For request signing, multipart upload is just a series of regular requests. You initiate a multipart upload, send one or more requests to upload parts, and then complete the multipart upload process. You sign each request individually. There is nothing special about signing multipart upload requests. For more information about signing, seeAuthenticating Requests (AWS Signature Version 4) in theAmazon S3 User Guide.

Directory buckets - The HTTP Host header syntax isBucket-name.s3express-zone-id.region-code.amazonaws.com.

The name of the bucket where the multipart upload is initiated and where the object is uploaded.

Directory buckets - When you use this operation with a directory bucket, you must use virtual-hosted-style requests in the formatBucket-name.s3express-zone-id.region-code.amazonaws.com. Path-style requests are not supported. Directory bucket names must be unique in the chosen Zone (Availability Zone or Local Zone). Bucket names must follow the formatbucket-base-name--zone-id--x-s3 (for example,amzn-s3-demo-bucket--usw2-az1--x-s3). For information about bucket naming restrictions, seeDirectory bucket naming rules in theAmazon S3 User Guide.

Access points - When you use this action with an access point for general purpose buckets, you must provide the alias of the access point in place of the bucket name or specify the access point ARN. When you use this action with an access point for directory buckets, you must provide the access point name in place of the bucket name. When using the access point ARN, you must direct requests to the access point hostname. The access point hostname takes the formAccessPointName-AccountId.s3-accesspoint.Region.amazonaws.com. When using this action with an access point through the AWS SDKs, you provide the access point ARN in place of the bucket name. For more information about access point ARNs, seeUsing access points in theAmazon S3 User Guide.

S3 on Outposts - When you use this action with S3 on Outposts, you must direct requests to the S3 on Outposts hostname. The S3 on Outposts hostname takes the formAccessPointName-AccountId.outpostID.s3-outposts.Region.amazonaws.com. When you use this action with S3 on Outposts, the destination bucket must be the Outposts access point ARN or the access point alias. For more information about S3 on Outposts, seeWhat is S3 on Outposts? in theAmazon S3 User Guide.

Required: Yes

Specifies caching behavior along the request/reply chain.

Specifies presentational information for the object.

Specifies what content encodings have been applied to the object and thus what decoding mechanisms must be applied to obtain the media-type referenced by the Content-Type header field.

The language that the content is in.

A standard MIME type describing the format of the object data.

The date and time at which the object is no longer cacheable.

Object key for which the multipart upload is to be initiated.

Length Constraints: Minimum length of 1.

Required: Yes

The canned ACL to apply to the object. Amazon S3 supports a set of predefined ACLs, known ascanned ACLs. Each canned ACL has a predefined set of grantees and permissions. For more information, seeCanned ACL in theAmazon S3 User Guide.

By default, all objects are private. Only the owner has full access control. When uploading an object, you can grant access permissions to individual AWS accounts or to predefined groups defined by Amazon S3. These permissions are then added to the access control list (ACL) on the new object. For more information, seeUsing ACLs. One way to grant the permissions using the request headers is to specify a canned ACL with thex-amz-acl request header.

Valid Values:private | public-read | public-read-write | authenticated-read | aws-exec-read | bucket-owner-read | bucket-owner-full-control

Indicates the algorithm that you want Amazon S3 to use to create the checksum for the object. For more information, seeChecking object integrity in theAmazon S3 User Guide.

Valid Values:CRC32 | CRC32C | SHA1 | SHA256 | CRC64NVME

Indicates the checksum type that you want Amazon S3 to use to calculate the object’s checksum value. For more information, seeChecking object integrity in the Amazon S3 User Guide.

Valid Values:COMPOSITE | FULL_OBJECT

The account ID of the expected bucket owner. If the account ID that you provide does not match the actual owner of the bucket, the request fails with the HTTP status code403 Forbidden (access denied).

Specify access permissions explicitly to give the grantee READ, READ_ACP, and WRITE_ACP permissions on the object.

By default, all objects are private. Only the owner has full access control. When uploading an object, you can use this header to explicitly grant access permissions to specific AWS accounts or groups. This header maps to specific permissions that Amazon S3 supports in an ACL. For more information, seeAccess Control List (ACL) Overview in theAmazon S3 User Guide.

