Introduction Hitting S3 from boto3 , I had never thought about SigV4. The SDK does everything. I knew an Authorization: AWS4-HMAC-SHA256 ... header was being assembled somewhere under the hood, but I had never built one by hand. Multi-Region Access Point (MRAP) destroyed that complacency. The instant I hit S3 through MRAP from Lambda, an algorithm I had never seen called AWS4-ECDSA-P256-SHA256 showed up instead of the usual SigV4, and the old botocore I had pinned locally crashed with InvalidSignature . AWS has two signing schemes: SigV4 and SigV4A . The latter is asymmetric, using ECDSA instead of HMAC. This article dissects both, in this order.…