical(true_string, sig1$CanonicalRequest) identical(true_sig, sig1$Signature) # leaving out some defaults q2 <- list(Action = "DescribeJobFlows", Version = "2009-03-31", Timestamp = "2011-10-03T15:19:30") sig2 <- signature_v2_auth(datetime = "2011-10-03T15:19:30", service = "elasticmapreduce.amazonaws.com", verb = "GET", path = "/", query_args = q2, key = "AKIAIOSFODNN7EXAMPLE", secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY") identical(true_string, sig2$CanonicalRequest) identical(true_sig, sig2$Signature) ## End(Not run)## Not run: # examples from: # http://docs.aws.amazon.com/general/latest/gr/signature-version-2.html true_string <- paste0("GET\n", "elasticmapreduce.amazonaws.com\n", "/\n", "AWSAccessKeyId=AKIAIOSFODNN7EXAMPLE", "&Action=DescribeJobFlows", "&SignatureMethod=HmacSHA256", "&SignatureVersion=2", "&Timestamp=2011-10-03T15\ "&Version=2009-03-31", collapse = "") true_sig <- "i91nKc4PWAt0JJIdXwz9HxZCJDdiy6cf/Mj6vPxyYIs=" q1 <- list(Action = "DescribeJobFlows", Version = "2009-03-31", AWSAccessKeyId = "AKIAIOSFODNN7EXAMPLE", SignatureVersion = "2", SignatureMethod = "HmacSHA256", Timestamp = "2011-10-03T15:19:30") sig1 <- signature_v2_auth(datetime = "2011-10-03T15:19:30", service = "elasticmapreduce.amazonaws.com", verb = "GET", path = "/", query_args = q1, key = q1$AWSAccessKeyId, secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY") identical(true_string, sig1$CanonicalRequest) identical(true_sig, sig1$Signature) # leaving out some defaults q2 <- list(Action = "DescribeJobFlows", Version = "2009-03-31", Timestamp = "2011-10-03T15:19:30") sig2 <- signature_v2_auth(datetime = "2011-10-03T15:19:30", service = "elasticmapreduce.amazonaws.com", verb = "GET", path = "/", query_args = q2, key = "AKIAIOSFODNN7EXAMPLE", secret = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY") identical(true_string, sig2$CanonicalRequest) identical(true_sig, sig2$Signature) ## End(Not run)
Generates AWS Signature Version 4
signature_v4( secret = NULL, date = format(Sys.time(), "%Y%m%d"), region = NULL, service, string_to_sign, verbose = getOption("verbose", FALSE) )signature_v4( secret = NULL, date = format(Sys.time(), "%Y%m%d"), region = NULL, service, string_to_sign, verbose = getOption("verbose", FALSE) )
secret |
An AWS Secret Access Key. If |
date |
A character string containing a date in the form of “YYMMDD”. If missing, it is generated automatically using |
region |
A character string containing the AWS region for the request. If missing, “us-east-1” is assumed. |
service |
A character string containing the AWS service (e.g., “iam”, “host”, “ec2”). |
string_to_sign |
A character string containing the “String To Sign”, possibly returned by |
verbose |
A logical indicating whether to be verbose. |
This function generates an AWS Signature Version 4 for authorizing API requests from its pre-formatted components. Users probably only need to use the signature_v4_auth function to generate signatures.