You specify each grantee as a type=value pair, where the type is one of the following:

For example, the followingx-amz-grant-read header grants the AWS accounts identified by account IDs permissions to read object data and its metadata:

x-amz-grant-read:,

Specify access permissions explicitly to allow grantee to read the object data and its metadata.

By default, all objects are private. Only the owner has full access control. When uploading an object, you can use this header to explicitly grant access permissions to specific AWS accounts or groups. This header maps to specific permissions that Amazon S3 supports in an ACL. For more information, seeAccess Control List (ACL) Overview in theAmazon S3 User Guide.

You specify each grantee as a type=value pair, where the type is one of the following:

For example, the followingx-amz-grant-read header grants the AWS accounts identified by account IDs permissions to read object data and its metadata:

x-amz-grant-read:,

Specify access permissions explicitly to allows grantee to read the object ACL.

By default, all objects are private. Only the owner has full access control. When uploading an object, you can use this header to explicitly grant access permissions to specific AWS accounts or groups. This header maps to specific permissions that Amazon S3 supports in an ACL. For more information, seeAccess Control List (ACL) Overview in theAmazon S3 User Guide.

You specify each grantee as a type=value pair, where the type is one of the following:

For example, the followingx-amz-grant-read header grants the AWS accounts identified by account IDs permissions to read object data and its metadata:

x-amz-grant-read:,

Specify access permissions explicitly to allows grantee to allow grantee to write the ACL for the applicable object.

By default, all objects are private. Only the owner has full access control. When uploading an object, you can use this header to explicitly grant access permissions to specific AWS accounts or groups. This header maps to specific permissions that Amazon S3 supports in an ACL. For more information, seeAccess Control List (ACL) Overview in theAmazon S3 User Guide.

You specify each grantee as a type=value pair, where the type is one of the following:

For example, the followingx-amz-grant-read header grants the AWS accounts identified by account IDs permissions to read object data and its metadata:

x-amz-grant-read:,

Specifies whether you want to apply a legal hold to the uploaded object.

Valid Values:ON | OFF

Specifies the Object Lock mode that you want to apply to the uploaded object.

Valid Values:GOVERNANCE | COMPLIANCE

Specifies the date and time when you want the Object Lock to expire.

Confirms that the requester knows that they will be charged for the request. Bucket owners need not specify this parameter in their requests. If either the source or destination S3 bucket has Requester Pays enabled, the requester will pay for corresponding charges to copy the object. For information about downloading objects from Requester Pays buckets, seeDownloading Objects in Requester Pays Buckets in theAmazon S3 User Guide.

Valid Values:requester

The server-side encryption algorithm used when you store this object in Amazon S3 or Amazon FSx.

Valid Values:AES256 | aws:fsx | aws:kms | aws:kms:dsse

Specifies the AWS KMS key ID (Key ID, Key ARN, or Key Alias) to use for object encryption. If the KMS key doesn't exist in the same account that's issuing the command, you must use the full Key ARN not the Key ID.

General purpose buckets - If you specifyx-amz-server-side-encryption withaws:kms oraws:kms:dsse, this header specifies the ID (Key ID, Key ARN, or Key Alias) of the AWS KMS key to use. If you specifyx-amz-server-side-encryption:aws:kms orx-amz-server-side-encryption:aws:kms:dsse, but do not providex-amz-server-side-encryption-aws-kms-key-id, Amazon S3 uses the AWS managed key (aws/s3) to protect the data.

Directory buckets - To encrypt data using SSE-KMS, it's recommended to specify thex-amz-server-side-encryption header toaws:kms. Then, thex-amz-server-side-encryption-aws-kms-key-id header implicitly uses the bucket's default KMS customer managed key ID. If you want to explicitly set the x-amz-server-side-encryption-aws-kms-key-id header, it must match the bucket's default customer managed key (using key ID or ARN, not alias). Your SSE-KMS configuration can only support 1customer managed key per directory bucket's lifetime. TheAWS managed key (aws/s3) isn't supported. Incorrect key specification results in an HTTP400 Bad Request error.

Specifies whether Amazon S3 should use an S3 Bucket Key for object encryption with server-side encryption using AWS Key Management Service (AWS KMS) keys (SSE-KMS).

General purpose buckets - Setting this header totrue causes Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS. Also, specifying this header with a PUT action doesn't affect bucket-level settings for S3 Bucket Key.

