Signature mechanism

更新时间:
复制 MD 格式

This topic describes the concepts of the signature mechanism and how to create a signature.

Auto Scaling authenticates each access request. Therefore, every request, whether submitted over HTTP or HTTPS, must include signature information. Auto Scaling uses an AccessKey ID and an AccessKey secret to perform symmetric encryption and verify the identity of the request sender. Alibaba Cloud issues an AccessKey ID and an AccessKey secret to each user. You can apply for and manage them on the Alibaba Cloud official website. The AccessKey ID identifies the user. The AccessKey secret is a key used to encrypt the signature string and for the server to verify the signature. The AccessKey secret must be kept strictly confidential.

To sign a request, follow these steps:

  1. Create a canonicalized query string from the request parameters.

    1. Sort all request parameters alphabetically by parameter name. These parameters include both common request parameters and parameters specific to the API operation. The Signature parameter is not included in the signing process.

      Note

      If you submit a request using the GET method, these parameters are the part of the request URL that follows the question mark (?) and are separated by ampersands (&).

    2. URL-encode the name and value of each request parameter in the UTF-8 character set. The encoding rules are as follows:

      • Characters A to Z, a to z, 0 to 9, and the special characters hyphen (-), underscore (_), period (.), and tilde (~) do not need to be encoded.

      • Encode other characters into the %XY format. XY represents the two-digit hexadecimal value of the character's ASCII code. For example, a double quotation mark (") is encoded as %22.

      • Encode extended UTF-8 characters into the %XY%ZA... format.

      • A space character must be encoded as %20, not a plus sign (+).

      Note

      Most libraries that support URL encoding, such as java.net.URLEncoder in Java, encode characters based on the rules of the application/x-www-form-urlencoded Multipurpose Internet Mail Extensions (MIME) type. If you use such a library, replace the plus signs (+) with %20, asterisks (*) with %2A, and %7E with tildes (~) in the encoded string to comply with the encoding rules described above.

    3. Connect the encoded parameter name and its value with an equal sign (=).

    4. Connect the encoded parameter name-value pairs with ampersands (&). The pairs must be in the alphabetical order of the parameter names. The resulting string is the canonicalized query string.

  2. Use the canonicalized query string from the previous step to create the string-to-sign using the following format:

    StringToSign=
     HTTPMethod + "&" +
     percentEncode("/") + "&" +
     percentEncode(CanonicalizedQueryString)
    • HTTPMethod is the HTTP method used to submit the request, such as GET.

    • percentEncode("/") is the forward slash (/) character encoded according to the URL encoding rules in step 1.b. The resulting value is "%2F".

    • percentEncode(CanonicalizedQueryString) is the canonicalized query string from step 1, encoded according to the URL encoding rules in step 1.b.

  3. Calculate the Hash-based Message Authentication Code (HMAC) value of the string-to-sign as defined in RFC 2104.

    Note

    The key for the calculation is your AccessKey secret followed by an ampersand (&), which has an ASCII code of 38. Use the SHA1 hash algorithm for the calculation.

  4. Encode the HMAC value in Base64 to obtain the signature string.

  5. Add the signature string to the request parameters as the Signature parameter. This completes the signing process.

    Note

    When you submit the signature value as the final request parameter to the server, it must be URL-encoded along with the other parameters, as specified in RFC 3986.

    For example, consider a call to the DescribeScalingGroups operation. The request URL before signing is as follows:

    http://ess.aliyuncs.com/?TimeStamp=2014-08-15T11%3A10%3A07Z&Format=xml&AccessKeyId=testid&Action=DescribeScalingGroups&SignatureMethod=HMAC-SHA1&RegionId=cn-qingdao&SignatureNonce=1324fd0e-e2bb-4bb1-917c-bd6e437f1710&SignatureVersion=1.0&Version=2014-08-28

    The StringToSign is as follows:

    GET&%2F&AccessKeyId%3Dtestid&Action%3DDescribeScalingGroups&Format%3Dxml&RegionId%3Dcn-qingdao&SignatureMethod%3DHMAC-SHA1&SignatureNonce%3D1324fd0e-e2bb-4bb1-917c-bd6e437f1710&SignatureVersion%3D1.0&TimeStamp%3D2014-08-15T11%253A10%253A07Z&Version%3D2014-08-28

    If the AccessKey ID is "testid" and the AccessKey secret is "testsecret", the key for the HMAC calculation is "testsecret&". The calculated signature is "SmhZuLUnXmqxSEZ%2FGqyiwGqmf%2BM=".

    The signed request URL, which includes the Signature parameter, is as follows:

    http://ess.aliyuncs.com/?TimeStamp=2014-08-15T11%3A10%3A07Z&Format=xml&AccessKeyId=testid&Action=DescribeScalingGroups&SignatureMethod=HMAC-SHA1&RegionId=cn-qingdao&SignatureNonce=1324fd0e-e2bb-4bb1-917c-bd6e437f1710&SignatureVersion=1.0&Version=2014-08-28&Signature=SmhZuLUnXmqxSEZ%2FGqyiwGqmf%2BM%3D

For more information about how to sign and submit a request, see Call an API operation.