Thomas J. Leeper <[email protected]>
AWS General Reference: Signature Version 4 Signing Process
AWS General Reference: Examples of How to Derive a Version 4 Signing Key
Amazon S3 API Reference: Authenticating Requests (AWS Signature Version 4)
signature_v4_auth, signature_v2_auth, use_credentials
## Not run: # From AWS documentation # http://docs.aws.amazon.com/general/latest/gr/signature-v4-test-suite.html StringToSign <- "AWS4-HMAC-SHA256 20110909T233600Z 20110909/us-east-1/host/aws4_request e25f777ba161a0f1baf778a87faf057187cf5987f17953320e3ca399feb5f00d" sig <- signature_v4(secret = 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY', date = '20110909', region = 'us-east-1', service = 'host', string_to_sign = StringToSign) identical(sig, "be7148d34ebccdc6423b19085378aa0bee970bdc61d144bd1a8c48c33079ab09") # http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html StringToSign <- "AWS4-HMAC-SHA256 20110909T233600Z 20110909/us-east-1/iam/aws4_request 3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2" sig <- signature_v4(secret = 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY', date = '20110909', region = 'us-east-1', service = 'iam', string_to_sign = StringToSign) identical(sig, "ced6826de92d2bdeed8f846f0bf508e8559e98e4b0199114b84c54174deb456c") ## End(Not run)## Not run: # From AWS documentation # http://docs.aws.amazon.com/general/latest/gr/signature-v4-test-suite.html StringToSign <- "AWS4-HMAC-SHA256 20110909T233600Z 20110909/us-east-1/host/aws4_request e25f777ba161a0f1baf778a87faf057187cf5987f17953320e3ca399feb5f00d" sig <- signature_v4(secret = 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY', date = '20110909', region = 'us-east-1', service = 'host', string_to_sign = StringToSign) identical(sig, "be7148d34ebccdc6423b19085378aa0bee970bdc61d144bd1a8c48c33079ab09") # http://docs.aws.amazon.com/general/latest/gr/sigv4-calculate-signature.html StringToSign <- "AWS4-HMAC-SHA256 20110909T233600Z 20110909/us-east-1/iam/aws4_request 3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2" sig <- signature_v4(secret = 'wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY', date = '20110909', region = 'us-east-1', service = 'iam', string_to_sign = StringToSign) identical(sig, "ced6826de92d2bdeed8f846f0bf508e8559e98e4b0199114b84c54174deb456c") ## End(Not run)
AWS Signature Version 4 for use in query or header authorization
signature_v4_auth( datetime = format(Sys.time(), "%Y%m%dT%H%M%SZ", tz = "UTC"), region = NULL, service, verb, action, query_args = list(), canonical_headers, request_body, signed_body = FALSE, key = NULL, secret = NULL, session_token = NULL, query = FALSE, algorithm = "AWS4-HMAC-SHA256", force_credentials = FALSE, verbose = getOption("verbose", FALSE) )signature_v4_auth( datetime = format(Sys.time(), "%Y%m%dT%H%M%SZ", tz = "UTC"), region = NULL, service, verb, action, query_args = list(), canonical_headers, request_body, signed_body = FALSE, key = NULL, secret = NULL, session_token = NULL, query = FALSE, algorithm = "AWS4-HMAC-SHA256", force_credentials = FALSE, verbose = getOption("verbose", FALSE) )
datetime |
A character string containing a datetime in the form of “YYYYMMDDTHHMMSSZ”. If missing, it is generated automatically using |
region |
A character string containing the AWS region for the request. If missing, “us-east-1” is assumed. |
service |
A character string containing the AWS service (e.g., “iam”, “host”, “ec2”). |
verb |
A character string containing the HTTP verb being used in the request. |
action |
A character string containing the API endpoint used in the request. |
query_args |
A named list of character strings containing the query string values (if any) used in the API request, passed to |
canonical_headers |
A named list of character strings containing the headers used in the request. |
request_body |
The body of the HTTP request. |
signed_body |
Should the body be signed |
key |
An AWS Access Key ID. If |
secret |
An AWS Secret Access Key. If |
session_token |
Optionally, an AWS Security Token Service (STS) temporary Session Token. This is added automatically as a header to |
query |
A logical. Currently ignored. |
algorithm |
A character string containing the hashing algorithm used in the request. Should only be “SHA256”. |
force_credentials |
A logical indicating whether to force use of user-supplied credentials. If |
verbose |
A logical indicating whether to be verbose. |
This function generates an AWS Signature Version 4 for authorizing API requests.