Directory buckets - S3 Bucket Keys are always enabled forGET andPUT operations in a directory bucket and can’t be disabled. S3 Bucket Keys aren't supported, when you copy SSE-KMS encrypted objects from general purpose buckets to directory buckets, from directory buckets to general purpose buckets, or between directory buckets, throughCopyObject,UploadPartCopy,the Copy operation in Batch Operations, orthe import jobs. In this case, Amazon S3 makes a call to AWS KMS every time a copy request is made for a KMS-encrypted object.

Specifies the AWS KMS Encryption Context to use for object encryption. The value of this header is a Base64 encoded string of a UTF-8 encoded JSON, which contains the encryption context as key-value pairs.

Directory buckets - You can optionally provide an explicit encryption context value. The value must match the default encryption context - the bucket Amazon Resource Name (ARN). An additional encryption context value is not supported.

Specifies the algorithm to use when encrypting the object (for example, AES256).

Specifies the customer-provided encryption key for Amazon S3 to use in encrypting data. This value is used to store the object and then it is discarded; Amazon S3 does not store the encryption key. The key must be appropriate for use with the algorithm specified in thex-amz-server-side-encryption-customer-algorithm header.

Specifies the 128-bit MD5 digest of the customer-provided encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure that the encryption key was transmitted without error.

By default, Amazon S3 uses the STANDARD Storage Class to store newly created objects. The STANDARD storage class provides high durability and high availability. Depending on performance needs, you can specify a different Storage Class. For more information, seeStorage Classes in theAmazon S3 User Guide.

Valid Values:STANDARD | REDUCED_REDUNDANCY | STANDARD_IA | ONEZONE_IA | INTELLIGENT_TIERING | GLACIER | DEEP_ARCHIVE | OUTPOSTS | GLACIER_IR | SNOW | EXPRESS_ONEZONE | FSX_OPENZFS | FSX_ONTAP

The tag-set for the object. The tag-set must be encoded as URL Query parameters.

If the bucket is configured as a website, redirects requests for this object to another object in the same bucket or to an external URL. Amazon S3 stores the value of this header in the object metadata.

If the bucket has a lifecycle rule configured with an action to abort incomplete multipart uploads and the prefix in the lifecycle rule matches the object name in the request, the response includes this header. The header indicates when the initiated multipart upload becomes eligible for an abort operation. For more information, see Aborting Incomplete Multipart Uploads Using a Bucket Lifecycle Configuration in theAmazon S3 User Guide.

The response also includes thex-amz-abort-rule-id header that provides the ID of the lifecycle configuration rule that defines the abort action.

This header is returned along with thex-amz-abort-date header. It identifies the applicable lifecycle configuration rule that defines the action to abort incomplete multipart uploads.

The algorithm that was used to create a checksum of the object.

Valid Values:CRC32 | CRC32C | SHA1 | SHA256 | CRC64NVME

Indicates the checksum type that you want Amazon S3 to use to calculate the object’s checksum value. For more information, seeChecking object integrity in the Amazon S3 User Guide.

Valid Values:COMPOSITE | FULL_OBJECT

If present, indicates that the requester was successfully charged for the request. For more information, seeUsing Requester Pays buckets for storage transfers and usage in theAmazon Simple Storage Service user guide.

Valid Values:requester

The server-side encryption algorithm used when you store this object in Amazon S3 or Amazon FSx.

Valid Values:AES256 | aws:fsx | aws:kms | aws:kms:dsse

If present, indicates the ID of the KMS key that was used for object encryption.

Indicates whether the multipart upload uses an S3 Bucket Key for server-side encryption with AWS Key Management Service (AWS KMS) keys (SSE-KMS).

If present, indicates the AWS KMS Encryption Context to use for object encryption. The value of this header is a Base64 encoded string of a UTF-8 encoded JSON, which contains the encryption context as key-value pairs.

If server-side encryption with a customer-provided encryption key was requested, the response will include this header to confirm the encryption algorithm that's used.

If server-side encryption with a customer-provided encryption key was requested, the response will include this header to provide the round-trip message integrity verification of the customer-provided encryption key.

Root level tag for the InitiateMultipartUploadResult parameters.

Required: Yes

The name of the bucket to which the multipart upload was initiated. Does not return the access point ARN or access point alias if used.

Type: String

Object key for which the multipart upload was initiated.

Type: String

Length Constraints: Minimum length of 1.

ID for the initiated multipart upload.

Type: String