1
00:00:00,360 --> 00:00:01,950
So now let's do a deeper dive

2
00:00:01,950 --> 00:00:04,770
into understanding how we are actually able

3
00:00:04,770 --> 00:00:07,920
to do API requests to AWS.

4
00:00:07,920 --> 00:00:10,500
So when you call an AWS HTTP API,

5
00:00:10,500 --> 00:00:13,410
which is the API for all the services,

6
00:00:13,410 --> 00:00:14,243
what's going to happen

7
00:00:14,243 --> 00:00:16,320
is that you're going to sign the request

8
00:00:16,320 --> 00:00:18,540
so that AWS can know who you are

9
00:00:18,540 --> 00:00:21,000
and that you are authorized to do your request.

10
00:00:21,000 --> 00:00:22,500
And to sign your request,

11
00:00:22,500 --> 00:00:23,333
what's going to happen

12
00:00:23,333 --> 00:00:25,830
is that you're going to use your AWS credentials,

13
00:00:25,830 --> 00:00:29,070
for example, your access key and your secret key.

14
00:00:29,070 --> 00:00:31,020
And by signing it, AWS knows who you are

15
00:00:31,020 --> 00:00:32,250
and then you're good to go.

16
00:00:32,250 --> 00:00:34,020
Now the process is very complicated,

17
00:00:34,020 --> 00:00:35,850
and for some requests to Amazon S3

18
00:00:35,850 --> 00:00:37,050
you don't need to be signed.

19
00:00:37,050 --> 00:00:39,630
For example, if you're reading a public object.

20
00:00:39,630 --> 00:00:43,440
But for most API calls, you must sign your HTTP request.

21
00:00:43,440 --> 00:00:46,680
Now, we haven't seen the process of signing an HTTP request

22
00:00:46,680 --> 00:00:49,470
because while we've been using the SDK

23
00:00:49,470 --> 00:00:52,560
or the AWS CLI, and so therefore by default,

24
00:00:52,560 --> 00:00:54,120
of course, all the requests

25
00:00:54,120 --> 00:00:56,040
are going to be signed automatically

26
00:00:56,040 --> 00:00:58,230
by the CLI or the SDK.

27
00:00:58,230 --> 00:01:00,540
And so what's going to happen and what you need to remember

28
00:01:00,540 --> 00:01:02,310
is that what you need to do

29
00:01:02,310 --> 00:01:05,100
when you have an API request is to sign it.

30
00:01:05,100 --> 00:01:06,180
And when you sign it

31
00:01:06,180 --> 00:01:10,260
you sign it using SigV4 for a Signature v4.

32
00:01:10,260 --> 00:01:11,820
Now the process is complicated.

33
00:01:11,820 --> 00:01:13,710
There are four steps and you don't need to know

34
00:01:13,710 --> 00:01:16,770
about how to actually sign something with SigV4

35
00:01:16,770 --> 00:01:18,240
because that would be complicated.

36
00:01:18,240 --> 00:01:20,700
But what you need to know is the two ways

37
00:01:20,700 --> 00:01:25,700
that you can transmit your signature once computed to AWS.

38
00:01:25,740 --> 00:01:28,560
So the first one is to send the signature

39
00:01:28,560 --> 00:01:33,000
in the authorization header for any HTTP request.

40
00:01:33,000 --> 00:01:35,010
So you compute it and then it's sent.

41
00:01:35,010 --> 00:01:36,330
So this is what the CLI does,

42
00:01:36,330 --> 00:01:39,330
is going to be included by default like this.

43
00:01:39,330 --> 00:01:43,050
The second option is to use a query string.

44
00:01:43,050 --> 00:01:44,220
So the query string

45
00:01:44,220 --> 00:01:46,950
is that you're going to include the signature

46
00:01:46,950 --> 00:01:50,610
in the URL directly, as you can see right here.

47
00:01:50,610 --> 00:01:53,970
And the signature is going to be in a specified key

48
00:01:53,970 --> 00:01:58,710
for your query string called the X-Amz-Signature.

49
00:01:58,710 --> 00:02:01,410
So these are two ways to transmit SigV4,

50
00:02:01,410 --> 00:02:03,000
and I'm gonna go into the console now

51
00:02:03,000 --> 00:02:04,590
to show you the second way

52
00:02:04,590 --> 00:02:07,680
so you can really have a look at a signature.

53
00:02:07,680 --> 00:02:12,330
So here, I am in Amazon S3 and there is my coffee.jpg file.

54
00:02:12,330 --> 00:02:15,060
And I'm going to do, I'm going to click on here to open it.

55
00:02:15,060 --> 00:02:17,910
And as you can see, it displays in my browser.

56
00:02:17,910 --> 00:02:20,430
And the reason why this file is correctly displayed

57
00:02:20,430 --> 00:02:23,070
in my browser is because of the signatures.

58
00:02:23,070 --> 00:02:27,060
So let me copy the URL into a text editor and show you.

59
00:02:27,060 --> 00:02:30,330
And so as you can see, I have my URL and I've decomposed it

60
00:02:30,330 --> 00:02:32,100
into several steps for you to see.

61
00:02:32,100 --> 00:02:34,260
Here we have the security token.

62
00:02:34,260 --> 00:02:35,430
Here we have the algorithm

63
00:02:35,430 --> 00:02:38,850
that says AWS S4, so SigV4.

64
00:02:38,850 --> 00:02:40,680
We have the date, we have the expires.

65
00:02:40,680 --> 00:02:43,380
So when this URL is going to expire, and this is fine,

66
00:02:43,380 --> 00:02:46,410
by the time you see this video, it's going to be expired.

67
00:02:46,410 --> 00:02:48,990
You also have the AMZ credentials.

68
00:02:48,990 --> 00:02:51,570
So what is my account ID and so on.

69
00:02:51,570 --> 00:02:53,940
And then we have the AMZ signature

70
00:02:53,940 --> 00:02:57,240
which represents the signature part of my SigV4.

71
00:02:57,240 --> 00:03:00,690
So as you can see, this is a URL that got constructed

72
00:03:00,690 --> 00:03:05,690
by my web browser to be able to access my file in Amazon S3.

73
00:03:05,790 --> 00:03:07,020
So that's it for this lecture.

74
00:03:07,020 --> 00:03:09,300
Want you to remember in short is that SigV4

75
00:03:09,300 --> 00:03:11,640
is used to sign requests into AWS

76
00:03:11,640 --> 00:03:13,500
and the signature can be either sent

77
00:03:13,500 --> 00:03:16,050
using an HTTP header in Authorization

78
00:03:16,050 --> 00:03:20,280
or a query string option with the X-Amz-Signature key.

79
00:03:20,280 --> 00:03:21,300
All right, that's it.

80
00:03:21,300 --> 00:03:23,050
I will see you in the next lecture.