0002-00000063

更新时间:
复制 MD 格式

Problem description

The signature format is invalid.

Causes

The Authorization header is malformed. The most common cause is a missing AccessKeyId value, which results in a double space between OSS and the colon (for example, OSS :).

Examples

The following request triggers this error. The Authorization header has a double space after OSS and no AccessKeyId value before the colon:

GET /test.txt HTTP/1.0
Date: Tue, 20 Dec 2022 08:48:18 GMT
Host: oss-example.oss-cn-hangzhou.aliyuncs.com
Authorization: OSS  :UNQDb7GapEgJkcde6OhZ9J*****

Solutions

Fix the Authorization header format

Construct the Authorization header using the following format:

Authorization = "OSS " + AccessKeyId + ":" + Signature
Signature = base64(hmac-sha1(AccessKeySecret,
            VERB + "\n"
            + Content-MD5 + "\n"
            + Content-Type + "\n"
            + Date + "\n"
            + CanonicalizedOSSHeaders
            + CanonicalizedResource))
Note

There must be exactly one space between OSS and AccessKeyId. The malformed example above has two spaces and no AccessKeyId value.

For the full signing specification, see Include signatures in the Authorization header.

Check all common causes

Work through this checklist if the error persists after fixing the header format:

  1. `AccessKeyId` — Verify the value is present and correct. A double space in OSS : indicates a missing AccessKeyId.

  2. `AccessKeySecret` — Verify the secret matches the key ID. Mixing credentials from different accounts is a common mistake.

  3. HTTP verb — Confirm the verb in your signature string matches the actual request method (GET, PUT, and so on).

  4. `Date` — Confirm the Date value in the signature string matches the Date header in the request exactly.

  5. `Content-MD5` and `Content-Type` — If these headers are included in the signature calculation, they must also appear in the request with the same values.

  6. `CanonicalizedOSSHeaders` — Include all OSS-specific headers (prefixed with x-oss-) in canonical order.

  7. `CanonicalizedResource` — Verify the resource path and query string are canonicalized correctly, including any subresources.

Use Alibaba Cloud SDKs to avoid manual signing

Alibaba Cloud SDKs handle signature calculation automatically, eliminating this class of errors. See Overview to get started with the SDK for your language.