A list of class “aws_signature_v4”, containing the information needed to sign an AWS API request using either query string authentication or request header authentication. Specifically, the list contains:
Algorithm |
A character string containing the hashing algorithm used during the signing process (default is SHA256). |
Credential |
A character string containing an identifying credential “scoped” to the region, date, and service of the request. |
Date |
A character string containing a YYYYMMDD-formatted date. |
SignedHeaders |
A character string containing a semicolon-separated listing of request headers used in the signature. |
Body |
The value passed to |
BodyHash |
A character string containing a SHA256 hash of the request body. |
Verb |
The value passed to |
Query |
The value passed to |
Service |
The value passed to |
Action |
The value passed to |
CanonicalRequest |
A character string containing the canonical request. |
StringToSign |
A character string containing the string to sign for the request. |
Signature |
A character string containing a request signature hash. |
SignatureHeader |
A character string containing a complete Authorization header value. |
AccessKeyId |
A character string containing the access key id identified by |
SecretAccessKey |
A character string containing the secret access key identified by |
SessionToken |
A character string containing the session token identified by |
Region |
A character string containing the region identified by |
These values can either be used as query parameters in a REST-style API request, or as request headers. If authentication is supplied via query string parameters, the query string should include the following:
Action=action
&X-Amz-Algorithm=Algorithm
&X-Amz-Credential=URLencode(Credentials)
&X-Amz-Date=Date
&X-Amz-Expires=timeout
&X-Amz-SignedHeaders=SignedHeaders
where action is the API endpoint being called and timeout is a numeric value indicating when the request should expire.
If signing a request using header-based authentication, the “Authorization” header in the request should be included with the request that looks as follows:
Authorization: Algorithm Credential=Credential, SignedHeaders=SignedHeaders, Signature=Signature
This is the value printed by default for all objects of class “aws_signature_v4”.
Thomas J. Leeper <[email protected]>
AWS General Reference: Signature Version 4 Signing Process
Amazon S3 API Reference: Authenticating Requests (AWS Signature Version 4)
Add the Signing Information to the Request
signature_v2_auth, locate_credentials
Construct a String to Sign from request elements
string_to_sign( algorithm = "AWS4-HMAC-SHA256", datetime, region, service, request_hash )string_to_sign( algorithm = "AWS4-HMAC-SHA256", datetime, region, service, request_hash )
algorithm |
A character string containing the hashing algorithm used in signing process. Should only be “AWS4-HMAC-SHA256”. |
datetime |
A character string containing a UTC date in the form of “YYYYMMDDTHHMMSSZ”. |
region |
A character string containing the AWS region for the request. |
service |
A character string containing the AWS service (e.g., “iam”, “host”, “ec2”). |
request_hash |
A character string containing the hash of the canonical request, perhaps as returned by |
This is a mostly internal function that creates a “String To Sign”, which is part of the Signature Version 4. Users probably only need to use the signature_v4_auth function to generate signatures.
Thomas J. Leeper <[email protected]>
Create a String to Sign for Signature Version 4
signature_v4, signature_v4_auth
# From AWS documentation rh <- "3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2" sts <- string_to_sign(datetime = "20110909T233600Z", region = "us-east-1", service = "iam", request_hash = rh) identical(sts, "AWS4-HMAC-SHA256 20110909T233600Z 20110909/us-east-1/iam/aws4_request 3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2")# From AWS documentation rh <- "3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2" sts <- string_to_sign(datetime = "20110909T233600Z", region = "us-east-1", service = "iam", request_hash = rh) identical(sts, "AWS4-HMAC-SHA256 20110909T233600Z 20110909/us-east-1/iam/aws4_request 3511de7e95d28ecd39e9513b642aee07e54f4941150d8df8bf94b328ef7e55e2")