The AnalyticDB for MySQL service authenticates the sender identity of each access request. Therefore, each request must contain signature information, regardless of whether it is sent through HTTP or HTTPS.

AnalyticDB for MySQL implements symmetric encryption with an AccessKey pair to verify the identity of the request sender. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. The AccessKey ID and AccessKey secret are issued to you by Alibaba Cloud. You can apply for and manage them on the Alibaba Cloud website. The AccessKey ID is used to verify your identity, whereas the AccessKey secret is used to encrypt and verify the signature string on the server. The AccessKey secret must be kept confidential and only be known to Alibaba Cloud and you.

To sign a request, follow these steps:

  1. Create a canonicalized query string based on the request parameters.
    1. Arrange the request parameters (including all common and operation-specific parameters except Signature) in alphabetical order.
      Note: If you use the GET method to send a request, the request parameters are included as a part of the request URL. The request parameters in the URL are placed after a question mark (?) and separated with ampersands (&).
    2. Encode the name and value of each request parameter in UTF-8. The encoding rules are as follows:
      • Uppercase letters, lowercase letters, digits, hyphens (-), underscores (_), periods (.), and tildes (~) do not need to be encoded.
      • Other characters must be percent encoded in %XY format. XY represents the ASCII code of the characters in hexadecimal notation. For example, the double quotation mark (") is encoded as %22.
      • Extended UTF-8 characters are encoded in %XY%ZA... format.
      • Spaces must be encoded as %20. Do not encode spaces as plus signs (+).
        Note: Most libraries that support URL encoding, such as, comply with the Multipurpose Internet Mail Extensions (MIME) encoding rules of "application/x-www-form-urlencoded". If this encoding method is used, replace the plus signs (+) in the encoded strings with %20, the asterisks (*) with %2A, and %7E with tildes (~) to conform to the encoding rules.
    3. Use an equal sign (=) to connect the name and value of each URL-encoded request parameter as a key-value pair.
    4. Sort the key-value pairs connected by equal signs (=) in alphabetical order and separate them with ampersands (&).
  2. Create a string-to-sign from the encoded canonicalized query string based on the following rules:
    StringToSign = HTTPMethod + "&" + percentEncode("/") + "&" + percentEncode(CanonicalizedQueryString)

    Parameter description

    • HTTPMethod: the HTTP method used to submit a request, such as GET.
    • percentEncode("/"): the encoded value for the forward slash (/) based on the URL encoding rules described in the previous step, which is %2F.
    • percentEncode(CanonicalizedQueryString): the encoded string of the canonicalized query string constructed in the previous step, produced by following the URL encoding rules described in the previous step.
  3. Calculate the HMAC value of the string-to-sign as defined in RFC 2104.
    Note: Use the SHA1 algorithm to calculate the HMAC value of the string-to-sign. The key for the HMAC calculation is the AccessKey secret followed by an ampersand (&) (ASCII: 38).
  4. Encode the HMAC value in Base64 to obtain the signature string.
  5. Add the signature string to the request as the value of the Signature parameter.
    Note: The signature string must be encoded like other parameters in the URL based on RFC 3986 rules before it can be submitted to the Domain Name System (DNS) server as the final request parameter value.
    For example, the request URL of the DescribeDBClusters operation before signing is as follows:

    The string-to-sign is as follows:


    Assume that the AccessKey ID is "testid", the AccessKey secret is "testsecret", and the key used for HMAC calculation is "testsecret&". The calculated signature string is uRpHwaSEt3J+6KQD//svCh/x+pI=.

    The signed request URL with the Signature parameter added is as follows:
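
The five signing steps above, written out as an added Python example (not Alibaba Cloud's code or SDK), together with a receiver-side check that recomputes the signature and compares it in constant time. The request parameters are constructed, with `Timestamp` and `Remark` as illustrative names, so the resulting signature is not the value quoted on this page; `verify` is a hypothetical helper.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def percent_encode(value) -> str:
    # Only A-Z a-z 0-9 - _ . ~ stay literal; space -> %20, '*' -> %2A, '/' -> %2F.
    return quote(str(value), safe="-_.~", encoding="utf-8")


def canonicalized_query_string(params: dict) -> str:
    # Step 1: drop Signature, sort by parameter name (code-point order is an
    # assumption for "alphabetical"), encode names and values, join with = and &.
    return "&".join(f"{percent_encode(k)}={percent_encode(v)}"
                    for k, v in sorted(params.items()) if k != "Signature")


def string_to_sign(method: str, params: dict) -> str:
    # Step 2: HTTPMethod & percentEncode("/") & percentEncode(CanonicalizedQueryString)
    return "&".join([method.upper(), percent_encode("/"),
                     percent_encode(canonicalized_query_string(params))])


def sign(method: str, params: dict, access_key_secret: str) -> str:
    # Steps 3-4: HMAC-SHA1 keyed with "<AccessKey secret>&", then Base64.
    key = (access_key_secret + "&").encode("utf-8")
    mac = hmac.new(key, string_to_sign(method, params).encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify(method: str, params: dict, access_key_secret: str) -> bool:
    # Receiver-side check (hypothetical): recompute and compare in constant time.
    expected = sign(method, params, access_key_secret).encode("ascii")
    return hmac.compare_digest(expected, str(params.get("Signature", "")).encode("utf-8"))


# Constructed sample request. Timestamp and Remark are illustrative parameters.
SAMPLE = {
    "Action": "DescribeDBClusters",
    "AccessKeyId": "testid",
    "Timestamp": "2024-01-01T00:00:00Z",
    "Remark": 'a b*c~"d"+/',
}

if __name__ == "__main__":
    signed = dict(SAMPLE, Signature=sign("GET", SAMPLE, "testsecret"))
    print(string_to_sign("GET", SAMPLE))
    # Step 5: the Signature value is percent-encoded like any other parameter.
    print("Signature=" + percent_encode(signed["Signature"]), verify("GET", signed, "testsecret"))
```

The query string is encoded twice inside the string-to-sign (`%20` becomes `%2520`), which is why a form-urlencoded library that emits `+` for spaces produces a signature the receiver rejects.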