All authentication is taken care of for you by the AWS::S3 library. Nonetheless, some details of the two types of authentication and when they are used may be of interest to some.
Header based authentication is achieved by setting a special Authorization header whose value is formatted like so:
"AWS #{access_key_id}:#{encoded_canonical}"
The access_key_id is the public key that is assigned by Amazon for a given account which you use when establishing your initial connection. The encoded_canonical is computed according to rules laid out by Amazon which we will describe presently.
The “canonical string”, generated by the CanonicalString class, is computed by collecting the current request method, a set of significant headers of the current request, and the current request path into a string. That canonical string is then encrypted with the secret_access_key assigned by Amazon. The resulting encrypted canonical string is then Base64 encoded.
When accessing a restricted object from the browser, you can authenticate via the query string, by setting the following parameters:
"AWSAccessKeyId=#{access_key_id}&Expires=#{expires}&Signature=#{encoded_canonical}"
The QueryString class is responsible for generating the appropriate parameters for authentication via the query string.
The access_key_id and encoded_canonical are the same as described in the Header based authentication section. The expires value dictates for how long the current url is valid (by default, it will expire in 5 minutes). Expiration can be specified either by an absolute time (expressed in seconds since the epoch), or in relative time (in number of seconds from now). Details of how to customize the expiration of the url are provided in the documentation for the QueryString class.
All requests made by this library use header authentication. When a query string authenticated url is needed, the AWS::S3::S3Object#url method will include the appropriate query string parameters.
The full specification of the authentication protocol can be found at docs.amazonwebservices.com/AmazonS3/2006-03-01/RESTAuthentication.html
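The following Ruby example is added here and is not the AWS::S3 library's CanonicalString or QueryString code. It computes both forms described above and checks a query string URL on the verifying side. In the specification linked above, the step this page calls encryption is an HMAC-SHA1 keyed digest. The function names and credentials are constructed for illustration, and the canonical resource is reduced to the request path.

```ruby
require "openssl"
require "uri"

# Constructed sample credentials, not real keys.
ACCESS_KEY_ID     = "AKIDEXAMPLE0000000000"
SECRET_ACCESS_KEY = "constructed-secret-for-illustration-only"

# Canonical string: method, Content-MD5, Content-Type, Date (Expires for
# query string auth), sorted x-amz-* headers, then the request path.
def canonical_string(verb, path, headers = {}, expires: nil)
  h = headers.transform_keys { |k| k.to_s.downcase }
  amz = h.select { |k, _| k.start_with?("x-amz-") }.sort
         .map { |k, v| "#{k}:#{v.to_s.strip}\n" }.join
  date = expires ? expires.to_s : h["date"].to_s
  [verb.upcase, h["content-md5"].to_s, h["content-type"].to_s, date].join("\n") +
    "\n" + amz + path
end

# encoded_canonical: Base64 of the HMAC-SHA1 digest of the canonical string.
def encoded_canonical(canonical, secret = SECRET_ACCESS_KEY)
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA1"), secret, canonical)
  [digest].pack("m0") # "m0" = Base64 without line breaks
end

def authorization_header(verb, path, headers)
  "AWS #{ACCESS_KEY_ID}:#{encoded_canonical(canonical_string(verb, path, headers))}"
end

def query_string(verb, path, expires)
  sig = encoded_canonical(canonical_string(verb, path, {}, expires: expires))
  URI.encode_www_form("AWSAccessKeyId" => ACCESS_KEY_ID, "Expires" => expires, "Signature" => sig)
end

# Verifying side: recompute the signature, compare in constant time, and
# reject the URL once the signed Expires time has passed.
def valid_query_auth?(verb, path, query, now: Time.now.to_i)
  params   = URI.decode_www_form(query).to_h
  expires  = params["Expires"].to_i
  expected = encoded_canonical(canonical_string(verb, path, {}, expires: expires))
  OpenSSL.secure_compare(expected, params["Signature"].to_s) && now <= expires
end
```

Because Expires is part of the signed string, editing it in the URL to extend the lifetime invalidates the signature.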